Making Use of a Motorola Smart Card – Part 2

(Disclaimer: Smart card piracy is a very bad thing. This set of blog posts is NOT intended to further illegal hacking of paid services, but is merely a personal record of my research, which is not being done for any financial reasons but is only done for personal leisure. Besides, these cards won’t help you break scrambled TV signals, so don’t bother trying it :))

In between pulling all-nighters goofing off doing college homework and trying to stay marginally sane and/or healthy, I’ve been doing some more research into the cards. This time, I was a bit more invasive with my approach. However, I’ve found out a bit more about the card’s brains this way.

I’ve torn open one of the cards and taken a peek inside. The chip itself is a bit different in that the epoxy backing is molded much like a regular chip as opposed to the drop of epoxy used in many newer cards. The chip itself is pretty big, at 6mm x 4mm and with 0.1 mm thickness; the center gold pad is the entire area of the card.

There are many methods of getting the plastic off of a chip, and the more professional labs use fuming nitric acid (very nasty stuff) but one easy way to do so at home is using a blowtorch to burn the epoxy and simply chip it off with a toothpick. If it’s burnt thoroughly enough, the epoxy will just fall off the chip, revealing the pretty silicon underneath. I used a small butane torch to heat up the chip, which was done outside and on a piece of ceramic tile (safety first! :)) After a bit of picking at the chip, I was able to see the inner workings of the smart card’s chip.

I see 4 large blocks on the die but can’t tell much more without a microscope, and a 10x jewelry loupe only goes so far. My best guess is that the 4 blocks encompass the CPU, RAM, program ROM and maybe some EEPROM storage. There are 14 pads on the chip; 5 pins are used for the contacts, maybe 2-3 for the radio interface, and the others might be for factory testing or programming, but it’s speculation at best.

Now hopefully my college prof won’t mind me using the classroom microscope later this week 🙂

Making Use of a Motorola Smart Card (part 1 of ???)

(Disclaimer: Trying to pirate satellite TV using hacked smart cards is dumb and wrong; I am writing this article merely to explore the card and the field of smart cards in general, and to provide some sort of documentation on this otherwise unknown card.)

Back in the summer I bought four generic, blank (I assume) Motorola brand smart cards from Active Surplus during my vacation to Toronto. Over the past few weeks I’ve been doing some research and hands-on testing of what this card is (in)capable of doing.

The card itself is an ISO 7816-compliant smart card that uses the asynchronous (UART) T=0 byte-wise protocol and communicates using industry standard APDU (application protocol data unit) commands.

The card is a dual-interface card; it has the standard six-contact chip and also has an antenna for RFID. There is an antenna coil 3 windings wide around the perimeter of the card that connects to the chip itself. So far I have not had any progress in getting it to contact an RFID reader, but hooking up an LED from the chip’s Vcc to ground causes it to flash when brought up to a BlackBerry Bold’s NFC antenna.

The chip has an answer-to-reset of 3B 76 13 00 00 80 62 07 41 81 80. When parsing this via the pyscard smart card library (http://smartcard-atr.appspot.com/parse?ATR=3B76130000806207418180), the site identifies it as a “Generic mass produced Motorola smart card”, which doesn’t get me any further than what I already know; the Motorola logo is in the center of the darn chip!
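The ATR quoted above can also be decoded offline by walking its bytes as ISO/IEC 7816-3 lays them out. The Python below is an added example, not code from the original post; `parse_atr`, `CARD_ATR` and the result keys are illustrative names, and the Fi/Di tables are taken from the standard.

```python
# Fi/Di lookup tables from ISO/IEC 7816-3 (None = reserved for future use)
F_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
           None, 512, 768, 1024, 1536, 2048, None, None]
D_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20] + [None] * 6

def parse_atr(hex_str):
    atr = bytes.fromhex(hex_str)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte or ATR too short")
    iface, protocols = {}, []
    k = atr[1] & 0x0F            # T0 low nibble: count of historical bytes
    y = atr[1] >> 4              # T0 high nibble: which of TA1..TD1 follow
    pos, i = 2, 1
    while y:
        for bit, name in enumerate("ABCD"):
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                iface[f"T{name}{i}"] = atr[pos]
                pos += 1
        td = iface.get(f"TD{i}")
        if td is None:
            break
        protocols.append(td & 0x0F)   # TDi low nibble: offered protocol T
        y, i = td >> 4, i + 1
    protocols = protocols or [0]      # no TD1 at all means T=0 only
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    # TCK (XOR over T0..TCK) is present only if a protocol other than T=0 is offered
    tck_ok = None
    if any(p != 0 for p in protocols):
        if pos >= len(atr):
            raise ValueError("TCK expected but missing")
        x = 0
        for b in atr[1:pos + 1]:
            x ^= b
        tck_ok = (x == 0)
    ta1 = iface.get("TA1", 0x11)      # default Fi=1, Di=1 when TA1 is absent
    return {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "interface": iface, "protocols": protocols, "historical": hist,
            "F": F_TABLE[ta1 >> 4], "D": D_TABLE[ta1 & 0x0F], "tck_ok": tck_ok}

CARD_ATR = "3B 76 13 00 00 80 62 07 41 81 80"   # ATR quoted in the post

if __name__ == "__main__":
    for key, value in parse_atr(CARD_ATR).items():
        print(key, value.hex(" ") if isinstance(value, bytes) else value)
```

For this card, T0 = 0x76 announces TA1, TB1 and TC1 plus six historical bytes, and the absence of TD1 means only T=0 is offered, so no TCK checksum follows. TA1 = 0x13 selects F = 372 and D = 4, i.e. one bit time of 93 clock cycles.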

Current attempts to make use of the card have been unsuccessful. It responds with 0x6D00 (unknown command) on pretty much every industry-standard command I try. The only command that doesn’t give this is 0xC0 00 00 00, which is the “GET RESPONSE” command which returns 0x6F00 (generic error, no details available).

Attempts to get the card running with PC/SC have not gone far. The system will acknowledge its existence and with a bit of work in the Registry, I can get it to register as a “Generic Motorola SmartCard”. That said, this still doesn’t get anywhere. Attempts to use it to store credential certificates cause Windows to say that ‘the card is not the one required for the current operation.’

I think that the card may simply be unprogrammed and is merely running a bootloader to install firmware on, but since many smart cards have mask ROM, there is a chance that the card is of pretty much no use. But hey, for 50 cents for a smart card it’s no big loss.

If you know anything else about this smart card, gimme a shout in the comments section. I’ll be posting more updates as I find out more about this peculiar piece of plastic.