
Topics - dowhile

1
Bus Pirate Support / Cracking SLE4428 with usb pirate sniffing
Hi guys, I need help with an SLE4428 1024Kb. I want to find the PSC code. This card works on a little coffee machine and it stores credit info inside its memory. Here is a dump of the first 66 bytes:

92 23 10 91 FF FF 81 13 FF FF FF FF FF FF FF FF FF FF FF FF FF D2 76 00 00 04 00 FF FF FF FF FF 05 04 08 01 02 00 01 02 00 00 00 00 00 04 00 00 05 00 00 00 00 02 00 00 00 00 00 00 05 06 00 00 00 00 00 00 08 06 00 00 08 00 00 00 07 03 00 00 00 00 00 00 FF 03 0A FF FF FF 08 08 00 00 FF FF A5 FF FF FF 26 61 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

The bold byte stores the credit. It decreases every time I choose a coffee. The vendors that manage the credits do not exist anymore, so I have to crack this smartcard in order to use the machine. I connected the Bus Pirate directly to the smart reader of the coffee machine:
MOSI = I/O
Clock to clock
CS to reset.

This is what I read from the sniffer:

 Parameters used:
 Device = COM3,  Speed = 115200, Clock Edge= 1, Polarity= 0 RawData= 0

 Opening Bus Pirate on COM3 at 115200bps...
 Starting SPI sniffer...
 Configuring Bus Pirate...
 Entering binary mode...
 Switching to SPI mode
 Setting Clockedge/Polarity ...... CKE=1OK
01 Sync
5B [5C C9 0xC9(FF 0xFF)5C C4 0xC4(FF 0xFF)5C 08 0x08(FF 0xFF)5C 89 0x89(FF 0xFF)5D ]
5B [5C 32 0x32(FF 0xFF)5C 43 0x43(FF 0xFF)5D ]
5B [5C 7F 0x7F(FF 0xFF)5C 80 0x80(FF 0xFF)5D ]
5B [5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5D ]
5B [5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5D ]
5B [5C 7F 0x7F(FF 0xFF)5C 80 0x80(FF 0xFF)5D ]
5B [5C 52 0x52(FF 0xFF)5C FF 0xFF(FF 0xFF)5D ]
5B [5C F0 0xF0(FF 0xFF)5C 10 0x10(FF 0xFF)5D ]
5B [5C 08 0x08(FF 0xFF)5C 40 0x40(FF 0xFF)5D ]
5B [5C 20 0x20(FF 0xFF)5C 00 0x00(FF 0xFF)5D ]
5B [5C 60 0x60(FF 0xFF)5C 28 0x28(FF 0xFF)5D ]
5B [5C 00 0x00(00 0x00)5C 00 0x00(00 0x00)5D ]

I also tried with clock edge at 0 and I have this:

 Parameters used:
 Device = COM3,  Speed = 115200, Clock Edge= 0, Polarity= 0 RawData= 0

 Opening Bus Pirate on COM3 at 115200bps...
 Starting SPI sniffer...
 Configuring Bus Pirate...
 Entering binary mode...
 Switching to SPI mode
 Setting Clockedge/Polarity ......OK
01 Sync
5B [5C 49 0x49(00 0x00)5C C4 0xC4(00 0x00)5C 08 0x08(00 0x00)5C 89 0x89(00 0x00)5D ]
5B [5C 64 0x64(00 0x00)5C 86 0x86(00 0x00)5D ]
5B [5C FE 0xFE(00 0x00)5C 00 0x00(00 0x00)5D ]
5B [5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5D ]

I think that the data is not correct! I don't see any PSC verify! What do you think about it?
The datasheet of the 4428 is here: https://www.futurlec.com/Smart_Card_001.shtml
