
Cracking SLE4428 with usb pirate sniffing

Hi guys, I need some help with a SLE4428 1024Kb. I want to find the PSC code. This card works on a little coffee machine and it stores credit info inside its memory. Here is a dump of the first 66 bytes:

92 23 10 91 FF FF 81 13 FF FF FF FF FF FF FF FF FF FF FF FF FF D2 76 00 00 04 00 FF FF FF FF FF 05 04 08 01 02 00 01 02 00 00 00 00 00 04 00 00 05 00 00 00 00 02 00 00 00 00 00 00 05 06 00 00 00 00 00 00 08 06 00 00 08 00 00 00 07 03 00 00 00 00 00 00 FF 03 0A FF FF FF 08 08 00 00 FF FF A5 FF FF FF 26 61 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

The bold byte stores the credit; it decreases every time I choose a coffee. The vendors that managed the credits do not exist anymore, so I have to crack this smartcard in order to use the machine. I connected the Bus Pirate directly to the smart card reader of the coffee machine:
MOSI = I/O
Clock to clock
CS to reset.

This is what I read from the sniffer:

 Parameters used:
 Device = COM3,  Speed = 115200, Clock Edge= 1, Polarity= 0 RawData= 0

 Opening Bus Pirate on COM3 at 115200bps...
 Starting SPI sniffer...
 Configuring Bus Pirate...
 Entering binary mode...
 Switching to SPI mode
 Setting Clockedge/Polarity ...... CKE=1OK
01 Sync
5B [5C C9 0xC9(FF 0xFF)5C C4 0xC4(FF 0xFF)5C 08 0x08(FF 0xFF)5C 89 0x89(FF 0xFF)5D ]
5B [5C 32 0x32(FF 0xFF)5C 43 0x43(FF 0xFF)5D ]
5B [5C 7F 0x7F(FF 0xFF)5C 80 0x80(FF 0xFF)5D ]
5B [5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5D ]
5B [5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5C FF 0xFF(FF 0xFF)5D ]
5B [5C 7F 0x7F(FF 0xFF)5C 80 0x80(FF 0xFF)5D ]
5B [5C 52 0x52(FF 0xFF)5C FF 0xFF(FF 0xFF)5D ]
5B [5C F0 0xF0(FF 0xFF)5C 10 0x10(FF 0xFF)5D ]
5B [5C 08 0x08(FF 0xFF)5C 40 0x40(FF 0xFF)5D ]
5B [5C 20 0x20(FF 0xFF)5C 00 0x00(FF 0xFF)5D ]
5B [5C 60 0x60(FF 0xFF)5C 28 0x28(FF 0xFF)5D ]
5B [5C 00 0x00(00 0x00)5C 00 0x00(00 0x00)5D ]

I also tried with clock edge at 0 and I got this:

 Parameters used:
 Device = COM3,  Speed = 115200, Clock Edge= 0, Polarity= 0 RawData= 0

 Opening Bus Pirate on COM3 at 115200bps...
 Starting SPI sniffer...
 Configuring Bus Pirate...
 Entering binary mode...
 Switching to SPI mode
 Setting Clockedge/Polarity ......OK
01 Sync
5B [5C 49 0x49(00 0x00)5C C4 0xC4(00 0x00)5C 08 0x08(00 0x00)5C 89 0x89(00 0x00)5D ]
5B [5C 64 0x64(00 0x00)5C 86 0x86(00 0x00)5D ]
5B [5C FE 0xFE(00 0x00)5C 00 0x00(00 0x00)5D ]
5B [5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5C FF 0xFF(00 0x00)5D ]

I think that the data is not correct! I don't see any PSC verify! What do you think about it?
The datasheet of the 4428 is here: https://www.futurlec.com/Smart_Card_001.shtml

Re: Cracking SLE4428 with usb pirate sniffing

Reply #1
Hi dowhile.

5B [5C C9 0xC9(FF 0xFF)5C C4 0xC4(FF 0xFF)5C 08 0x08(FF 0xFF)5C 89 0x89(FF 0xFF)5D ]

It appears that you are reading your card in MSB-first order while it needs to be read in LSB-first order.
In fact 0xC9 0xC4 0x08 0x89 is the ATR of the card, even though 0xC9 read MSB-first is actually 0x93 in LSB order, not 0x92:

92 23 10 91 FF FF 81 13 FF FF FF FF FF FF FF FF FF FF FF FF FF D2 76 00 00 04 00 FF FF FF FF FF 05 04 08 01 02 00 01 02 00 00 00 00 00 04 00 00 05 00 00 00 00 02 00 00 00 00 00 00 05

Be seeing you.
 
U.Sb
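To make the bit-order point in the reply concrete, here is an added Python example (not code from either poster) that parses the Bus Pirate sniffer lines quoted in the thread, mirrors each MOSI byte so it reads LSB-first, and compares the first frame with the header of the quoted dump. The log excerpt and the DUMP_HEAD bytes are copied from the thread; the function names are my own.

```python
import re

# Constructed excerpt of the Bus Pirate SPI sniffer output quoted in the thread
# (clock edge 1). Each CS-delimited frame is "5B [ ... 5D ]"; every byte is
# written as "5C MO 0xMO(MI 0xMI)", MO being the MOSI (I/O) byte, MI the MISO byte.
SNIFFER_LOG = """01 Sync
5B [5C C9 0xC9(FF 0xFF)5C C4 0xC4(FF 0xFF)5C 08 0x08(FF 0xFF)5C 89 0x89(FF 0xFF)5D ]
5B [5C 32 0x32(FF 0xFF)5C 43 0x43(FF 0xFF)5D ]
5B [5C 7F 0x7F(FF 0xFF)5C 80 0x80(FF 0xFF)5D ]
"""

# First four bytes of the card dump quoted in the thread (read with a normal reader).
DUMP_HEAD = bytes.fromhex("92 23 10 91")

# Matches one sniffed byte; the backreferences check that the two spellings agree.
BYTE_RE = re.compile(r"5C ([0-9A-F]{2}) 0x\1\(([0-9A-F]{2}) 0x\2\)")


def parse_frames(log: str) -> list:
    """Return one list of (mosi, miso) byte pairs per CS-delimited frame."""
    frames = []
    for line in log.splitlines():
        if not line.startswith("5B ["):
            continue  # "01 Sync" and status lines carry no data
        frames.append([(int(mo, 16), int(mi, 16)) for mo, mi in BYTE_RE.findall(line)])
    return frames


def reverse_bits(b: int) -> int:
    """Mirror the 8 bits of a byte: an MSB-first capture of an LSB-first signal."""
    return int(f"{b:08b}"[::-1], 2)


def lsb_first(frame: list) -> bytes:
    """MOSI bytes of one frame reinterpreted in LSB-first order."""
    return bytes(reverse_bits(mo) for mo, _ in frame)


def compare_atr(log: str, dump_head: bytes) -> list:
    """Per-byte equality of the bit-reversed first frame against the dump header."""
    atr = lsb_first(parse_frames(log)[0])
    return [a == d for a, d in zip(atr, dump_head)]


if __name__ == "__main__":
    first = parse_frames(SNIFFER_LOG)[0]
    print("MOSI as captured (MSB-first):", " ".join(f"{mo:02X}" for mo, _ in first))
    print("reinterpreted LSB-first:     ", lsb_first(first).hex(" ").upper())
    print("matches dump header:         ", compare_atr(SNIFFER_LOG, DUMP_HEAD))
```

Three of the four bytes match the dump after mirroring; only the first byte differs, in its lowest bit (0x93 versus 0x92), which is exactly the discrepancy the reply points out.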