Pic-cards: manufacturing, programming, use
(the information for beginners)

1. What is a chip-card and its application for the authorized access to the information
2. Creation of a "false" chip-card
3. Assembling a programmer such as Ludipipo/JDM
4. Chips-cards programming
5. Assembly of Smartmouse/Phoenix interface

 

1. What is a chip-card and its application for the authorized access to the information

A chip-card is a plate of polymeric material measuring 85x54 mm and 0.76 mm thick, with a microprocessor and memory embedded inside it and a contact platform that serves for the "dialogue" between the card and the terminal. Chip-cards (hereafter simply cards) are used in many areas: in banking, for paying for phone calls, for viewing encrypted channels with receivers, and in cellular telephones (the smaller card, called a SIM-card).

In brief, a card works as follows. Some confidential keys are stored in the card's memory, and the terminal wants to check whether the user has access rights. It sends a request to the card, and the card's microprocessor processes this request and returns the necessary key. In the case of a satellite terminal, that key is used to decode the digital television signal, so no modification of the receiver itself will help in viewing encrypted programs. One needs to know the keys and the key-exchange algorithm between the card and the satellite receiver.

Example of a French telecard:

Originally the contact platforms of cards followed the AFNOR standard (the contact platform was shifted toward the top edge of the card); then the ISO 7816-2 standard was adopted, and all present-day cards follow it (such a card is shown in the figure above).

A contact platform of standard ISO 7816:

1  Vcc    Power supply (+5 V)
2  Reset  The Reset signal
3  Clock  Synchronization
4         Reserved
5  Gnd    Ground
6         Reserved
7  I/O    Data input / output
8         Reserved

 

In general there are three versions of standard ISO 7816:

Cards are either synchronous or asynchronous. Telephone cards are usually synchronous; they are less protected (frequently there is no processor at all, only memory). Television encryption systems use asynchronous cards. According to standard ISO 7816-3, any asynchronous card must send a special message no more than 33 bytes long immediately after the Reset command. This answer is called the ATR (answer to reset) and serves as the card's own "personal" signature (it can be seen in some programs for working with cards, which we will discuss shortly). The very first byte has a special meaning and must equal 3Fh or 3Bh. If the card returns another value, it is a non-standard, synchronous, or defective card. Data exchange with a card is half-duplex and goes through contact number 7 (I/O).

To send commands to a card and receive answers from it with a computer, a so-called connector is used. Usually a Smartmouse or Phoenix interface serves as the connector. It is connected to a COM port of the computer. (Note the widespread belief that Smartmouse and Phoenix are programmers. They are not programmers! It is impossible to program anything with them!)
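
The ATR rules described above, as an added example that is not part of the original article: a small Python parser that enforces the TS byte (3Bh/3Fh) and the 33-byte limit from the text and then splits the remaining bytes. The T0/TAi..TDi/TCK layout is taken from ISO 7816-3 rather than from this page, and both sample ATRs are constructed for illustration.

```python
# Added example: ISO 7816-3 ATR parser. The sample ATRs are constructed.
CONVENTIONS = {0x3B: "direct", 0x3F: "inverse"}   # the only legal TS values

def parse_atr(atr: bytes) -> dict:
    """Validate an ATR and split it into interface and historical bytes."""
    if not 2 <= len(atr) <= 33:
        raise ValueError("ATR must be 2 to 33 bytes long")
    if atr[0] not in CONVENTIONS:
        raise ValueError(f"TS={atr[0]:02X}h: non-standard, synchronous or defective card")
    y, hist_len = atr[1] >> 4, atr[1] & 0x0F   # T0: presence bits Y1, count K
    pos, level, interface, protocols = 2, 1, {}, []
    while y:
        for bit, name in enumerate("ABCD"):    # TAi, TBi, TCi, TDi, in that order
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                interface[f"T{name}{level}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{level}")
        if td is None:
            break
        protocols.append(td & 0x0F)            # low nibble of TDi: protocol T
        y, level = td >> 4, level + 1          # high nibble: next presence bits
    end = pos + hist_len
    if end > len(atr):
        raise ValueError("ATR truncated inside historical bytes")
    historical = atr[pos:end]
    # TCK is sent only when a protocol other than T=0 is offered;
    # the XOR of every byte from T0 through TCK must then be zero.
    if any(p != 0 for p in protocols):
        if end >= len(atr):
            raise ValueError("TCK checksum byte missing")
        check = 0
        for b in atr[1:end + 1]:
            check ^= b
        if check:
            raise ValueError("TCK checksum mismatch")
        end += 1
    if end != len(atr):
        raise ValueError("unexpected trailing bytes")
    return {"convention": CONVENTIONS[atr[0]], "interface": interface,
            "protocols": protocols or [0], "historical": historical}

SAMPLE_T0 = bytes.fromhex("3B1311414243")   # constructed: TA1, 3 historical bytes
SAMPLE_T1 = bytes.fromhex("3B8201414280")   # constructed: TD1 offers T=1, TCK=80h

if __name__ == "__main__":
    for sample in (SAMPLE_T0, SAMPLE_T1):
        print(sample.hex(" ").upper(), parse_atr(sample))
```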

2. Creation of a "false" chip-card

A "false" chip-card, which operates as or nearly as a real card does, can be created using microchips of the PIC family (PIC16F84 is usually used) from Microchip (http://www.microchip.ru/), or the AT90S8515 from Atmel (http://www.atmel.com/). The Atmel chip is much more powerful than the PIC16F84; however, pirate cards based on it (they are called FunCard) are less widespread at present. In this section we shall consider creating a card based on the PIC16F84 microcircuit.

Brief PIC16F84 characteristics:

More details about the 16C84 chip (it has much in common with the 16F84) can be read here (in Russian): 16c84.zip. As the PIC16F84 does not have enough non-volatile memory, modern pirate cards use an additional separate memory chip for data storage: the EEPROM 24C16, 16 kilobits or 2 kilobytes (2048x8). The 24C16 is cheap (~0.5 USD).

Data exchange with the memory chip uses the I2C protocol, which needs two lines (not counting the ground wire Vss and the supply Vcc): SCL (synchronization) and SDA (data). The I2C protocol supports device addressing, which allows several devices of different types to be connected to the same bus. More details about the 24C16 microcircuit and about the I2C protocol can be read in this file: x24c16.pdf or here (in Russian): I2C.html.

Cards.

So, for viewing channels coded in SECA/Mediaguard or IRDETO you need a card containing a PIC16F84 microchip and a 24C16 non-volatile EEPROM (these cards are called two-chipped, as opposed to one-chipped cards containing a PIC only). The appearance of such a card is shown in the figure.

Two-chipped pic-card:

  1. PIC16F84
  2. EEPROM 24C16

By means of a programmer, the firmware, EEPROM codes and other service information are flashed into the PIC microcircuit. The PIC can be flashed through the contact platform of the card, whereas the EEPROM must either be unsoldered from the card or written with the help of the Smartmouse/Phoenix interface.
Since the codes have to be changed rather frequently, it is more convenient to build the card with sockets (people call them "beds"), so that it is easier to take a microcircuit out before flashing:


The electric circuit of a card is simple:

Contact platform       PIC16F84                        24C16
5 (Vss)      --------  5 (Vss)              --------  1,2,3,4,7 (A0,A1,A2,Vss)
1 (Vcc)      --------  14 (Vcc)             --------  8 (Vcc)
2 (RST)      --------  4 (MCLR)
3 (CLK)      --------  12, 16 (RB6,CLKIN)
7 (I/O)      --------  13 (RB7)
                       10 (RB4)             --------  5 (SDA)
                       11 (RB5)             --------  6 (SCL)

The printed circuit for a two-chip card (for microcircuits in a DIP case) from Solo can be taken here: SoloPicCard.rar. More details about manufacturing the Solo card can be read on the site http://sateurope.com/viaccess/solo/solo.html in the section "ΜΜ2 is simple". If you have a microcircuit in a surface-mount (SMD) case, the circuit can be taken from here: smd-piccard.html.

3. Assembling a programmer such as Ludipipo/JDM

To program a chip-card you need a programmer. One of the simplest to build is the Solo JDM programmer, which is an update of the traditional Ludipipo programmer. Its electric circuit can be taken here: JDM_Scheme.gif. This programmer can program PIC and EEPROM microcircuits simply by inserting them into the appropriate sockets (one at a time, of course), as well as a PIC in a card. It cannot program the EEPROM on a card, since the Data and Clock contacts of the EEPROM are not brought out to the contact platform of the card. But this does not mean that the EEPROM on a card cannot be programmed at all. The Smartmouse and Phoenix interfaces exist for this purpose; we will discuss them in the fifth part of this article. The full description of the JDM programmer from Solo is in this archive: jdm_prog.rar. Note that a null-modem cable cannot be used to connect the programmer to a computer, as the programmer has a standard 9-pin female RS232 connector. If desired, it is possible to do without a cable at all by plugging the programmer board directly into the COM port on the back of the system unit.

4. Chips-cards programming

So, everything is very simple:

A. Insert the PIC microcircuit into the programmer's socket (taking care to insert it the right way round, not backwards) and run the IC-Prog program (this program and the other programs mentioned in this article can be found in the software section).

 

First the program must be configured: in the menu "Settings - Hardware", choose JDM as the programmer type and select the number of the COM port to which it is attached.

Then:
1. Choose the type of microcircuit: "PIC 16F84"
2. Load a bin-file
3. Choose Oscillator "XT"
4. Uncheck CP (Code Protect) if you do not want to protect the written bin-file from being read.
5. Press the programming button. After programming has finished, the program automatically performs verification. If you have left CP checked, verification will not pass, since it will be impossible to read the information from the microcircuit.
If errors occur, try adjusting the settings. I had to set I/O Delay to the maximum (the menu "Settings - Hardware") for correct programming. Press the Read All button to read bin-files from the PIC.

B. Take out the PIC and put the EEPROM into the programmer's socket. Select "24C16" and then proceed as in the previous point. There are even fewer settings than for the PIC. It is possible to program the PIC without taking it out of a card: simply insert the card into the card reader and follow point A.

5. Assembly of Smartmouse/Phoenix interface

As already mentioned above, a memory microcircuit that has been soldered into a card cannot be programmed by the JDM programmer. Yet it has to be programmed more often, since the codes for the channel packages are stored in it. There is a way, however, and a rather cunning one. The card is designed so that the terminal sends requests to the card, and the card's microprocessor answers appropriately. Such a dialogue between a card and a terminal occurs everywhere: in satellite receivers, payphones and so on. There is a corresponding device for a computer as well: the Smartmouse/Phoenix. Using it and the appropriate program, it is possible to send requests to a card and receive answers from it, studying the card. The Smartmouse/Phoenix interface can work with any asynchronous card, legal or illegal, made according to the standard. For example, with the help of this device it is possible to send key-update requests to legal cards (if the corresponding coding system is broken; otherwise it is not known what request to send). Accordingly, the processor of a pic-card can be programmed in such a way that it passes all the data on to the EEPROM microcircuit (the processor has no problems with access to the memory chip). The corresponding processor firmware is called a Loader.

The card programming procedure is as follows:

  1. Take the JDM programmer and write the loader into the PIC (it usually comes along with the WinPhoenix program).
  2. With the help of the Phoenix interface and the WinPhoenix program, send a bin-file to the card; it ends up where it is needed, i.e. in the EEPROM microcircuit.
  3. Take the JDM programmer again and write into the PIC the bin-file with which the card should work.

You can take the circuit of the SmartMouse/Phoenix interface, as well as the Season interface, here: 3in1.rar (author's development by SOLO). The Smartmouse and Phoenix interfaces differ from each other only in frequency (Phoenix at 3.5 MHz, Smartmouse at 6 MHz), and Smartmouse in addition has an inverted reset. Therefore, if you need Phoenix only, you need not look for a 6 MHz quartz resonator. The cable from the COM port to the interface is the same as for the JDM.

 

P.S. 22.05.2001 - a new model of programmer from SOLO, combining JDM and Phoenix in one device, has appeared. You can download it from here: SOLO-GWR.rar.

 

All rights to this article belong to Sergey Korostel.
Reprinting and distribution in any form is allowed on condition that the name of the author and the address of this site are mentioned.
Rights to the SOLO hardware development belong to SOLO.
Translated by Anatoli Kiparuk