sniffing communication between PIC and SLE4442


Postby kaliginium » Mon Jul 10, 2017 9:06 am

Hi,

Actually I did it. I have 2 Arduinos, one master, the second slave, and I am able to sniff their communication.

Right now I have a device with a PIC processor which is communicating with an SLE4442 card, and I want to know what the communication between them is. When I connect the BP between them I get this:

][0x0C+0x00+][0x0C+0x10+][0x0C+0x08+][0x0C+0x18+][0x0C+0x04+][0x0C+0x14+][0x0C+0x0C+][0x0C+0x1C+][0x0C+0x02+][0x0C+0x12+][0x0C+0x0A+][0x0C+0x1A+][0x0C+0x06+][0x0C+0x16+][0x0C+0x0E+][0x0C+0x1E+]]

It is some kind of incremental value, but I know that the PIC is reading some of the first bytes of memory from the card.
Is it possible to sniff the communication between the card and the PIC with the I2C sniffer?

Re: sniffing communication between PIC and SLE4442

Postby USBEprom » Mon Jul 10, 2017 1:11 pm

Hi kaliginium.

kaliginium wrote: Is it possible to sniff communication between CARD and PIC with I2C sniffer?


Yes, it is.
Please, take a look at this:

viewtopic.php?f=4&t=7914#p63509

There the protocol is not I2C, it is something like 2WIRE but actually you must use SPI.

Be seeing you.

U.Sb

Re: sniffing communication between PIC and SLE4442

Postby kaliginium » Tue Jul 11, 2017 5:29 am

Hi,

I followed the instructions and still no success at all.

In OLS I sniffed the communication between the PIC and the SLE4442 and got some data. Then I used the SPI Analyzer, set it up according to the instructions, and I got an analysis. See the attachment.

When I use a card reader and read the first several bytes of memory, I get:

A2 13 10 91 FF FF 81 15 53 41 4C 54 31 05 55 22
33 34 00 00 00 D2 76 00 00 04 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Only bytes 13 10 91 are correct. The other bytes are incorrect. All I know is that the PIC is reading the first several bytes. But what I want is to sniff the command the PIC is sending to the SLE.
Attachments
sniffer.png

Re: sniffing communication between PIC and SLE4442

Postby USBEprom » Tue Jul 11, 2017 2:10 pm

Hi kaliginium.

kaliginium wrote:
A2 13 10 91 FF FF 81 15 53 41 4C 54 31 05 55 22
33 34 00 00 00 D2 76 00 00 04 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF



That is the ATR (A2 13 10 91) followed by the partial content of the card memory (whole content is 256 bytes or 2048 bits).
Please take a look here:

https://yaehob.wordpress.com/2014/08/26 ... irate-gui/

Unless you are reading the card it does not mean that what the OLS is showing matches it.
You need the data sheet of the card in order to decode the bus looking for the control bytes listed in there.

kaliginium wrote:
only bytes 13 10 91 are correct. other bytes are incorrect.



I do not think so.
The ATR is correct, so the analyzer must be too, and so the data flow is consistent.
Nothing could be wrong, simply data does not match because OLS is showing data bus, not the content of the card.
Actually that is not a dump of part of the 256 bytes, it is a mix of commands + data + transactions.
I repeat that, with the help of the data sheet, you need to look for specific control bytes in order to understand the commands and data flow.

So as not to overlook anything make sure that the OLS client is set as follows:

LSB first (Least Significant Bit first)
Bits 8 (8 Bits per transfer)
Auto-detect [Mode 0 (CPOL = 0, CPHA = 0)]

Is it so for you?

Be seeing you.

U.Sb

Re: sniffing communication between PIC and SLE4442

Postby kaliginium » Wed Jul 12, 2017 2:33 am

Hi,

In the datasheet, the transmission and the mechanism of start and stop bits are described. Thus the SPI analyzer will not decode that.

In this case I do not know any other option than to decode the bits manually. I hope there is some tool.

Re: sniffing communication between PIC and SLE4442

Postby USBEprom » Wed Jul 12, 2017 2:25 pm

Hi kaliginium.
I mean manually.
You simply must look for the specific command you want and see what data follows it.
I meant something like searching for these:

00110000 0x30 – Read Main Memory
00111000 0x38 – Update Main Memory
00110100 0x34 – Read Protection Memory
00111100 0x3C – Write Protection Memory
00110001 0x31 – Read Security Memory
00111001 0x39 – Update Security Memory
00110011 0x33 – Compare Verification Data

Take a closer look at the datasheet, there is all you really need.
OLS is a very powerful and versatile device but in this case its weakness is that it can collect only a limited amount of data.
As explained in the link I wrote, it is better if you use SPIsniffer with your Bus Pirate.
In that way you can collect a bunch of data that in the end you can analyze simply with a text editor like Notepad or something else like that.

Be seeing you.

U.Sb
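
The manual decode discussed in this thread, as an added example that is not code from any of the posts: it finds start..stop frames in sampled CLK/IO levels and decodes the three LSB-first bytes into the command names listed above. The function names are hypothetical, the sample input is constructed, and the start condition (IO falls while CLK is high), the stop condition (IO rises while CLK is high) and sampling on the rising CLK edge are assumptions taken from the datasheet's description of the 2-wire protocol.

```python
# Control byte -> name, exactly as listed in the thread.
COMMANDS = {
    0x30: "Read Main Memory", 0x38: "Update Main Memory",
    0x34: "Read Protection Memory", 0x3C: "Write Protection Memory",
    0x31: "Read Security Memory", 0x39: "Update Security Memory",
    0x33: "Compare Verification Data",
}

def encode_command(control, address, data):
    """Build constructed (clk, io) samples for one command frame (test input)."""
    samples = [(1, 1), (1, 0), (0, 0)]           # start: IO falls while CLK high
    for byte in (control, address, data):
        for i in range(8):                        # bits go out LSB first
            bit = (byte >> i) & 1
            samples += [(0, bit), (1, bit), (0, bit)]
    samples += [(0, 0), (1, 0), (1, 1)]           # stop: IO rises while CLK high
    return samples

def decode_commands(samples):
    """Return [(control, address, data, name)] for every start..stop frame."""
    frames, bits, in_frame = [], [], False
    prev_clk, prev_io = samples[0]
    for clk, io in samples[1:]:
        if prev_clk and clk and prev_io and not io:     # start condition
            in_frame, bits = True, []
        elif prev_clk and clk and not prev_io and io:   # stop condition
            cmd = bits[:-1]   # last sample is the CLK edge that sets up the stop
            if in_frame and len(cmd) == 24:
                c, a, d = (sum(b << i for i, b in enumerate(cmd[n:n + 8]))
                           for n in (0, 8, 16))
                frames.append((c, a, d, COMMANDS.get(c, "unknown")))
            in_frame = False
        elif in_frame and not prev_clk and clk:         # rising CLK: sample IO
            bits.append(io)
        prev_clk, prev_io = clk, io
    return frames

def msb_first_view(byte):
    """The value an MSB-first decoder (such as an I2C sniffer) shows for byte."""
    return int(f"{byte:08b}"[::-1], 2)

if __name__ == "__main__":
    capture = encode_command(0x30, 0x10, 0x00) + encode_command(0x31, 0x00, 0x00)
    for frame in decode_commands(capture):
        print("0x%02X addr=0x%02X data=0x%02X  %s" % frame)
```

`msb_first_view(0x30)` returns 0x0C: that is what an MSB-first decoder shows for Read Main Memory sent LSB first, and 0x0C is the byte that recurs in the I2C-sniffer capture in the first post.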