SLE4442 Smart Card adapter (KF-011C)

General
27

2WIRE> (1)
ATR: 0xa2 0x13 0x10 0x91
–SLE44xx decoder–
Protocol Type: S 10
Structure Identifier: General Purpose (Structure 1)
Read: Read to end
Data Units: 256
Data Units Bits: 8

2WIRE mode 20KHz, 3.3volts, pull-ups enabled. RST is connected to IO2. Macro (1) performs the ISO 7816-3 Answer To Reset (ATR) sequence and attempts to decode it.

2WIRE> L
Bitorder: LSB 0b00000001

These cards operate in the less-used Least Signification Bit (LSB) byte/word format. Enter L to set the Bus Pirate to LSB mode.

2WIRE> [0x30 0 0] r:256
I2C START
TX: 0x30
TX: 0 0
I2C STOP
RX: 0xA2 0x13 0x10 0x91 0xFF 0xFF 0x81 0x15
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xD2 0x76 0x00
0x00 0x04 0x00 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF

Commands are signaled by an I2C like start and stop sequence. As we saw from the ATR, the card must be read all at once (256 bytes) before it accepts another command.

  • I2C Start
  • Command 0x30 to dump memory
  • Starting at address 0
  • The second zero is don’t care/dummy
  • I2C Stop
  • Read all 256 bytes at once.

The ATR is repeated and then some data about the card. (what is it? don’t know yet)

2WIRE> [ 0x34 0 0] r:4
I2C START
TX: 0x34
TX: 0 0
I2C STOP
RX: 0xFF 0xFF 0xFF 0xFF
2WIRE>

0x34 reads protected memory

2WIRE> [ 0x31 0 0] r:4
I2C START
TX: 0x31
TX: 0 0
I2C STOP
RX: 0x07 0x00 0x00 0x00
2WIRE>

0x31 read security memory

2WIRE> = 0x07
=0x07 =7 =0b00000111

The first byte is the error counter. We have three tries left on this card.

image
image770×337 25.4 KB

  • [0x39 0 0]^:500
  • [0x33 1 0xff] ^:500
  • [0x33 2 0xff] ^:500
  • [0x33 3 0xff] ^:500
  • [0x39 0x00 0xff] ^:500
  • [0x31 0 0] r:4

image
image764×201 17.2 KB

Processing commands need clock ticks. 255 or so, I did 500 to be safe. Most cards are default password 0xff 0xff 0xff. It seems like this sequence should be done on a single line - I did each step separately and burned out two protection bits before I got it unlocked.

2WIRE> [0x39 0 0]^:500 [0x33 1 0xff] ^:500 [0x33 2 0xff] ^:500 [0x33 3 0xff] ^:500 [0x39 0x00 0xff] ^:500 [0x31 0 0] r:4

I2C START
TX: 0x39
TX: 0 0
I2C STOP
Tick clock: 500
I2C START
TX: 0x33
TX: 1
TX: 0xFF
I2C STOP
Tick clock: 500
I2C START
TX: 0x33
TX: 2
TX: 0xFF
I2C STOP
Tick clock: 500
I2C START
TX: 0x33
TX: 3
TX: 0xFF
I2C STOP
Tick clock: 500
I2C START
TX: 0x39 0x00 0xFF
I2C STOP
Tick clock: 500
I2C START
TX: 0x31
TX: 0 0
I2C STOP
RX: 0x07 0xFF 0xFF 0xFF
2WIRE>

0x07 means we have 3 tries (0b111) left, meaning the attempt was successful and the card is unlocked and the tries counter reset.

1 Like