Dumping An Unknown SmartCard

by **backXslash** » Wed Dec 05, 2012 12:52 am

Hey guys, long time lurker, first time poster.

I've got an unknown SmartCard on my hands. I'm using a Bus Pirate v3b with firmware v5.10 (r559) and bootloader v4.4. The contact layout is identical to the pictures in the datasheet for the Atmel AT88SC102. And with that I have exhausted all the knowledge I have of the card.

When hooked up to the Bus Pirate in the same way as the SLE4442, it doesn't seem to reply at all, and returns only 0xFF to any query. I've appended the doc sheets from Atmel to the end of the post.

The card is a laundry card, and stores credits for the washer and dryer machines in my apartment complex. The "fill station" appears to be just a writer that checks the value on the card, then adds however many credits you feed it to that value, then writes it back to the card. The machines themselves appear to simply check the value of the card, then deduct a set amount from it, and write it back to the card. None of the machines are internet connected.

Pictures of the card and reader I'm using are available here:

Can anyone offer insight as to how I go about A) finding out more about the card, and B) dumping and/ or manipulating the data on the card?

by **ian** » Wed Dec 05, 2012 1:21 am

Welcome to the forum. The spam filter will pass after 24 hours.

Your best bet is to sent the standard ATR (?) query that should return data about the card. There's more about manipulating that manually in my old Hack a Day article at one of the SLE4442 links in the manual. If it doesn't respond, it could be non-standard and I have no idea where to go from there.

Either way, you will likely be able to probe the contents if it is standard, but most systems will use a key so you won't be able to write or change the data without the key.

by **backXslash** » Wed Dec 05, 2012 11:53 am

I added the photos and manuals to the first post.

Let me get everything set up the way I had it last night, and maybe someone can point out a flaw in what I've got going on.

by **backXslash** » Wed Dec 05, 2012 12:16 pm

Set up is as follows:

Bus Pirate v3b
Firmware v5.10 (r559) Bootloader v4.4
DEVID:0x0447 REVID:0x3043 (24FJ64GA002 B5)
http://dangerousprototypes.com
CFG1:0xFFDF CFG2:0xFF7F
*----------*
Pinstates:
1.(BR) 2.(RD) 3.(OR) 4.(YW) 5.(GN) 6.(BL) 7.(PU) 8.(GR) 9.(WT) 0.(Blk)
GND 3.3V 5.0V ADC VPU AUX SCL SDA - -
P P P I I I O I I I
GND 3.13V 5.01V 0.00V 5.03V L H H H H
Power supplies ON, Pull-up resistors ON, Open drain outputs (H=Hi-Z, L=GND)
LSB set: LEAST sig bit first, Number of bits read/write: 8
a/A/@ controls CS pin
R2W (spd hiz)=( 1 1 )
*----------*

When I issue the command (1) [The ATR macro], it returns the following:

ISO 7816-3 ATR (RESET on CS)
RESET HIGH, CLOCK TICK, RESET LOW
ISO 7816-3 reply (uses current LSB setting): 0xFF 0xFF 0xFF 0xFF
Protocol: RFU
Read type: variable length
Data units: RFU
Data unit length (bits): 128

But it does so regardless of whether or not the card is in the reader.

by **backXslash** » Wed Dec 05, 2012 1:53 pm

There's the actual hook up. The green probe is the purple wire on the bus pirate, clock, the white one is cs, the red one is the orange 5v+, black is ground, yellow is the gray MOSI wire.

by **cybergibbons** » Thu Dec 06, 2012 6:02 am

I personally don't care, but I think some people won't like the fact that this looks like you are trying to avoid paying for credits.

I would normally deal with this by using a sniffer board and my Salaea Logic. Once the protocol is worked out, the bus pirate can be used.

by **ian** » Fri Dec 07, 2012 3:10 am

You might try switching the least significant bit setting with L/l before doing the ATR. You have the pullup pin (Vpu) connected to the +5 right?

by **matseng** » Fri Dec 07, 2012 3:57 am

Might be a stupid question, but have you tried another card? Like you ATM card or whatever?

(Unless you're in US where "the eighties called and wanted their magstripes back" ^_^)

by **backXslash** » Fri Dec 07, 2012 8:26 pm

ian wrote:You might try switching the least significant bit setting with L/l before doing the ATR. You have the pullup pin (Vpu) connected to the +5 right?

I'm gunna try that now. And yes, I do have the VPU pin attached to the 5v line off a stripped USB plug

by **backXslash** » Fri Dec 07, 2012 8:29 pm

No go on the LSB MSB settings. Anything else? I mean it's acting like the card isn't even there.

by **ian** » Mon Dec 10, 2012 2:52 am

My guess is it is not a standard card that responds to the ISO ATR command. There are so many cards, many use something totally custom instead of the ATR standard.