SLE4442 Smart Card adapter (KF-011C)

That looks right. Starting here, I went through the card features. Also try:

sle4442

To probe the card and decode the ATR.

Okay. Following along in your notes…

First step was the (1) macro - which no longer exists. I assume that's "sle4442 init"
Second - a minor bug. When I pasted your command

2WIRE>  [ 0x34 0 0 ] r:4
Invalid command: [. Type ? for help.

This was caused by a space before the "["

Third - I'm using a blank 3rd party card. 0x34 and 0x31 report all ones and I get this error

 sle4442 dump
--SLE44xx decoder--
ATR: 0xa2 0x13 0x10 0x91
Protocol Type: S 10
Structure Identifier: General Purpose (Structure 1)
Read: Read to end
Data Units: 256
Data Units Bits: 8
Error reading security memory

Is this because it's locked?

I just tried a SIM card from 2005 (I bought a collection off ebay) using the holder on the upper right.

This worked

HDPLXUART> {        

RST HIGH
HDPLXUART> a 2 ; @ 2
IO2 set to OUTPUT: 0

IO2 set to INPUT: 1

HDPLXUART> 0x3b 0xbc 0x94 0x00 0x40 0x14 0x47 0x47 0x33 0x48 0x33 0x35 0x58 0x53 0x32 0x30 0x30 0x30

Although the command "sim" did nothing.

I haven't had success with the smaller, more recent sim card on the smaller holder on the upper left. I only have a couple to use.

    if(secmem[0]<=7){
        return true;
    }

The error means the remaining number of password attempts is greater than 0b111, which is basically saying the card doesn't respond (all ones or something).

I pushed an update that will show the security memory contents if there is an error, then we can see what's going on.

If you get all ones for [0x31 0 0] r:4, then there is something going wrong. Power is 3.3v? Pull-ups are on? Speed is <50kHz?

Couple things:

  • Make sure LSB mode is enabled (L), or the commands won't be in the right order
  • I believe you must first do an ATR before accessing the card, so be sure to first do }D{^}r:4 at the start of each session
  • The card is read to end, so you have to finish the full read (be it 256 bytes EEPROM, 4 bytes protection/security memory)
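Added example, not Bus Pirate firmware code and not part of the original post: the secmem[0]<=7 test above applied to the RX line that follows a [0x31 0 0] r:4 read, separating "card not answering" (all ones) from a counter value that is merely out of range. The function names and both sample transcripts are constructed for illustration, and the attempts-left count assumes each set bit of the 3-bit error counter is one remaining attempt.

```python
import re

# Constructed transcript in the format the 2WIRE mode prints (not a capture).
NO_RESPONSE = """2WIRE> [0x31 0 0] r:4
I2C START
TX: 0x31
TX: 0 0
I2C STOP
RX: 0xFF 0xFF 0xFF 0xFF
"""
# Constructed: what a responding, unverified card is assumed to return.
RESPONDING = NO_RESPONSE.replace("0xFF 0xFF 0xFF 0xFF", "0x07 0x00 0x00 0x00")


def security_memory_reads(transcript):
    """Return the RX payload that follows each [0x31 ...] command."""
    reads, armed = [], False
    for line in transcript.splitlines():
        if re.search(r"\[\s*0x31\b", line, re.I):
            armed = True
        elif armed and line.lstrip().startswith("RX:"):
            found = re.findall(r"0x[0-9a-fA-F]{2}", line)
            reads.append(bytes(int(b, 16) for b in found))
            armed = False
    return reads


def check_security_memory(secmem):
    """Apply the secmem[0] <= 7 test; return (ok, attempts_left, reason)."""
    if len(secmem) != 4:
        return False, None, "short read: security memory is 4 bytes, read to end"
    if secmem[0] > 7:
        if all(b == 0xFF for b in secmem):
            return False, None, ("bus idle high, card not answering: check 3.3V "
                                 "power, pull-ups, speed <50kHz, LSB order, ATR first")
        return False, None, "error counter 0x%02x exceeds 0b111" % secmem[0]
    # Assumption (SLE4442 behaviour, not stated in the thread): each set bit
    # in the 3-bit error counter is one remaining PSC attempt.
    return True, bin(secmem[0]).count("1"), "ok"
```
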

Hmm.

Bus Pirate 5 REV10
Firmware main branch (2024-04-16T12:20:49Z)
RP2040 with 264KB RAM, 128Mbit FLASH
S/N: 32104F0B33CC62E4
https://BusPirate.com/
Storage:   0.10GB (FAT16 File System)

Configuration file: Not Detected
Available modes: HiZ 1-WIRE UART HDPLXUART I2C SPI 2WIRE DIO LED
Active mode: HW2WIRE (speed)=(0)
Display format: Auto
Data format: 8 bits, LSB bitorder
Pull-up resistors: ON
Power supply: ON (3.3V/3.29V)
Current limit: OK (9.0mA/100.0mA)
Frequency generators: OFF


WIRE> }D{^}r:4        

RST LOW
Delay: 1ms
RST HIGH
Tick clock: 1
RST LOW
RX: 0xA2 0x13 0x10 0x91 
2WIRE> [0x31 0 0] r:4

I2C START
TX: 0x31 
TX: 0 0 
I2C STOP
RX: 0xFF 0xFF 0xFF 0xFF 
2WIRE> [0x34 0 0] r:4

I2C START
TX: 0x34 
TX: 0 0 
I2C STOP
RX: 0xFF 0xFF 0xFF 0xFF 
I2C START
TX: 0x31 
TX: 0 0 
I2C STOP
RX: 0xFF 0xFF 0xFF 0xFF 
2WIRE> sle4442 init
--SLE44xx decoder--
ATR: 0xa2 0x13 0x10 0x91
Protocol Type: S 10
Structure Identifier: General Purpose (Structure 1)
Read: Read to end
Data Units: 256
Data Units Bits: 8
Error reading security memory



Thank you. That's really strange. Does this also happen with the card I sent with the adapter?

Cancel my last post. Really stupid mistake. Continuing with the testing…

No stupid mistakes, only opportunity to improve things and add guard rails for us all.


Trust me, it was dumb. But I am a pioneer! :slight_smile:

I got a result of
0x3b 0x3d 0x95 0x00 0x80 0x67 0xaf 0x03 0x0f 0x01 0x7c 0x06 0x0e 0x83 0x3e 0x9f 0x16

Nice.
The decoder is actually this link, but I could not copy/paste the output because the ATR parser didn't like the "0x" prefix.

Wishlist: It would be convenient to output the results in hex without the "0x" before each byte, so I could paste it as is.

Instead I simply copied the ATR string and in a shell window I typed
echo <pasted result> | sed 's/0x//g'
And I then copied this to paste into the ATR decoder.

And it tells me it's a (Sprint) Nextel USA iDEN SIM card. It's an old TMobile SIM, so I think that's right… Excellent…

I purchased these old SIM cards 20 years ago - they were expired. Some of them still had text messages in them. Is there any way I can use the BP to dump this data?

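Added example, not part of the thread and not the decoder the post links to: a small ISO/IEC 7816-3 ATR parser that accepts the Bus Pirate's 0x-prefixed output directly (doing the sed step itself) and splits the two SIM ATRs posted above into interface bytes, Fi/Di from TA1, and historical bytes. The function and constant names are hypothetical.

```python
import re

# Fi and Di tables from ISO/IEC 7816-3 (values encoded in TA1).
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

# The two ATRs exactly as the Bus Pirate printed them in the posts above.
ATR_2005_SIM = ("0x3b 0xbc 0x94 0x00 0x40 0x14 0x47 0x47 0x33 0x48 0x33 0x35 "
                "0x58 0x53 0x32 0x30 0x30 0x30")
ATR_SECOND_SIM = ("0x3b 0x3d 0x95 0x00 0x80 0x67 0xaf 0x03 0x0f 0x01 0x7c 0x06 "
                  "0x0e 0x83 0x3e 0x9f 0x16")


def parse_atr(text):
    """Decode an asynchronous-card ATR from '0x3b 0xbc ...' or plain hex text."""
    atr = bytes.fromhex(re.sub(r"0x", "", text, flags=re.I))  # the sed step
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B or 0x3F")
    k, y, pos, i = atr[1] & 0x0F, atr[1] >> 4, 2, 1  # T0: Y1 flags, K count
    iface, protocols = {}, set()
    while y:
        for bit, name in enumerate("ABCD"):  # Y bits flag TAi, TBi, TCi, TDi
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                iface[f"T{name}{i}"] = atr[pos]
                pos += 1
        td = iface.get(f"TD{i}")
        if td is not None:
            protocols.add(td & 0x0F)  # low nibble of TDi names a protocol T
        y, i = (td >> 4 if td is not None else 0), i + 1
    if pos + k > len(atr):
        raise ValueError("ATR truncated in historical bytes")
    hist, pos = atr[pos:pos + k], pos + k
    tck_ok = None  # TCK exists only when a protocol other than T=0 is offered
    if protocols - {0}:
        xor = 0
        for b in atr[1:pos + 1]:  # XOR of T0..TCK must be zero
            xor ^= b
        tck_ok = pos < len(atr) and xor == 0
    ta1 = iface.get("TA1", 0x11)  # default Fi=1, Di=1 when TA1 is absent
    return {"interface": iface, "protocols": sorted(protocols) or [0],
            "F": FI.get(ta1 >> 4), "D": DI.get(ta1 & 0x0F),
            "historical": hist, "tck_ok": tck_ok}
```
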

I'm not clear how to use the "sim" command.

HDPLXUART> help mode
Peer to peer HALF DUPLEX asynchronous protocol with open drain bus.
Requires pull-up resistors

BPCMD	     |                      DATA(8/9 bits)                  |
	IDLE |STRT| D7 | D6 | D5 | D4 | D3 | D2 | D1 | D0 |PRTY|STOP|IDLE
TXD	"""""|____|{##}|{##}|{##}|{##}|{##}|{##}|{##}|{##}|{##}|""""|"""""
RXD	"""""|____|{##}|{##}|{##}|{##}|{##}|{##}|{##}|{##}|{##}|""""|"""""
	              ^sample moment

Connections:
	RXTX	------------------ RXTX
	GND	------------------ GND

{	use { to print data as it arrives
}/]	 use } or ] to stop printing data

HDPLXUART mode commands:
sim	Description not set. Try -h for command help

HDPLXUART> sim

HDPLXUART> sim -h
usage:
sim	[-h(elp)]

open UART with raw data IO, usb to serial bridge mode
-h	Get additional help

Love it!

Not yet, I haven't made it to that yet. The best reference I've seen is this thesis paper. It seems like there's a series of headers that are a little file system and you drill down into the stored data. My goal is to get this going with the sim command.

The sim command is a placeholder. I started it, but there's no accessible functionality yet.

For some exploring I have been using pysim-shell from osmocom.
pySim-shell — osmopysim-usermanual documentation

Instead of trying to put all this in buspirate, it might be better to make buspirate look like a PC/SC reader…

(Currently head down with simtrace2, a man in the middle for SIM and mobile data modem)


That's an EXCELLENT idea.
BTW, I think I had this kit from Lady Ada and some of the SIMS, when dumped, showed TXT messages. A raw dump would reveal them, I expect.

Oh man, thatā€™s so old school! It comes up in my searches for SIM card stuff from time to time. It really takes me back! Serial ports! That site layout! It was all so fashionable at the time.


Been checking and pysim has a transport for a basic (phoenix) serial card reader. Which appears to be this sort of interface https://circuitsarchive.org/circuits/smartcard/smartcard-pc-serial-reader-writer-phoenix/.
So buspirate as an interface converter, tty over USB on one side and card socket on the other.

I think we can support this with a transparent UART bridge command, similar to what is supported in the 2 wire UART mode.

The latest build has a bridge command in the half duplex uart mode to test with pysim.

  • Enter Half duplex UART mode and configure as above
  • Enable power and pull-ups
  • Enable the PWM clock
  • type bridge and the Bus Pirate will just convert data back and forth.
  • Close the terminal
  • Use pysim with the Bus Pirate's USB CDC port

However

I jumped the gun on this a bit. It looks like they use the RTS signal to trigger the RESET pin. I need to figure out how to get the RTS signal from TinyUSB and implement this functionality.

I pushed an update that I think will put the RTS signal on IO2 during the bridge command. This should let it work with pysim. Untested at this moment.
