
The SLE4442 is a popular smart card with 256 bytes of protected EEPROM storage. You can buy blanks to play with for a few dollars, or pick some up at your local copy center. The advantage to buying them is that you’ll know the security code and be able to write to the card.
Hack a Day looked at the SLE4442 using the Bus Pirate, but that article uses v0a hardware and a very early firmware. This is an updated quick guide to reading an SLE4442 with v2go and firmware v2.2+. Refer to the original article for an in-depth look at the SLE4442 and its data layout.

Chip: SLE4442, protected EEPROM smart card.
Bus: 2 wire + reset, pull-up resistors to 5 volts required.
Power requirements: 5 volts.
References: datasheet [PDF], Hack a Day demonstration.
Complete Bus Pirate session log for this demonstration.
| Bus Pirate | SLE4442 |
| --- | --- |
| MOSI | DATA |
| CLOCK | CLOCK |
| CS | RESET |
| +5volts | +5volts |
| Vpullup | +5volts |
| GND | GND |
Note that firmware v2.1+ moves the SLE4442 RESET control from AUX to the CS pin.
1. Connect the SLE4442 and configure the Bus Pirate
Connect the Bus Pirate to the SLE4442 as shown in the table above.
HiZ>m<<<mode menu
1. HiZ
…
7. RAW2WIRE
…
(1) >7<<<choose raw2wire mode
Mode selected
Set speed:
1. Slow(~5KHz)
2. Fast(~50KHz)
(1) >2<<<any speed is ok
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)
(1) >1<<<open drain outputs
READY
RAW2WIRE>
In the Bus Pirate terminal open the mode menu (M) and select the raw2wire library. Configure raw2wire for any speed and open drain/Hi-Z output types.
RAW2WIRE>W<<<power supplies on
POWER SUPPLIES ON
RAW2WIRE>p<<<configure pull-up resistors
1. Pull-ups off
2. Pull-ups on
(1) >2
Pull-up resistors ON
RAW2WIRE>l<<<configure bit order
1. MSB first
2. LSB first
(1) >2
LSB set: LEAST sig bit first
RAW2WIRE>
Next, enable the power supplies (big ‘W’) and turn on the pull-up resistors (menu p). The SLE4442 sends data least significant bit first, so configure the Bus Pirate for LSB data mode (menu l).
RAW2WIRE>c<<<toggle AUX command pin
AUX commands control
1. AUX (default)
2. CS/TMS
(1) >2
a/A/@ controls CS/TMS pin
RAW2WIRE>
Note that firmware v2.1+ moves the SLE4442 RESET control from AUX to the CS pin. v1 and v2 both have an on-board pull-up resistor on CS but not AUX. Configure the AUX commands to control the CS pin (menu c).
RAW2WIRE>i<<<get current settings
Bus Pirate v3
http://dangerousprototypes.com
Firmware v2.1
DEVID:0x0447 REVID:0x3042 (B4)
*----------*
POWER SUPPLIES ON
Voltage monitors: 5V: 5.0 | 3.3V: 3.3 | VPULLUP: 5.0 |
a/A/@ controls CS/TMS pin
Open drain outputs (H=input, L=GND)
Pull-up resistors ON
LSB set: LEAST sig bit first
*----------*
RAW2WIRE>
This demonstration takes a lot of configuration steps. The information command (i) displays the current mode settings. Press i and verify the mode settings: power supplies on, pull-up resistors enabled, AUX command controls CS pin, and data is read LSB first.
2. Interrogate the card with an ISO 7813 Answer to Reset command
RAW2WIRE>(1)<<<ISO 7813 ATR macro
ISO 7813-3 ATR (RESET on CS)
RESET HIGH, CLOCK TICK, RESET LOW<<<send command
ISO 7813-3 reply (LSB first): 0xA2 0x13 0x10 0x91<<<read 4 bytes
Protocol: 2 wire<<<protocol according to ATR
Read type: to end<<<read abilities
Data units: 256<<<data length
Data unit length (bits): 8<<<each unit is 8bits/1byte
RAW2WIRE>
Many smart cards respond to a standard command called an ‘ISO7813 Answer to Reset’. The ATR command returns some basic information about the card that helps universal card readers identify the protocol and data length. Read more about the ATR signal in the original SLE4442 demo at Hack a Day.
Note: the ATR reply is always sent LSB first, so the ATR macro automatically adjusts the bit order to LSB even if it isn’t configured in the library. This feature was deprecated in v2.5 at a reader’s request. Evidently some smartcards send their ATR most significant bit first!
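The decoding the ATR macro performs, and the effect of the bit order, as an added example (not code from the original article or the Bus Pirate firmware). The bit-field layout and the protocol codes other than 0xA are assumptions based on the usual synchronous-card ATR header and should be checked against the datasheet; the MSB-first bytes are constructed by mirroring the reply shown above.

```python
# Added example: decode the 4-byte ATR header of a synchronous memory card.
# Assumed layout (verify against the SLE4442 datasheet):
#   byte 1, bits 7-4: protocol type
#   byte 2, bit 7:    0 = read to end, 1 = read with defined length
#   byte 2, bits 6-3: n, number of data units = 2 ** (n + 6); 0 = not stated
#   byte 2, bits 2-0: m, data unit length = 2 ** m bits

# 0xA -> "2 wire" matches the macro output above; 0x8 and 0x9 are assumptions.
PROTOCOLS = {0x8: "serial", 0x9: "3 wire", 0xA: "2 wire"}


def reverse_bits(byte):
    """Mirror the 8 bits of one byte (bit 0 swaps with bit 7, and so on)."""
    out = 0
    for _ in range(8):
        out = (out << 1) | (byte & 1)
        byte >>= 1
    return out


def decode_atr(raw, lsb_first=True):
    """Decode ATR bytes; pass lsb_first=False for an MSB-first capture."""
    if len(raw) != 4:
        raise ValueError("expected 4 ATR bytes, got %d" % len(raw))
    hdr = bytes(raw) if lsb_first else bytes(reverse_bits(b) for b in raw)
    h1, h2 = hdr[0], hdr[1]
    n = (h2 >> 3) & 0x0F
    units = None if n == 0 else 1 << (n + 6)
    unit_bits = 1 << (h2 & 0x07)
    return {
        "header": hdr.hex(),
        "protocol": PROTOCOLS.get(h1 >> 4, "unknown"),
        "read_type": "defined length" if h2 & 0x80 else "to end",
        "data_units": units,
        "unit_bits": unit_bits,
        "size_bytes": None if units is None else units * unit_bits // 8,
    }


if __name__ == "__main__":
    # Bytes from the session above, already assembled LSB first.
    print(decode_atr([0xA2, 0x13, 0x10, 0x91]))
    # Constructed sample: the same reply as an MSB-first tool would show it.
    print(decode_atr([0x45, 0xC8, 0x08, 0x89], lsb_first=False))
    # Wrong bit order left uncorrected: the protocol nibble no longer matches.
    print(decode_atr([0x45, 0xC8, 0x08, 0x89]))
```

An "unknown" protocol on a card that is known to be 2 wire is a quick sign that the capture used the wrong bit order.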
3. Dump the SLE4442 smart card data
RAW2WIRE>{0x30 0 0xff} r:255 r:10
(\-/_\)I2C START BIT
WRITE: 0x30<<<read instruction
WRITE: 0x00<<<begin read address
WRITE: 0xFF<<<doesn’t matter
(_/-\)I2C STOP BIT
READ 0xFF BYTES:<<<read 255 data bytes
0xA2 0x13 0x10 0x91 0x46 0xFF 0x81 0x15 0xFF 0x01 0x4B 0x03 0x00 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xD2 0x76 0x00 0x00 0x04 0x09 0xFF 0xFF 0xFF 0xFF 0xFF
0x7B 0x14 0xAE 0x47 0xE1 0x7A 0x94 0x3F 0x4C 0x46 0xC6 0x3B 0x00 0x00 0x00 0x00
0x20 0x08 0x03 0x04 0x09 0x57 0x04 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0x30 0x31 0x33 0x34 0x30 0x30 0x31 0x33 0x36 0x35 0x36 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x43 0x61 0x73 0x68 0x20 0x43 0x75 0x73 0x74 0x6F 0x6D 0x65
0x72 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x39
0x39 0x31 0x31 0x00 0x31 0x30 0x31 0x00 0x30 0x30 0x30 0x30 0x30 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x03 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x20 0x08 0x03 0x04 0x09 0x57 0x04 0x04 0x00
0x00 0x00 0x00 0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x00 0x00
READ 0x0A BYTES:<<<read one data byte and then a few extras
0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
RAW2WIRE>
Finally, we dump the card. { generates an I2C-like start bit, 0x30 is the read command, 0 is the read start address, 0xff doesn’t matter, and } generates an I2C-like stop bit. r:255 r:10 reads all 256 data bytes, plus a few extra bytes, to make sure we reached the end of the card. See the Hack a Day article to decode the data.
-
This is really cool stuff. I’d class myself as a beginner in this.
I have a few questions though
A) on this line “0xA2 0x13 0x10 0x91<<<read 4 bytes” is that an equivalent to the ASCII:
(tried to convert it using the ascii table) 0xA2 =
0xA = new line.
0x2 = start of text. etc etc…
B) How do you tell the difference between hexadecimal data and hexadecimal instructions?
C) The instructions it provides they're in the datasheet right?
D) The data it provides how do you decode that?
E) Could you recommend any material explaining this?
Not usually the type to ask a crapload of questions in a comment, but I've been reading about and got more and more confused. Any help is appreciated!
Tutorials like this really are inspiring!
Thanks a lot, Rob
-
Hi Rob,
A) The text you copied is from the Bus Pirate smartcard macro telling us that it is reading four bytes, that whole sequence is initiated with the (1) macro. It has meaning, which you can decode with the datasheet (not ASCII), but the Bus Pirate does that for us:
Protocol: 2 wire<<<protocol according to ATR
Read type: to end<<<read abilities
Data units: 256<<<data length
Data unit length (bits): 8<<<each unit is 8bits/1byte(everything after << prompt.
C)Yes, this is entirely documented in the datasheet, I just followed along.
D&E)The card is just a 256byte storage device with some security features, the format of the data depends on the user of the card. For the popular copy center cards, follow the link at the very end of the article for more info on how to decode the actual data.
-
Thanks for explaining!
Suppose the moral of this story is “s’all in the datasheet.”
Could all of this be done without the datasheet?
Say for instance you hooked it up to a game controller with no knowledge of the chips, could you try and reverse the protocol with a logic analyzer, capturing data. pressing a button then guessing which byte was which?
Been seeing a lot of the bus pirate recently! Heard nothing but good reviews.
Thanks again Ian.
-
No problem. It would be hard to do it without the datasheet, but it is often done. The Bus Pirate is a tool to help do what you describe. It has a (low-speed) logic analyzer to look at signals. It has protocol sniffers to watch data too (I2C, SPI, UART). It can be used to interact with devices, and has macros for common operations like decoding smart card headers, or scanning an I2C bus for chip addresses.
-
Yeah it seems a really useful tool.
SparkFun freeday is coming up and I’ve been struggling between the Saleae Logic analyzer and a Buspirate.
Seems both would be ideal, I could attach the logic analyzer to the chip and send it commands with the buspirate?
Which would you go for o-o?
-
I use that combination all the time.
Get the Saleae for free, it’s $150 bucks.
Get the Bus Pirate at Seeed Studio because it’s only $30 (including shipping), and sales at Seeed support further development of this open source project:
http://www.seeedstudio.com/depot/preorder-4-bus-pirate-v3-assembled-p-592.html
-
Alright yeah.
Promise I’ll buy one from seeed in Jan 2010.
Thanks Ian. Great help!
-
What’s the use of putting Vpullup to +5volts?

