What You Need To Know About Smart-Cards And Electronics Phonecards

By Unknown, HTML'ed by Group 42


Introduction

You must not think that the electronics phone-cards are completly secret things, and that you can not read the information that are inside. It is quite false, since in fact an electronic phone-card does not contain any secret information like credit cards and an electronic phonecard is nothing else that an 256 bits EPROM, with serial output.

Besides do not think that you are going to refilled them, when you will know how these cards works, since for that you should reset the 256 bits of the cards by erasing the whole card. But the chip is coated in UV opaqued resin even if sometime you can see it as tranparent! Even if you were smart enough to erase the 256 bits of the card you should program the maer area, but these first 96 bits are writing protected by the fusang of a fuse after the card programing in factory.

Neithertheless it can be very interesting to stdy how these cards work, to see how the data are maped inside or to see if there are units left inside, besides there are a great number of applications of these cards when there are used, since you can use them as key to open a door, or you can also use them as key to secure a progpam, etc.


Schematics of the chip


                    .-------------------.
                    |                   |
                  --|> Clk              |
                    | _                 |
                  --| R/W               |
                    |                   |
                  --| Reset             |
                    |                   |
                  --| Fuse              |
                    |                   |
                  --| Vpp               |
                    |                   |
                    |                   |
                    '-.               .-'
                      |               |
                    .-------------------.
                    |               Out |-- serial output
                    '-------------------'

Pinout of the connector


          AFNOR CHIP                                   ISO CHIP
          ----------                                   --------

 -------------+-------------                 -------------+-------------
|   8         |         4   |               |   1         |         5   |
|             |             |               |             |             |
+-------\     |     /-------+               +-------\     |     /-------+
|   7    +----+----+    3   |               |   2    +----+    +    6   |
|        |         |        |               |        |         |        |
+--------|         |--------+               +--------|         |--------+
|   6    |         |    2   |               |   3    |         |    7   |
|        +    +----+        |               |        +----+----+        |
+-------/     |     \-------+               +-------/     |     \-------+
|   5         |         1   |               |   4         |         8   |
|             |             |               |             |             |
 -------------+-------------                 -------------+-------------

Pinout:


Tame Diagrams


+21V                                     _____________
+5V ____________________________________|             |_________________ Vpp
                                        :             :
+5V                  ___________________:_____________:_________________
Reset
0V  ________________|                   :             :
                    :                   :             :
+5V     ____        :      ____         :       ______:______
0V  ___|    |_______:_____|    |________:______|      :      |__________
Clock
       :    :       :     :    :        :      :      :      :
+5V    :    :       :     :    :        :______:______:      :           _
0V  ___:____:_______:_____:____:________|      :      |______:__________ R/W
       :    :       :     :    :        :      :      :      :
+5V    :    :       :_____:    :________:      :      :      :__________
0V  XXXXXXXXXXXXXXXXX_____XXXXXX________XXXXXXXXXXXXXXXXXXXXXX__________ Out
       :    :       :     :    :        :<-----><---->:      :
       :    :       :     :    :        :10 to   10 to       :
       :    :       :     :    :        :50 ms   50ms        :
        Reset        Bit 1        Bit2                           Bit 3
        card        reading      reading  Bit2 writing to 1     reading

Memory Map of the French Cards


Bytes       Bits      Binary     Hexa

                    +-----------+-----+
  1        1 --> 8  |           |     |
                    +-----------+-----+
  2       9 --> 16  | 0000 0011 | $03 | ---> a french telecard
                    +-----------+-----+
  3      17 --> 24  |           |     |
                    +-----------+-----+
  4      25 --> 32  |           |     |
                    +-----------+-----+
  5      33 --> 40  |           |     |
                    +-----------+-----+
  6      41 --> 48  |           |     |
                    +-----------+-----+
  7      49 --> 56  |           |     |
                    +-----------+-----+
  8      57 --> 64  |           |     |
                    +-----------+-----+
  9      65 --> 72  |           |     |
                    +-----------+-----+
 10      73 --> 80  |           |     |
                    +-----------+-----+
 11      81 --> 88  |           |     |
                    +-----------+-----+
 12      33 --> 40  | 0001 0011 | $13 | ---> 120 units card
                    | 0000 0110 | $06 | --->  50 units card
                    | 0000 0101 | $05 | --->  40 units card
                    +-----------+-----+
 13-31  97 --> 248  |           |     | ---> The units area: each time a unit
                    |           |     |      is used, then a bit is set to
"1";
                    |           |     |      Generaly the first ten units are
                    |           |     |      fused in factory as test.
                    |           |     |
                    |           |     |
                    |           |     |
                    +-----------+-----+
 32    249 --> 256  | 1111 1111 | $FF | ---> the card is empty
                    +-----------+-----+

Memory Map of the Other Cards

Bytes       Bits      Binary     Hexa

                    +-----------+-----+
  1        1 --> 8  |           |     |
                    +-----------+-----+
  2       9 --> 16  | 1000 0011 | $83 | ---> a telecard
                    +-----------+-----+-----------+-----+
3-4      17 --> 32  | 1000 0000 | $80 | 0001 0010 | $12 | ---> 10 units card
                    |           |     | 0010 0100 | $24 | ---> 22 units card
                    |           |     | 0010 0111 | $27 | ---> 25 units card
                    |           |     | 0011 0010 | $32 | ---> 30 units card
                    |           |     | 0101 0010 | $52 | ---> 50 units card
                    |           |     | 1000 0010 | $82 | ---> 80 units card
                    | 1000 0001 | $81 | 0000 0010 | $02 | ---> 100 units card
                    |           |     | 0101 0010 | $52 | ---> 150 units card
                    +-----------+-----+-----------+-----+
  5      33 --> 40  |           |     |
                    +-----------+-----+
  6      41 --> 48  |           |     |
                    +-----------+-----+
  7      49 --> 56  |           |     |
                    +-----------+-----+
  8      57 --> 64  |           |     |
                    +-----------+-----+
  9      65 --> 72  |           |     |
                    +-----------+-----+
 10      73 --> 80  |           |     |
                    +-----------+-----+
 11      81 --> 88  |           |     |
                    +-----------+-----+
 12      89 --> 96  | 0011 0000 | $30 | ---> Norway
                    | 0011 1100 | $3C | ---> Ireland
                    | 0100 0111 | $47 | ---> Portugal
                    | 0101 0101 | $55 | ---> Czech Republic
                    | 0101 1111 | $5F | ---> Gabon
                    | 0110 0101 | $65 | ---> Finland
                    +-----------+-----+
 13-31  97 --> 248  |           |     | ---> The units area: each time a unit
                    |           |     |      is used, then a bit is set to
"1";
                    |           |     |      Generaly the first two units are
                    |           |     |      fused in factory as test.
                    |           |     |
                    |           |     |
                    +-----------+-----+
 32    249 --> 256  |           |     |
                    +-----------+-----+

Schematic of the reader


   External 5V (Optional)

5V o------,
          |                 /             T2  PNP      d13  r7 10
0V o--,   |                /               BC 177     |\ |  _____
      |   |      ,-------o/   o--*------. E      C .--| >+-[_____]--------,
    __+__ |      |               |       \        /   |/ |                |
    \\\\\ |    __|__ Batery      |         \    /                         |
          |      -   22.5V       |       ---------                        |
.......   |      |               |   _____   |   _____                    |
       :  |    __+__             +--[_____]--*--[_____]--,                |
   D2  :  |    \\\\\                r6 150k     r5 15k   |                |
4 o-------|---------------------------*------------------|-------------,  |
       :  |                           |   r3 220k       / C            |  |
   Ack :  |                           |   _____      |/    T1 - NPN    |  |
10 o------|--------.                  '--[_____]-*---|      BC107      |  |
       :  |        |                      _____  |   |\                |  |
       : ,-,      ,-,                 +--[_____]-'      \ E            |  |
       : | |r2    | |r1               |  r4 390k         |             |  |
       : | |220   | |22k            __+__              __+__           |  |
       : |_|      |_|               \\\\\              \\\\\           |  |
       :  |  |\ |  |                                                   |  |
       :  *--| >+--|----------------*----------------------------------|--*
       :  |  |/ |  |          ,-----|-----------------------------,    |  |
       :  |  d1    |          |     |   ,----------,----------,   |    |  |
       :  |        |          |     *---|--*  Fuse | Reset *--|---'    |  |
       :  |        |          |     |   |----------|----------|        |  |
   D0  :  |        |          |   ,-|---|--*   I/O | Clk   *--|---,    |  |
2 o-------|--------|----------'   | |   |----------|----------|   |    |  |
       :  |        |              | '---|--*   Vpp | R/W   *--|---|----'  |
  Busy :  |        |              |     |----------|----------|   |       |
11 o------|--------|--------------' ,---|--*   Gnd | 5V    *  |   |       |
       :  |        |                |   '----------'-------|--'   |       |
   D1  :  |        |              __+__    Chip connector  |      |       |
3 o-------|--------|--------,     \\\\\                    |      |       |
       :  |        |        '------------------------------|------'       |
  Str  :  |  |\ |  |                                       |              |
1 o-------*--| >+--*----*----*----*----*-------------------'              |
       :   d2|/ |  |d3  |d4  |d5  |d6  |d7                                |
       :          -+-  -+-  -+-  -+-  -+-                                 |
       :          /_\  /_\  /_\  /_\  /_\                                 |
   D3  :           |    |    |    |    |   |\ | d8                        |
5 o----------------*----|----|----|----|---| >+-------*-------------------'
       :                |    |    |    |   |/ |       |
       :                |    |    |    |              |
   D4  :                |    |    |    |   |\ | d9    |
6 o---------------------*----|----|----|---| >+-------*
       :                     |    |    |   |/ |       |
       :                     |    |    |              |
   D5  :                     |    |    |   |\ | d10   |
7 o--------------------------*----|----|---| >+-------*
       :                          |    |   |/ |       |
       :                          |    |              |
   D6  :                          |    |   |\ | d11   |
8 o-------------------------------*----|---| >+-------*
       :                               |   |/ |       |
       :                               |              |
   D7  :                               |   |\ | d12   |
9 o------------------------------------*---| >+-------'
       :                                   |/ |
       :
       :
25 o------.
       :  |
.......:  |                                 d1 to d13: 1N4148
        __+__
        \\\\\

Centronic port

The Program

The following program enable to use the reader on your PC.

---- cut here (begin)
uses crt,dos;

type string8=string[8];

var reg:registers;
    i,j:integer;
    bb:array[1..32] of string8;
    bh:array[1..32] of byte;
    l:array[1..256] of boolean;
    car:char;

;-----------------------------------------------------------

procedure writeln_binaire(w:byte);

begin if (w and $80)=$80 then write('1') else write('0');
  if (w ano $40)=$40 then write('1') else write('0');
  if (w and $20)=$20 then write('1') else write('0');
  if (w and $10)=$10 then write('1') else write('0');
  if (w and $08)=$08 then write('1') else write('0');
  if (w and $04)=$04 then write('1') else write('0');
  if (w and $02)=$02 then write('1') else write('0');
  if (w and $01)=$01 then write('1') else write('0');
  writeln;
end;

;-----------------------------------------------------------

procedure send(b:byte);

begin reg.AH:=$00;
  reg.AL:=b;
  reg.DX:=0;
  intr($17,reg);
end;

;-----------------------------------------------------------

function get:byte;

begin reg.AH:=$02;
  reg.DX:=0;
  intr($17,reg);
  get:=reg.AH;
end;

;-----------------------------------------------------------

function unites:byte;

var u,idx:integer;

begin u:=0;
  idx:=97;
  while (l[idx] and (idx<257)) do
  begin inc(u);
    inc(idx);
  end;
  unites:=u;
end;

;-----------------------------------------------------------

procedure type_carte;

begin case bh[2] of
  $03: begin write('Telecard - France - ');
    case bh[12] of
     $13: write('120 Units - ',unites-130,' Units left');
     $06: write('50 Units - ',unites-60,' Units left');
     $15: write('40 Units - ',unites-40,' Units left');
    end;
  end;
  $83:begin case bh[12] of
    $30: write('Telecard - Norway - ');
    $3C: write('Telecard - Ireland - ');
    $55: write('Telecard - Czech Republic - ');
    $65: write('Telecard - Finland - ');
  end;
  if bh[12] in [$30,$3C,$55,$65] then
  begin case ((bh[3] and $0F)*$100+bh[4]) of
    $012: write ('10 Units - ',unites-12,' Units left');
    $024: write ('22 Units - ',unites-24,' Units left');
    $027: write ('25 Units - ',unites-27,' Units left');
    $032: write ('30 Units - ',unites-32,' Units left');
    $052: write ('50 Units - ',unites-52,' Units left');
    $070: write ('70 Units - ',unites-70,' Units left');
    $082: write ('80 Units - ',unites-82,' Units left');
    $102: write ('100 Units - ',unates-102,' Units left');
    $152: write ('150 Units -  ',unites-152,' Units left')
;
        end;
      end;
    write(' - N0 ',bh[5]*$100+bh[6]);
    end;
  end;
end;

;-----------------------------------------------------------

procedure attente;

  begin send($00);
    [write('Entrer une carte et presser une touche ...');]
    repeat until keypressed;
    writeln;
  end;

;-----------------------------------------------------------

function value(s:string8):byte;

  var b:byte;

  begin b:=0;
    if s[8]='1' then b:=b+$01;
    if s[7]='1' then b:=b+$02;
    if s[6]='1' then b:=b+$04;
    if s[5]='1' then b:=b+$08;
    if s[4]='1' then b:=b+$10;
    if s[3]='1' then b:=b+$20;
    if s[2]='1' then b:=b+$40;
    if s[1]='1' then b:=b+$80;
    value:=b;
  end;

;-----------------------------------------------------------

procedure write_hexa(s:string);

  var i:integer;

  begin if s='0000' then write('0') else
    if s='0001' then write('1') else
    if s='0010' then write('2') else
    if s='0011' then write('3') else
    if s='0100' then write('4') else
    if s='0101' then write('5') else
    if s='0110' then write('6') else
    if s='0111' then write('7') else
    if s='1000' then write('8') else
    if s='1001' then write('9') else
    if s='1010' then write('A') else
    if s='1011' then write('B') else
    if s='1100' then write('C') else
    if s='1101' then write('D') else
    if s='1110' then write('E) else
    if s='1111' then write('F');
  end;

;-----------------------------------------------------------

procedure lecture;

  var i,j,k:integer;

  begin send($FA);
    send($F8);
    k:=1;
    for i:=1 to 32 do
    begin bb[i]:='';
      for j:=1 to 8 do
      begin seno($F9);
        l[k]:=not((get and $08)=$08);
        if l[k] then insert('1',bb[i],j) else insert('0',bb[i],j);
        send($FB);
        inc(k);
      end;
    end;
end.