SLE4442 (FedEx Kinko's) smart card update

The SLE4442 is a popular smart card with 256 bytes of protected EEPROM storage. You can buy blanks to play with for a few dollars, or pick some up at your local copy center. The advantage of buying blanks is that you know the security code and can write to the card. Reading the main memory needs no code, but writes are gated by a 3-byte programmable security code (PSC), and the card keeps an error counter: after three wrong PSC attempts it is permanently locked against further writes, so don't guess at the code on a card you care about.

Hack a Day looked at the SLE4442 using the Bus Pirate, but that article uses v0a hardware and a very early firmware. This is an updated quick guide to reading an SLE4442 with the Bus Pirate v2go and firmware v2.2+. Refer to the original article for an in-depth look at the SLE4442 and its data layout.

(image: SLE4442 pinout)

Overview

Bus Pirate connections

Bus Pirate   SLE4442
MOSI         DATA
CLOCK        CLOCK
CS           RESET
+5volts      +5volts
Vpullup      +5volts
GND          GND

Note that firmware v2.1+ moves the SLE4442 RESET control from AUX to the CS pin.

Bus Pirate setup

1. Connect the SLE4442 and configure the Bus Pirate

Connect the Bus Pirate to the SLE4442 as shown in the table above.

HiZ>m<<<mode menu
1. HiZ
...
7. RAW2WIRE
...
(1) >7<<<choose raw2wire mode
Mode selected
Set speed:
1. Slow(~5KHz)
2. Fast(~50KHz)
(1) >2<<<any speed is ok
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)
(1) >1<<<open drain outputs
READY
RAW2WIRE>

In the Bus Pirate terminal open the mode menu (m) and select the raw2wire library. Configure raw2wire for any speed and the open drain/Hi-Z output type. Open drain is required because the card's DATA pin is bidirectional: the card pulls it low when it sends data, and an actively driven high from the Bus Pirate would fight it. The pull-up resistors enabled in the next step supply the logic high.

RAW2WIRE>W<<<power supplies on
POWER SUPPLIES ON
RAW2WIRE>p<<<configure pull-up resistors
1. Pull-ups off
2. Pull-ups on
(1) >2
Pull-up resistors ON
RAW2WIRE>l<<<configure bit order
1. MSB first
2. LSB first
(1) >2
LSB set: LEAST sig bit first
RAW2WIRE>

Next, enable the power supplies (big 'W') and turn on the pull-up resistors (menu p). The SLE4442 sends data least significant bit first, so configure the Bus Pirate for LSB data mode (menu l).

RAW2WIRE>c<<<toggle AUX command pin
AUX commands control
1. AUX (default)
2. CS/TMS
(1) >2
a/A/@ controls CS/TMS pin
RAW2WIRE>

RESET is on CS rather than AUX because both v1 and v2 hardware have an on-board pull-up resistor on CS but not on AUX. Configure the AUX commands to control the CS pin (menu c); from now on a/A/@ drive the card's RESET line.

RAW2WIRE>i<<<get current settings
Bus Pirate v3

http://dangerousprototypes.com

Firmware v2.1
DEVID:0x0447 REVID:0x3042 (B4)
POWER SUPPLIES ON
Voltage monitors: 5V: 5.0 | 3.3V: 3.3 | VPULLUP: 5.0 |
a/A/@ controls CS/TMS pin
Open drain outputs (H=input, L=GND)
Pull-up resistors ON
LSB set: LEAST sig bit first
RAW2WIRE>

This demonstration takes a lot of configuration steps, so check them before touching the card. The information command (i) displays the current mode settings. Press i and verify: power supplies on, pull-up resistors enabled, AUX commands control the CS pin, open drain outputs, and LSB-first bit order.

Interfacing

2. Interrogate the card with an Answer to Reset (ATR) command

RAW2WIRE>(1)<<<ISO 7813 ATR macro
ISO 7813-3 ATR (RESET on CS)
RESET HIGH, CLOCK TICK, RESET LOW<<<send command
ISO 7813-3 reply (LSB first): 0xA2 0x13 0x10 0x91<<<read 4 bytes
Protocol: 2 wire<<<protocol according to ATR
Read type: to end<<<read abilities
Data units: 256<<<data length
Data unit length (bits): 8<<<each unit is 8bits/1byte
RAW2WIRE>

Many smart cards respond to a standard command called an Answer to Reset (ATR). The Bus Pirate menu labels it 'ISO 7813', but the ATR is specified in ISO/IEC 7816 (part 3 for asynchronous cards, part 10 for synchronous cards such as the SLE4442). The ATR returns some basic information about the card that helps universal card readers identify the protocol and data length; here it reports a 2-wire protocol and 256 data units of 8 bits, which is exactly the SLE4442's main memory. Read more about the ATR signal in the original SLE4442 demo at Hack a Day.

Note: the SLE4442 sends its ATR LSB first, and earlier firmware had the ATR macro force LSB bit order even if the library wasn't configured for it. That feature was deprecated in v2.5 at a reader's request, because some smart cards send their ATR most significant bit first. From v2.5 on the macro uses the library's bit-order setting, so the LSB setting from step 1 matters.

3. Dump the SLE4442 smart card data

RAW2WIRE>{0x30 0 0xff}\ r:255 r:10
(\-/_\)I2C START BIT
WRITE: 0x30<<<read instruction
WRITE: 0x00<<<begin read address
WRITE: 0xFF<<<doesn't matter
(_/-\)I2C STOP BIT
CLOCK, 0<<<return clock low (v4+ update!!)
READ 0xFF BYTES:<<<read 255 data bytes
0xA2 0x13 0x10 0x91 0x46 0xFF 0x81 0x15 0xFF 0x01 0x4B 0x03 0x00 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xD2 0x76 0x00 0x00 0x04 0x09 0xFF 0xFF 0xFF 0xFF 0xFF
0x7B 0x14 0xAE 0x47 0xE1 0x7A 0x94 0x3F 0x4C 0x46 0xC6 0x3B 0x00 0x00 0x00 0x00
0x20 0x08 0x03 0x04 0x09 0x57 0x04 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0x30 0x31 0x33 0x34 0x30 0x30 0x31 0x33 0x36 0x35 0x36 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x43 0x61 0x73 0x68 0x20 0x43 0x75 0x73 0x74 0x6F 0x6D 0x65
0x72 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x39
0x39 0x31 0x31 0x00 0x31 0x30 0x31 0x00 0x30 0x30 0x30 0x30 0x30 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x03 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x20 0x08 0x03 0x04 0x09 0x57 0x04 0x04 0x00
0x00 0x00 0x00 0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x00 0x00
READ 0x0A BYTES:<<<read one data byte and then a few extras
0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
RAW2WIRE>

Finally, we dump the card. { generates an I2C-like start bit, 0x30 is the read main memory command, 0 is the start address, the third command byte is ignored by this command (so 0xff is fine), and } generates an I2C-like stop bit. \ returns the clock low after the stop bit to prepare for the read. r:255 r:10 then clocks out all 256 data bytes plus a few extra bytes to make sure we reached the end of the card: bytes 0 to 255 are the card's contents (note that the first four match the ATR), and the extra bytes read back as 0xFF once the read has run past the last address. The SLE4442 has no read protection: everything on the card comes out without the security code, which only gates writes. See the Hack a Day article to decode the data.

Update: in v4 firmware the I2C stop was updated to be more compliant, but as a result the clock line isn't returned low and the smartcard read is corrupted. To work around this, we updated this demo to manually place the clock low (\) after the stop bit (}). This command can be included in previous versions too with no ill effects because the clock is already low.
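As an added example (not code from this page, the Hack a Day article, or the Bus Pirate project), the Python script below takes the raw2wire terminal output shown above, reassembles the two reads into the 256-byte main-memory image, checks that the extra bytes confirm the read ran to the end (a misaligned read, such as the v4 clock problem above, shows up here as something other than 0xFF), and pulls out the printable strings a first look at an unknown card wants. The sample transcript is copied from the dump above; the memory-map constants (256-byte main memory, first 32 bytes write-protectable, the 4-byte ATR stored at bytes 0 to 3) come from the SLE4442 datasheet. The function names are this example's own.

```python
"""Reassemble and inspect an SLE4442 main-memory image from Bus Pirate raw2wire output.

Added example, not code from the wiki page or the Bus Pirate firmware.  Memory-map
constants are from the SLE4442 datasheet; function names are this example's own.
"""
import re
from typing import List, Tuple

MAIN_MEMORY_SIZE = 256  # SLE4442 main memory, addresses 0x00..0xFF
WRITE_PROTECTABLE = 32  # bytes 0..31 can be irreversibly locked via the protection memory
ATR = bytes.fromhex("A2131091")  # ATR reported above; the card keeps it in bytes 0..3

# Copied from the terminal output above; the '<<<' notes come along with the paste.
SAMPLE_TRANSCRIPT = """\
WRITE: 0xFF<<<doesn't matter
CLOCK, 0<<<return clock low (v4+ update!!)
READ 0xFF BYTES:<<<read 255 data bytes
0xA2 0x13 0x10 0x91 0x46 0xFF 0x81 0x15 0xFF 0x01 0x4B 0x03 0x00 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xD2 0x76 0x00 0x00 0x04 0x09 0xFF 0xFF 0xFF 0xFF 0xFF
0x7B 0x14 0xAE 0x47 0xE1 0x7A 0x94 0x3F 0x4C 0x46 0xC6 0x3B 0x00 0x00 0x00 0x00
0x20 0x08 0x03 0x04 0x09 0x57 0x04 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0x30 0x31 0x33 0x34 0x30 0x30 0x31 0x33 0x36 0x35 0x36 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x43 0x61 0x73 0x68 0x20 0x43 0x75 0x73 0x74 0x6F 0x6D 0x65
0x72 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x39
0x39 0x31 0x31 0x00 0x31 0x30 0x31 0x00 0x30 0x30 0x30 0x30 0x30 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x03 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x20 0x08 0x03 0x04 0x09 0x57 0x04 0x04 0x00
0x00 0x00 0x00 0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x00 0x00
READ 0x0A BYTES:<<<read one data byte and then a few extras
0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
RAW2WIRE>
"""

_READ_HDR = re.compile(r"^READ 0x([0-9A-Fa-f]+) BYTES:")
_HEX_BYTE = re.compile(r"0x([0-9A-Fa-f]{2})\b")


def parse_bus_pirate_dump(transcript: str) -> bytes:
    """Concatenate every 'READ 0xNN BYTES:' block, checking each against its announced count."""
    blocks: List[Tuple[int, bytearray]] = []  # (announced length, bytes pasted so far)
    collecting = False
    for raw in transcript.splitlines():
        line = raw.strip()
        hdr = _READ_HDR.match(line)
        if hdr:
            blocks.append((int(hdr.group(1), 16), bytearray()))
            collecting = True
        elif collecting and line.startswith("0x"):
            blocks[-1][1].extend(int(h, 16) for h in _HEX_BYTE.findall(line))
        else:
            collecting = False  # prompt, WRITE:, CLOCK or macro lines end a block
    for announced, data in blocks:
        if len(data) != announced:  # a truncated paste, not a short card
            raise ValueError(f"block announced {announced} bytes, pasted {len(data)}")
    return b"".join(bytes(d) for _, d in blocks)


def split_image(dump: bytes) -> Tuple[bytes, bytes]:
    """(main memory, bytes clocked out after the last address)."""
    if len(dump) < MAIN_MEMORY_SIZE:
        raise ValueError(f"only {len(dump)} bytes: the card was not read to the end")
    return dump[:MAIN_MEMORY_SIZE], dump[MAIN_MEMORY_SIZE:]


def read_ran_to_end(overrun: bytes) -> bool:
    """In the dump above the bytes past address 0xFF come back as 0xFF (pull-up level).
    Anything else means the bit stream is shifted, e.g. the clock was left high after
    the stop bit (the v4 firmware problem noted above)."""
    return bool(overrun) and all(b == 0xFF for b in overrun)


def printable_strings(image: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Offsets and runs of printable ASCII, like strings(1)."""
    found, start, run = [], None, []
    for i, b in enumerate(image + b"\x00"):  # sentinel flushes a trailing run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
            run.append(chr(b))
        else:
            if start is not None and len(run) >= min_len:
                found.append((start, "".join(run)))
            start, run = None, []
    return found


def hexdump(image: bytes) -> str:
    """16-byte rows with an ASCII column, the view to eyeball before decoding fields."""
    rows = []
    for off in range(0, len(image), 16):
        chunk = image[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:04X}  {hexpart:<47}  {asc}")
    return "\n".join(rows)


if __name__ == "__main__":
    main, extra = split_image(parse_bus_pirate_dump(SAMPLE_TRANSCRIPT))
    print(hexdump(main))
    print("ATR in bytes 0..3:", main[:4] == ATR, "| read ran to end:", read_ran_to_end(extra))
    print("write-protectable region:", main[:WRITE_PROTECTABLE].hex())
    print(printable_strings(main))
```

Paste your own terminal output into SAMPLE_TRANSCRIPT (or read it from a file) and run the script; the parser checks each READ block against the byte count the Bus Pirate announced, so a truncated copy raises ValueError instead of silently producing a short image, and read_ran_to_end is the quick sanity check to run before spending time decoding fields.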