A Study of Smart Cards

Cards are quite an interesting species of object that have invaded our lives in every way: we use them for public transit, laundry, gift cards, phone cards, credit cards, etc. One could gather quite a lot of power by not only understanding how they function, but also by being able to tamper with their data. I must admit that I have absolutely no knowledge (or almost) of those devices, but hopefully, by the end of this project, this will have completely changed.

Visual Study of Smart Cards

Smart cards are usually the size of credit cards, and their dimensions are defined by the ISO/IEC 7810 standard. The standard defines four card sizes: ID-1, ID-2, ID-3 and ID-000. Smart cards usually fall into the ID-1 category, although some fall into the ID-000 category, which mostly comprises SIM cards. Each of them is 0.76 mm thick. The properties are defined as follows [1]:

Example of a card using a chip
Format   Dimension          Usage
ID-1     85.60 × 53.98 mm   Most banking cards and ID cards
ID-2     105 × 74 mm        German ID cards issued prior to Nov 2010
ID-3     125 × 88 mm        Passports and Visas
ID-000   25 × 15 mm         SIM cards

The material used for the card is usually polyvinyl chloride (PVC). Of course, the most interesting item on the card is that golden connector. There are various types of connectors, as shown in the picture below:

Different Layouts of Cardpads

There are also three main types of smart cards: contact cards, contactless cards and vault cards [2].

The three main types of Smart Card available

The two that actually matter in everybody’s life are the contact and contactless cards, the latter being used in public transit most of the time. For now I’ll concentrate on contact cards.

Contact Cards

Information is transferred to the reader through electrical connectors, i.e. the golden chip on the card. Usually, the chip has around 8 connectors, as follows:

Contact cards are divided into two categories: memory cards and multiprocessor cards. Memory cards are further divided into 3 categories:

  • Straight Memory Cards
  • Protected/Segmented Memory Cards
  • Stored Value Memory Cards

The Project

I recently got handed a laundry smart card and, for some reason, got fascinated with it. I never really played with hardware, but those devices have interested me to the point of studying them in a special project. The goal is to be able to modify the contents of the memory of the card. This project will be conducted in two phases:

  1. Dump the content of the memory into my computer
  2. Alter the content and write it back to the card

System Description

A client is handed a smart card called “SmartCity” from a company called Coinamatic, which provides laundry solutions to property managers. The card can be loaded and recharged using coins or debit/credit cards through “reload centers”. You can put up to $50 maximum on the card. To use the facilities, you need to insert the card into a slot built into the washers/dryers. The washer is a Commercial Energy Advantage Top Load Washer, model MAT14PRAWW. The dryer is a 27″ Commercial Single-Load Electric Stack Dryer, model MLE24PRAZW.

Next post: the card reader/writer

See also:

EMV 4.2 Specification, EMVCo, May 2008, http://emvco.com/ accessed on 2009-07-20

Infineon SLE4442, Flylogic Engineering’s Analytical Blog, December 1st, 2007, http://www.flylogic.net/blog/?p=17 accessed on 2009-07-20

How-to: Read a FedEx Kinko’s smart card (SLE4442), Ian Lesnet, Hack-a-day, November 28th, 2008, http://hackaday.com/2008/11/25/how-to-read-a-fedex-kinkos-smart-card-sle4442/, accessed on 2009-07-20

Intelligent 256-Byte EEPROM SLE 4432/SLE 4442, Siemens, 1995, http://www.smartcardsupply.com/PDF/DS_sle4432_42_0795.pdf accessed on 2009-07-20

Kinko’s Smart Card (Siemens SLE4442 memory chip), Strom Carlson, http://www.stromcarlson.com/projects/smartcard/format.pdf accessed on 2009-07-20

1K EEPROM – Security Logic with Two Application Zones AT88SC102, Atmel, 1999, http://www.datasheetcatalog.org/datasheet/atmel/DOC1419.PDF accessed on 2009-07-20

[1] ISO/IEC 7810, Wikipedia, http://en.wikipedia.org/wiki/ISO/IEC_7810 accessed on 2009-07-20

[2] Types of Chip Cards, Smart Card Basics, 2005,  http://www.smartcardbasics.com/cardtypes.html accessed on 2009-07-20

Author: Jonathan Racicot


7 thoughts on “A Study of Smart Cards”

  1. I came across this post, and I was wondering what headway you have made into modifying the card… I am also interested to see how these things work.

    1. Unfortunately, no. I’ve been lazy and I got a new job in a new town and a new girlfriend; mix the three together and this is just another thing (the blog actually) that fell into the cracks. Fortunately things are getting quieter now and I’m taking back (once again) charge of the blog. Thanks for your comment.

  2. Have you maybe made any more progress on this?

    My apartment building recently upgraded to these cards and I got fascinated by them as well. Specifically after I figured out that those machines aren’t connected to anything (at least in my building), and as such there’s virtually no way for them to check who used them and how much he had on the card.

    So I’ve been looking into it, trying to figure out which card reader I should use with it, etc…

    And actually, my idea is slightly simpler (maybe?) than yours — I was thinking about loading the max cash amount to my card, then dumping the data off the card to an image, and then simply cloning it… So in theory, if it would work, I could simply make as many cards as I want and use them, instead of actually trying to rewrite anything on the card.

    Anyway, here’s hoping that you will continue this interesting experiment 🙂

  3. In fact, Flylogic specifically state that PSC logic control allows one to fool the device into thinking a correct PSC has been entered, allowing the actual PSC value to be retrieved using command $31.

    If you look at the specs, write-access & other privileged commands cannot be DISabled via a command. The device has to be powered down. Simply providing a 5v loop to the device & then placing it in a host with the PSC means that you can then place the card into an appropriate reader/writer & command $31 to get the PSC – not secure for sure!

    1. Hi Borohydride. Can you help me?
      I’m not kidding you when I tell you I’ve been looking for days for the APDU commands for
      the sle5542 smart card.
      I have read the datasheet… and I still can’t figure it out.
      The APDU RESET command is: FF A4 00 00 01 06
      The command I’m looking for is : Read security memory

      The command should look something like the same format as the “reset” command… I’m assuming.

      I’m not sure why the codes are so hard to locate.

      If you could provide me with the command, I would appreciate it.
