LeeGibling
12-13-2005, 10:17 PM
Remember the old post from March 2005 (http://www.dssftp.com/forum/t41282-extending-the-attack-range.html), where I tried to find a predictable (i.e. not influenced by random wait states) way to get one of the card's 2 answers:
ATR_DM, regular ATR
ATR_DM, ATR_DM
by modifying only one of the intervals by no more than one clock cycle.
At that time it was still necessary to send a lot of bytes and intervals to
the card to get the desired effect. These could be reduced now significantly:
; tested with a 00'd P4 of the 0006 and 0008 series
21 ; packet length
10 ; set baud rate to 9600
01 ; power up
28 00 00 ; delay
01 ; power up again to enable the
; "Before Returning from ATR Hole"
20 03 b0 ; wait for the beginning of ATR_DM
80 ; receive byte 0x33 of ATR_DM
28 00 00 ; delay
8c ; receive remainder of ATR_DM
;---------------------------
c0 00 ; send one byte to the card
20 ca 60/61 ; delay 0xCA60 or 0xCA61 intervals
c0 00 ; send again one byte to the card to suppress
; random wait states
21 60 00 ; delay
c0 00 ; send one byte to the card
;---------------------------
10 ; set baud rate to 9600
80 ; receive first character of ATR or ATR_DM
28 00 00 ; delay
8c ; receive remainder of ATR or ATR_DM
00 ; packet end
R10
Setting the interval to 20 CA 60, the script returns:
TX Data : 21 10 01 28 00 00 01 20 03 B0 80 28 00 00 8C C0
00 20 CA 60 C0 00 21 60 00 C0 00 10 80 28 00 00
8C 00
RX Data : 20 1B 33 99 FF 7F 31 00 BB F5 F1 97 9B D7 71 2F
3F 78 13 25 03 40 B0 20 FF FF 4A 50 00
which is ATR_DM + Regular ATR,
but increasing it by one to: 20 CA 61 it produces the following:
TX Data : 21 10 01 28 00 00 01 20 03 B0 80 28 00 00 8C C0
00 20 CA 61 C0 00 21 60 00 C0 00 10 80 28 00 00
8C 00
RX Data : 21 1C 33 99 FF 7F 31 00 BB F5 F1 97 9B D7 71 2F
99 FF 7F 31 00 BB F5 F1 97 9B D7 71 2F 2F
which is ATR_DM + ATR_DM.
This gives us a better chance to identify the exact time when the UART picks up
the information about the random wait states; it will apply when sending the first
byte of the second ATR_DM.