
Bus Pirate: SLE4442 smart card update

Posted on Monday, August 31st, 2009 in Bus Pirate by Ian


This is an old version; see the latest version on the documentation wiki.

The SLE4442 is a popular smart card with 256 bytes of protected EEPROM storage. You can buy blanks to play with for a few dollars, or pick some up at your local copy center. The advantage to buying them is that you’ll know the security code and be able to write to the card.

Hack a Day looked at the SLE4442 using the Bus Pirate, but the article uses v0a hardware and a very early firmware. This is an updated quick guide to reading an SLE4442 with v2go and firmware v2.2+. Refer to the original article for an in-depth look at the SLE4442 and its data layout.

[Image: SLE4442 pinout]

Chip: SLE4442, protected EEPROM smart card.
Bus: 2 wire + reset, pull-up resistors to 5 volts required.
Power requirements: 5 volts.
References: datasheet [PDF], Hack a Day demonstration.
Complete Bus Pirate session log for this demonstration.

Bus Pirate   SLE4442
MOSI         DATA
CLOCK        CLOCK
CS           RESET
+5volts      +5volts
Vpullup      +5volts
GND          GND

Note that firmware v2.1+ moves the SLE4442 RESET control from AUX to the CS pin.

1. Connect the SLE4442 and configure the Bus Pirate

Connect the Bus Pirate to the SLE4442 as shown in the table above.

HiZ>m<<<mode menu
1. HiZ

7. RAW2WIRE

(1) >7<<<choose raw2wire mode
Mode selected
Set speed:
1. Slow(~5KHz)
2. Fast(~50KHz)
(1) >2<<<any speed is ok
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)
(1) >1<<<open drain outputs
READY
RAW2WIRE>

In the Bus Pirate terminal open the mode menu (M) and select the raw2wire library. Configure raw2wire for any speed and the open-drain (Hi-Z) output type.

RAW2WIRE>W<<<power supplies on
POWER SUPPLIES ON
RAW2WIRE>p<<<configure pull-up resistors
1. Pull-ups off
2. Pull-ups on
(1) >2
Pull-up resistors ON
RAW2WIRE>l<<<configure bit order
1. MSB first
2. LSB first
(1) >2
LSB set: LEAST sig bit first
RAW2WIRE>

Next, enable the power supplies (big ‘W’) and turn on the pull-up resistors (menu p). The SLE4442 sends data least significant bit first, so configure the Bus Pirate for LSB data mode (menu l).

RAW2WIRE>c<<<toggle AUX command pin
AUX commands control
1. AUX (default)
2. CS/TMS
(1) >2
a/A/@ controls CS/TMS pin
RAW2WIRE>

Because firmware v2.1+ moves the SLE4442 RESET control from AUX to the CS pin (v1 and v2 both have an on-board pull-up resistor on CS but not on AUX), configure the AUX commands to control the CS pin (menu c).

RAW2WIRE>i<<<get current settings
Bus Pirate v3
http://dangerousprototypes.com
Firmware v2.1
DEVID:0x0447 REVID:0x3042 (B4)
*----------*
POWER SUPPLIES ON
Voltage monitors: 5V: 5.0 | 3.3V: 3.3 | VPULLUP: 5.0 |
a/A/@ controls CS/TMS pin
Open drain outputs (H=input, L=GND)
Pull-up resistors ON
LSB set: LEAST sig bit first
*----------*
RAW2WIRE>

This demonstration takes a lot of configuration steps. The information command (i) displays the current mode settings. Press i and verify the mode settings: power supplies on, pull-up resistors enabled, AUX command controls CS pin, and data is read LSB first.

2. Interrogate the card with an ISO 7813 Answer to Reset command

RAW2WIRE>(1)<<<ISO 7813 ATR macro
ISO 7813-3 ATR (RESET on CS)
RESET HIGH, CLOCK TICK, RESET LOW<<<send command
ISO 7813-3 reply (LSB first): 0xA2 0x13 0x10 0x91<<<read 4 bytes
Protocol: 2 wire<<<protocol according to ATR
Read type: to end<<<read abilities
Data units: 256<<<data length
Data unit length (bits): 8<<<each unit is 8bits/1byte
RAW2WIRE>

Many smart cards respond to a standard command called an ‘ISO7813 Answer to Reset’. The ATR command returns some basic information about the card that helps universal card readers identify the protocol and data length. Read more about the ATR signal in the original SLE4442 demo at Hack a Day.

Note: the ATR reply is always sent LSB, so the ATR macro will automatically adjust the bit order to LSB even if it isn’t configured in the library. This feature was deprecated in v2.5 at a reader’s request. Evidently some smartcards ATR most significant bit first!
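The four ATR bytes printed by the (1) macro can be decoded by hand. The following is an added example, not Bus Pirate firmware code: it takes the 0xA2 0x13 0x10 0x91 reply from the session above and reproduces the four fields the macro printed. The bit layout is my reading of the synchronous-card ATR header: the high nibble of the first byte is the protocol type (0b1010 is what this 2-wire card reports), bit 8 of the second byte is the read type, bits 7-4 give 2^(n+6) data units and bits 3-1 give 2^n bits per unit. The meaning of a set read-type bit and of a zero data-unit field are assumptions not shown on the page, and the example names only the protocol code this card uses. It also carries the LSB-first note through: the helper shows what the same ATR looks like when captured MSB first, which is what you would see with v2.5+ firmware if the bit order is left at its default.

```python
# Added example (not Bus Pirate firmware code): decode the synchronous-card
# ATR header the SLE4442 returned in the session above.

ATR_FROM_SESSION = bytes([0xA2, 0x13, 0x10, 0x91])  # copied from the log above

# Only the protocol type code this card reports is named; any other code is
# reported numerically rather than guessed.
PROTOCOL_TYPES = {0b1010: "2 wire"}


def reverse_bits(byte):
    """Mirror the 8 bits of a byte. The ATR is sent least significant bit
    first; a capture taken in MSB-first mode needs this to read correctly."""
    return int("{:08b}".format(byte)[::-1], 2)


def decode_atr_header(atr, lsb_first_already=True):
    """Decode H1 and H2 of a synchronous smart card ATR into the fields the
    Bus Pirate (1) macro prints. Pass lsb_first_already=False for bytes that
    were captured MSB first; they are mirrored before decoding."""
    if len(atr) < 2:
        raise ValueError("ATR needs at least the two header bytes H1, H2")
    h1, h2 = atr[0], atr[1]
    if not lsb_first_already:
        h1, h2 = reverse_bits(h1), reverse_bits(h2)

    protocol_code = h1 >> 4                       # H1 bits b8..b5
    protocol = PROTOCOL_TYPES.get(
        protocol_code, "type %d (not decoded here)" % protocol_code)

    # H2 b8: 0 = read to end (as printed for this card); a set bit is assumed
    # to mean "read with defined length" (assumption, not shown on the page).
    read_type = "to end" if (h2 & 0x80) == 0 else "defined length"

    # H2 b7..b4: number of data units is 2^(n+6); 0x13 -> n=2 -> 256 units.
    n_units = (h2 >> 3) & 0x0F
    data_units = 1 << (n_units + 6) if n_units else None  # 0 = undefined (assumption)

    # H2 b3..b1: data unit length is 2^n bits; 0x13 -> n=3 -> 8 bits.
    unit_bits = 1 << (h2 & 0x07)

    return {"protocol": protocol, "read_type": read_type,
            "data_units": data_units, "unit_bits": unit_bits}


def atr_as_msb_first_capture(atr):
    """The same ATR as it would appear if the bit order were not set to LSB
    first (v2.5+ firmware no longer forces LSB for the macro)."""
    return bytes(reverse_bits(b) for b in atr)


if __name__ == "__main__":
    for field, value in decode_atr_header(ATR_FROM_SESSION).items():
        print("%s: %s" % (field, value))
    print("MSB-first capture would read:",
          " ".join("0x%02X" % b for b in atr_as_msb_first_capture(ATR_FROM_SESSION)))
```

If a dump from an MSB-first session looks like 0x45 0xC8 0x08 0x89 rather than 0xA2 0x13 0x10 0x91, the bit order, not the card, is the problem; decoding it with lsb_first_already=False gives the same fields.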

3. Dump the SLE4442 smart card data

RAW2WIRE>{0x30 0 0xff}\ r:255 r:10
(\-/_\)I2C START BIT
WRITE: 0x30<<<read instruction
WRITE: 0x00<<<begin read address
WRITE: 0xFF<<<doesn’t matter
(_/-\)I2C STOP BIT
CLOCK, 0<<<return clock low (v4+ update!!)
READ 0xFF BYTES:<<<read 255 data bytes
0xA2 0x13 0x10 0x91 0x46 0xFF 0x81 0x15 0xFF 0x01 0x4B 0x03 0x00 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xD2 0x76 0x00 0x00 0x04 0x09 0xFF 0xFF 0xFF 0xFF 0xFF
0x7B 0x14 0xAE 0x47 0xE1 0x7A 0x94 0x3F 0x4C 0x46 0xC6 0x3B 0x00 0x00 0x00 0x00
0x20 0x08 0x03 0x04 0x09 0x57 0x04 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0x30 0x31 0x33 0x34 0x30 0x30 0x31 0x33 0x36 0x35 0x36 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x43 0x61 0x73 0x68 0x20 0x43 0x75 0x73 0x74 0x6F 0x6D 0x65
0x72 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x39
0x39 0x31 0x31 0x00 0x31 0x30 0x31 0x00 0x30 0x30 0x30 0x30 0x30 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x03 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x20 0x08 0x03 0x04 0x09 0x57 0x04 0x04 0x00
0x00 0x00 0x00 0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x00 0x00
READ 0x0A BYTES:<<<read one data byte and then a few extras
0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
RAW2WIRE>

Finally, we dump the card. { generates an I2C-like start bit, 0x30 is the read command, 0 is the read start address, 0xff doesn’t matter, and } generates an I2C-like stop bit. \ returns the clock low after the stop bit to prepare for the next read. r:255 r:10 reads all 256 data bytes, plus a few extra bytes, to make sure we reached the end of the card. See the Hack a Day article to decode the data.

Update: in v4 firmware the I2C stop was updated to be more compliant, but as a result the clock line isn’t returned low and the smartcard read is corrupted. To work around this, we updated this demo to manually place the clock low (\) after the stop bit (}). This command can be included in previous versions too with no ill effects because the clock is already low.
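The dump above can be parsed back into the card's 256 bytes before you decode it. The following is an added example, not code from the page or from the Bus Pirate project: a small Python parser for the READ blocks of a raw2wire session log, with the dump from this session embedded as its input. It checks that each READ delivered the byte count it announced, splits the 256 bytes of card memory from the extra bytes read past the end, and lists the runs of printable ASCII so the text fields stand out before you work through the layout with the Hack a Day article. The function and constant names are my own.

```python
import re

# Input for the example: the dump part of the Bus Pirate session shown above,
# pasted from the page (raw string so the backslash commands survive).
SESSION_LOG = r"""
RAW2WIRE>{0x30 0 0xff}\ r:255 r:10
(\-/_\)I2C START BIT
WRITE: 0x30<<<read instruction
WRITE: 0x00<<<begin read address
WRITE: 0xFF<<<doesn't matter
(_/-\)I2C STOP BIT
CLOCK, 0<<<return clock low (v4+ update!!)
READ 0xFF BYTES:<<<read 255 data bytes
0xA2 0x13 0x10 0x91 0x46 0xFF 0x81 0x15 0xFF 0x01 0x4B 0x03 0x00 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xD2 0x76 0x00 0x00 0x04 0x09 0xFF 0xFF 0xFF 0xFF 0xFF
0x7B 0x14 0xAE 0x47 0xE1 0x7A 0x94 0x3F 0x4C 0x46 0xC6 0x3B 0x00 0x00 0x00 0x00
0x20 0x08 0x03 0x04 0x09 0x57 0x04 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0x30 0x31 0x33 0x34 0x30 0x30 0x31 0x33 0x36 0x35 0x36 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x43 0x61 0x73 0x68 0x20 0x43 0x75 0x73 0x74 0x6F 0x6D 0x65
0x72 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x39
0x39 0x31 0x31 0x00 0x31 0x30 0x31 0x00 0x30 0x30 0x30 0x30 0x30 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x03 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x20 0x08 0x03 0x04 0x09 0x57 0x04 0x04 0x00
0x00 0x00 0x00 0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x00 0x00
READ 0x0A BYTES:<<<read one data byte and then a few extras
0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
RAW2WIRE>
"""

READ_HEADER = re.compile(r"^READ 0x([0-9A-Fa-f]+) BYTES:")
HEX_BYTE = re.compile(r"0x([0-9A-Fa-f]{2})")


def parse_reads(log):
    """Return a list of (announced_count, bytes) for every READ block in a
    raw2wire session log. WRITE:, CLOCK and prompt lines are ignored, and a
    READ whose rows do not add up to the announced count raises an error."""
    reads, current = [], None
    for line in log.splitlines():
        line = line.strip()
        header = READ_HEADER.match(line)
        if header:
            current = [int(header.group(1), 16), bytearray()]
            reads.append(current)
        elif current is not None and line.startswith("0x"):
            current[1].extend(int(h, 16) for h in HEX_BYTE.findall(line))
        elif current is not None and line:
            current = None  # any other line ends the byte rows of this READ
    result = []
    for count, data in reads:
        if len(data) != count:
            raise ValueError("READ announced %d bytes but %d followed" % (count, len(data)))
        result.append((count, bytes(data)))
    return result


def card_memory(reads, size=256):
    """Join the reads and split the card's main memory (256 bytes on the
    SLE4442) from the extra bytes the session deliberately reads past the end."""
    data = b"".join(d for _, d in reads)
    if len(data) < size:
        raise ValueError("only %d of %d bytes were read" % (len(data), size))
    return data[:size], data[size:]


def ascii_runs(data, min_len=4):
    """Return (offset, text) for each run of printable ASCII of at least
    min_len bytes, to spot the text fields before decoding the layout."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    return runs


if __name__ == "__main__":
    memory, extra = card_memory(parse_reads(SESSION_LOG))
    print("%d bytes of card memory, %d extra bytes past the end" % (len(memory), len(extra)))
    print("ATR bytes at address 0:", " ".join("0x%02X" % b for b in memory[:4]))
    for offset, text in ascii_runs(memory):
        print("0x%02X: %r" % (offset, text))
```

The extra bytes past address 255 all read 0xFF, which is what confirms the read really reached the end of the card; a mismatch between the announced and received counts is the quickest sign that a session has the v4 clock problem described in the update above.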

This entry was posted on Monday, August 31st, 2009 at 1:00 pm and is filed under Bus Pirate.

16 Responses to “Bus Pirate: SLE4442 smart card update”

  1. Ian says:

    The forced LSB interpretation of the ATR was deprecated in v2.5 at a reader’s request. Evidently some smartcards ATR most significant bit first!

  2. Rob says:

    This is really cool stuff. I’d class myself as a beginner in this.

    I have a few questions though

    A) on this line “0xA2 0x13 0x10 0x91<<<read 4 bytes” is that equivalent to the ASCII:
    (tried to convert it using the ascii table)

    0xA2 =
    0xA = new line.
    0x2 = start of text.

    etc etc…

    B) How do you tell the difference between hexadecimal data and hexadecimal instructions?

    C) The instructions it provides they're in the datasheet right?

    D) The data it provides how do you decode that?

    E) Could you recommend any material explaining this?

    Not usually the type to ask a crapload of questions in a comment, but I’ve been reading about it and got more and more confused. Any help is appreciated!

    Tutorials like this really are inspiring!
    Thanks a lot, Rob

  3. Ian says:

    Hi Rob,

    A) The text you copied is from the Bus Pirate smartcard macro telling us that it is reading four bytes; that whole sequence is initiated with the (1) macro. It has meaning, which you can decode with the datasheet (not ASCII), but the Bus Pirate does that for us:
    Protocol: 2 wire<<<protocol according to ATR
    Read type: to end<<<read abilities
    Data units: 256<<<data length
    Data unit length (bits): 8<<<each unit is 8bits/1byte

    (Everything after <<< is the prompt.)

    C)Yes, this is entirely documented in the datasheet, I just followed along.

    D&E)The card is just a 256byte storage device with some security features, the format of the data depends on the user of the card. For the popular copy center cards, follow the link at the very end of the article for more info on how to decode the actual data.

    • Rob says:

      Thanks for explaining!

      Suppose the moral of this story is “s’all in the datasheet.”

      Could all of this be done without the datasheet?

      Say for instance you hooked it up to a game controller with no knowledge of the chips, could you try and reverse the protocol with a logic analyzer, capturing data, pressing a button, then guessing which byte was which?

      Been seeing a lot of the bus pirate recently! Heard nothing but good reviews.

      Thanks again Ian.

      • Ian says:

        No problem. It would be hard to do it without the datasheet, but it is often done. The Bus Pirate is a tool to help do what you describe. It has a (low-speed) logic analyzer to look at signals. It has protocol sniffers to watch data too (I2C, SPI, UART). It can be used to interact with devices, and has macros for common operations like decoding smart card headers, or scanning an I2C bus for chip addresses.

  4. Rob says:

    Yeah, it seems a really useful tool.

    SparkFun freeday is coming up and I’ve been struggling between the Saleae Logic analyzer and a Bus Pirate.

    Seems both would be ideal, I could attach the logic analyzer to the chip and send it commands with the buspirate?

    Which would you go for o-o?

  5. chipres says:

    What’s the use of putting Vpullup to +5volts?

    • Ian says:

      The card can only be interfaced at 5 volts. The Bus Pirate is 3.3 volt output, so this demo uses the pull-up resistors for 5 volt interfacing. The VPU pin feeds the 5 volt supply to the pull-up resistors.

  6. acidblue says:

    Is there another resource for decoding the data from these cards?
    The link on the Hack a Day site appears to be dead.

  7. Borohydride says:

    Reading the card isn’t an issue – it’s grabbing that 3 byte PSC value that’s the important bit! I seem to remember that DC analysis revealed slightly different resistance results if, byte by byte, the (in)correct value is entered. Since it doesn’t actually fail & knock down the number of retries until the third byte is entered, it should be possible to knock down the 16777215 to 1 odds SLIGHTLY. In fact, since the device is serial, it may be possible to get down to evens before having to guess. 3 tries, 2 alternatives.

    I did wonder if one can perform a reset before the retry value is decreased. There is a company in China (Set Chief) offering a device that simply gives the PSC within a few seconds. They don’t seem to be very good at English & I’m not about to waste $hundreds just because it’s kind of interesting. Still, shows (possibly) that it can be done.

  8. Moya Pateman says:

    Can you help?

    We run a hotel and our doors are activated by the FM SLE4442 Blank card. This system we inherited when we bought the hotel. We recently ordered some replacement cards from a firm in China but we cannot seem to get them to work! We have an encoder and a decoder machine. We put our number in and press manual to program the hotel door numbers in, but all we seem to get is “INIZIALISATION FAILED”. We used to deal with KLEVER LOCKS based in Kent but Mr Andrew Fagg never answers our calls, so we are at a loss as to where to go next. We are desperate to have our key cards working as we are getting extremely low now. Is there anything we are not doing to get these cards to activate the hotel doors?

    Would appreciate any advice you could give us.

    Regards

    Moya Pateman

  9. val kosta says:

    If you have the password of the smart card, which command in 2-wire mode can you use to write to the card?

  10. val kosta says:

    I have done an ATR on a smart card and it is saying the protocol is 3-wire.
    The question is, do I need to connect the MISO pin anywhere on the smart card?

  11. hadar asaf says:

    Hi sir,
    I am working with the SLE 4442 and can read and write, but I do not know how to change the PSC (protect security code).
    Can anyone give me the code and the way to change the PSC?

    thanks
    Hadar Asaf
