I just received my BP6 and sim / smart IC reader. I’ve successfully read the two test cards that came with the reader, so I snagged a few expired bank cards I had sitting in a drawer to see if I could read data from their chips.
I followed Mobile SIMs & Bank IC Cards | Bus Pirate 5 Firmware but I’ve been unsuccessful reading all three of these cards.
Card 1 is a debit card issued by a well-known bank. Trying to elicit ATR from the card just gets me: 0xdd 0xb8 0xc0 0x6d 0xab 0x4b 0xf2
Card 2 is a debit card issued by another well-known bank. Attempting to do ATR just gets me: 0x5b
Card 3 is a debit card branded by a major retailer, and has markings on the back which say Gemalto MGY - U1095501A. Attempting ATR returns: 0xdd 0x78 0x74 0x6d 0x4b 0xab 0xfd
Am I doing something wrong?
ian
January 9, 2025, 10:58am
Let’s have a look. Can you please paste the output of the Bus Pirate terminal, including setup, configuring the PWM and the output from the cards?
Absolutely!
Card #1:
HiZ> m
Mode selection
1. HiZ
2. 1-WIRE
3. UART
4. HDUART
5. I2C
6. SPI
7. 2WIRE
8. 3WIRE
9. DIO
10. LED
11. INFRARED
x. Exit
Mode > 4
Use previous settings?
UART speed: 9600 baud
Data bits: 8
Parity: Even
Stop bits: 2
y/n, x to exit (Y) > y
Mode: HDUART
HDUART> W 3.3
3.30V requested, closest value: 3.30V
Current limit:Disabled
Power supply:Enabled
Vreg output: 3.3V, Vref/Vout pin: 3.3V, Current: 7.8mA
HDUART> 0xff P
Pull-up resistors: Enabled (10K ohms @ 3.3V)
HDUART> G
Generate frequency
Choose available pin:
1. IO1
2. IO2
3. IO3
4. IO4
5. IO5
6. IO6
7. IO7
x. Exit
> 1
Period or frequency (ns, us, ms, Hz, kHz or Mhz) > 3.5712mhz
Frequency: 3.571MHz = 3571200Hz (3.57MHz)
Period: 280ns (280.02ns)
Actual frequency: 3571428Hz (3.57MHz)
Actual period: 280ns (280.00ns)
Duty cycle (%) > 50%
Duty cycle: 50.00% = 140ns (140.00ns)
Actual duty cycle: 148ns (148.24ns)
Divider: 16, Period: 34, Duty: 18
Generate frequency: Enabled on IO1
HDUART> [
UART OPEN (ASYNC READ)
HDUART> a 2; @ 2
IO2 set to OUTPUT: 0
IO2 set to INPUT: 1
HDUART> 0xdd 0xb8 0xc0 0x6d 0x4b 0xab 0xfd ]
UART CLOSE
HDUART>
Vout: 3.29V | Pull-ups: ON |
1.Vout 2.IO0 3.IO1 4.IO2 5.IO3 6.IO4 7.IO5 8.IO6 9.IO7 10.GND
002.9mA RXTX PWM - - - - - - GND
3.3V 3.3V 3.6M 3.3V 3.3V 3.3V 3.3V 3.3V 3.3V GND
The other cards have the results noted above. If you’d like me to paste the output for them as well, I can do so later this afternoon.
Thanks!
2 Likes
ian
January 9, 2025, 1:36pm
No, that’s great, thank you. It looks right to me. I will try to duplicate it now.
1 Like
ian
January 9, 2025, 2:43pm
Thank you so much for the bug report. The latest firmware has a fix.
This was a Bus Pirate 6 specific issue.
Here is the response to a Bus Pirate 5 ATR from a credit card. The protocol analyzer is able to decode the serial protocol.
Here is Bus Pirate 6. The analyzer shows errors, but also decodes that 0xdd your ATR started with.
The sim card response is timed directly by the clock/PWM that we setup. If the data isn’t looking right, it’s probably the clock.
Didn’t bother with a photo, but the scope shows BP5 IO1 clock/PWM right at 3.5712MHz, and the BP6 clock at 4.12MHz-ish. Great, we’re close!
The RP2040 has a 125mhz system clock vs 133mhz (?) for the RP2350. Something isn’t mathing right.
uint32_t clock = 125000000;
There we go, the PWM frequency calculation assumes a fixed clock speed.
uint32_t clock = clock_get_hz (clk_sys);
Updated to use the built in function to retrieve the actual system clock.
There we go! Same as BP5
5 Likes
ian:
The RP2040 has a 125mhz system clock vs 133mhz (?) for the RP2350. Something isn’t mathing right.
uint32_t clock = 125000000;
There we go, the PWM frequency calculation assumes a fixed clock speed.
uint32_t clock = clock_get_hz (clk_sys);
Updated to use the built in function to retrieve the actual system clock.
Amazingly quick turnaround on this, Ian! Thank you!
I’ve applied build 9940da5 to my BP6 and confirmed it does, indeed, work now. Thanks again!
3 Likes
ian
January 9, 2025, 9:12pm
Thank you for the confirmation. So glad it worked! I was a bit worried going into this bug, but it turned out to be an easy one.
Thank you again for the bug report. Please let me know if you have any other issues or thoughts.
3 Likes
Having read that epic thread before buying my BP6, I think I understand your trepidation. I’ll admit the same thought occurred to me, too - but I figured you’d be able to determine if that was the case far quicker than I could!
Thanks again, and I’ll definitely keep you posted if I see any other unexpected behavior.
2 Likes
Classic case of a bug where a low-level measurement immediately makes the bug easier to track down. Was that one “solid-colour” channel a clock measurement?
2 Likes
ian
January 10, 2025, 12:30pm
Yes indeed! It is the 3.xxxxMHz clock/PWM that clocks the SIM card.
2 Likes