Cryptoworks FAQ By SlayraCkEr

Contents:
1 - INFORMATION
2 - DESCRIPTION OF SYSTEM
3 - DESCRIPTION OF INSTRUCTIONS
4 - LOGICAL STRUCTURE OF THE CARD
5 - DECODE
6 - DICTIONARY
Note: This is a conversion of the Polish version. There is not much additional new information here, but a new version is coming soon, with new instructions and new ACK info. Sorry for mistakes in translating from Polish to English, and please don't forget: it is made for educational purposes.
1 - INFORMATION
This description is based on the work of many people, mostly anonymous, so I will not name them here, as it would serve no purpose. The work is educational in character; it was compiled on the basis of more or less empirical experience. The anonymous author takes no responsibility for the purposes this information is used for, so if you read further you do so at your own full responsibility.
Wherever "??" appears, it means that I lack that information too.
Wherever "**" appears, it means that the description largely follows ISO 7816.
2 - DESCRIPTION OF SYSTEM
Briefly: it is based on the ISO/IEC 7816 specification.
Scheme of an instruction to the card (**):
[CLA INS P1 P2 LEN]
Where:
CLA       - Class; in the cards I have met it is always the same (A4 in every example below)
INS       - Instruction to execute
P1 and P2 - Parameters of the instruction
LEN       - Length of the instruction data that are sent after the header
Scheme of communication between card and CAM:
> [CLA INS P1 P2 LEN]
< [ACK]
<>[DATA]
< [SW1 SW2]
Where:
>    - data going to the card
<    - data going to the CAM
<>   - data going to the card or to the CAM, depending on the instruction
ACK  - confirmation by the card that it has accepted the instruction. Normally ACK = INS; sometimes the card instead returns SW1SW2 at once, depending on the card.
DATA - data for the card or for the CAM.
SW1SW2 - status of the card after the instruction (**):
6B xx - bad parameter P1 or P2 in the instruction
6D 00 - unknown instruction
6E 00 - unknown class
6F 04 - unidentified technical error (may also be 6F 00)
67 xx - wrong length in the instruction; the card expects LEN = xx
90 00 - instruction executed, OK
94 00 - no FILE has been selected
94 02 - out of range: end of data, nothing more to return (e.g. in instruction B8)
94 04 - record not found by the card, instruction rejected (FILE or record not found)
98 04 - bad PIN code
98 05 - computed signature wrong (bad signature)
98 40 - limit of PIN attempts exceeded (wrong PIN entered 6x); PIN blocked
9F xx - in instruction A2: xx is the length of data for the next instruction B2
9F 11 - in instruction A4: FILE changed OK; 11 is the length of the FILE information that can be collected with C0
9F 1C - in instruction 4C: 1C is the length of data for the next instruction C0
ANSWER TO RESET: ATR (**):
Before the card begins cooperation with the CAM it receives a RESET, and in answer to the reset it returns the ATR, which defines the transmission parameters, the card version, etc.
Typical CRYPTOWORKS ATRs are:
3B 78 12 00 00 54 C4 00 07 8F F1 [90 00] - card type 0 (oldest)
3B 78 12 00 00 54 C4 01 07 8F F1 [90 00] - card type 1 (oldest)
3B 78 12 00 00 54 C4 02 07 8F F1 [90 00] - card type 2 (oldest)
                     ^  ^
                     |  +-- counter of allowed wrong PIN attempts (counting down, value 00-07)
                     +----- card version
However, these are unsuitable:
3B 78 12 00 00 54 C4 00 07 FF FF [6F 04]
3B 78 12 00 00 54 C4 01 07 FF FF [6F 04]
3B 78 12 00 00 54 C4 02 07 FF FF [6F 04]
They result from programming at an unsuitable, most often too low, supply voltage, e.g. from a battery.
With such a card almost all instructions answer SW1SW2 = [6F 04]; the only instruction that is accepted correctly after such an ATR is instruction 58.
Perhaps it is this instruction that is responsible for the state the card with such an ATR is in.
Note: instruction 58 differs only slightly from instruction 48, which can get "lost" in the course of programming.
Cards with an ATR ending in [6F 04] are most probably in a "service mode". Apart from instruction 58, which is available in this mode, the card also recognises the instructions 22, 88 and D2, absent in the "normal" mode; they too answer SW1SW2 = 6F04, which suggests that they may be usable in yet another mode.
With the original tuner the card communicates with the following parameters:
Parameters before RESET: 9600,e,8,2
Parameters after RESET:  9600,e,8,2
With the CRYPTOWORKS CAM the card communicates with the following parameters:
Parameters before RESET: 9600,e,8,2
Parameters after RESET:  19200,e,8,2
Occasionally, as a rare phenomenon, a card is served by a tuner with another transmission speed, e.g. 8661 bd.
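An added example (not part of the original FAQ) that splits an ATR into its ISO 7816-3 fields and then reads the bytes the FAQ points at: the card version after 54 C4 and the wrong-PIN counter after it, with a tail of FF FF instead of 8F F1 marking the "service mode" ATR. It assumes the bracketed [90 00] / [6F 04] are the last two historical bytes (T0 = 78 promises 8 of them) and that the card clock is the usual 3.5712 MHz, which makes the rate TA1 advertises equal to the 19200 bd the FAQ gives for the CAM.

```python
# Added example, not from the FAQ: ISO 7816-3 ATR split plus the FAQ's reading of the
# CRYPTOWORKS historical bytes (version = 3rd, PIN counter = 4th, 8F F1 vs FF FF = 5th/6th).
# Fi/Di tables are from ISO 7816-3; the 3.5712 MHz clock is an assumption.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}
CARD_CLOCK_HZ = 3_571_200


def parse_atr(atr: bytes) -> dict:
    """Return TS, T0, the interface bytes (TA1, TB1, ...) and the historical bytes."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: TS must be 3B (direct) or 3F (inverse)")
    t0 = atr[1]
    k = t0 & 0x0F            # number of historical bytes promised by T0
    y = t0 >> 4              # which of TA1 TB1 TC1 TD1 follow
    pos, i, interface = 2, 1, {}
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside the interface bytes")
                interface[f"{name}{i}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:       # no TDi -> no further interface bytes
            break
        y, i = td >> 4, i + 1
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError(f"ATR truncated: T0 promises {k} historical bytes, {len(historical)} present")
    return {"TS": atr[0], "T0": t0, "interface": interface,
            "historical": historical, "tail": atr[pos + k:]}


def cryptoworks_fields(atr: bytes) -> dict:
    """Interpret the historical bytes of a CRYPTOWORKS ATR the way the FAQ describes them."""
    p = parse_atr(atr)
    h = p["historical"]
    if len(h) < 6 or h[:2] != b"\x54\xc4":
        raise ValueError("historical bytes do not start with 54 C4 as in the FAQ's ATRs")
    ta1 = p["interface"].get("TA1")
    baud = None
    if ta1 is not None:
        fi, di = FI_TABLE.get(ta1 >> 4), DI_TABLE.get(ta1 & 0x0F)
        if fi and di:
            baud = CARD_CLOCK_HZ * di // fi      # rate TA1 advertises; 19200 for TA1 = 12
    return {
        "version": h[2],                          # 00 / 01 / 02: card type
        "pin_tries_left": h[3],                   # 00-07, counts down on wrong PINs
        "service_mode": h[4:6] == b"\xff\xff",    # FF FF instead of 8F F1: "service mode" ATR
        "advertised_baud": baud,
    }


if __name__ == "__main__":
    # Constructed from the ATRs listed in the FAQ, brackets removed.
    for hexs in ("3B 78 12 00 00 54 C4 00 07 8F F1 90 00",
                 "3B 78 12 00 00 54 C4 02 07 FF FF 6F 04"):
        print(hexs, "->", cryptoworks_fields(bytes.fromhex(hexs)))
```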
3 - DESCRIPTION OF INSTRUCTIONS
In normal working mode the card recognises the following instructions:
Instruction "20" - Verify PIN (**)
Instruction "24" - Change PIN
Instruction "26" - Disable PIN (??)
Instruction "40" - (??) (Soon...)
Instruction "42" - Add/Delete Record (for a single card)
Instruction "44" - Create Record (??)
Instruction "48" - Add/Delete Record (for a group of cards)
Instruction "4A" - (??) (Soon...)
Instruction "4C" - Ask
Instruction "58" - Dump EEPROM (??)
Instruction "C0" - Get Response (**)
Instruction "A2" - Seek (**)
Instruction "A4" - Select File (**)
Instruction "B0" - Read Binary (**)
Instruction "B2" - Read Record(s) (**)
Instruction "B8" - Read Serial Data (??)
Instruction "20" - Verify PIN - checks the user PIN (**)
Format:
>A4 20 00 00 04 : Verify PIN
<ACK
>3x 3y 3z 3q : the PIN "xyzq" as ASCII digits 3x 3y 3z 3q
<SW1SW2
Note: After an erroneous result of this instruction the PIN can be read from the card with instruction 58. The PIN can also be read with instruction B2 from FILE 3F20_2F11 (record 07 _ _).
Instruction "24" - Change PIN - changes the user PIN (**)
Format:
>A4 24 00 00 08 : Change PIN
<ACK
>3x 3y 3z 3q 3a 3b 3c 3d : old PIN "xyzq", new PIN "abcd"
<SW1SW2
Note: A forgotten (9804) or blocked (9840) PIN can be reset ("wyzerować") with instruction 42.
Instruction "26" - Disable PIN or Verify PIN2 (**)
Format:
>A4 26 00 00 04 : Disable PIN (??)
<ACK
>3x 3y 3z 3q : the PIN "xyzq" in the format 3x 3y 3z 3q
<SW1SW2
Note:
Instruction "40"
Format:
Note: The instruction requires data to be supplied...
Instruction "42" - adds or erases a registration in the compound records of one concrete card, identified by [80 05]
Depending on the data supplied, the instruction:
- erases from the card a registration with entitlement dates,
- resets the user PIN on the card,
- adds a registration with entitlement dates.
Instruction 42 is addressed to a concrete card, identified by the serial number supplied in [80 05].
Instruction 42 is signed with the help of the CAM by an 8-byte (64-bit) SIGNATURE confirming the correct origin of the instruction. In cards of types 0, 1 and 2 this SIGNATURE is at present the sole flaw of the system: these cards have no procedures preventing the signature from being calculated (the response time of the procedure, dtt+a, differs from dtt+b depending on whether correct data were supplied or not).
Format:
>A4 42 00 00 xx : xx is obviously the length of the instruction data
<ACK
>28 00 yy : yy = xx - 3, because 2 bytes have gone on 28 00 and 1 byte on the length "yy"
>A1 L1 [DATA]
>A2 L2 [DATA]
>...
>An Ln [DATA]
>DF 08 [signature]
<SW1SW2
Because the length xx of the instruction, and with it yy, can vary, A1L1, A2L2 ... AnLn are the successive data cells of the instruction, where An is the tag (name) of the cell and Ln the length of the data in the cell. All cells are placed in the proper FILES (**), and they carry such information as the card serial number, entitlement dates etc.; more about that later.

Examples of instruction 42:
Cancellation of a concrete registration with entitlement dates and status 20:
>A4 42 00 00 1F
<ACK
>28 00 1C : required bytes
>80 05 sn sn sn sn sn : serial number
>83 01 ff : Provider ID
>89 01 0A : mode of work of the card
>93 03 gg hh hh : gg - status, hh hh - ChID identifier of the provider
>DF 08 ss ss ss ss ss ss ss ss : 8-byte signature
<SW1SW2
Cancellation of all registrations with status 20 up to a definite date (independently of ChID):
>A4 42 00 00 1E
<ACK
>28 00 1B : required bytes
>80 05 aa bb cc dd ee : serial number
>83 01 ff : Provider ID
>89 01 0B : mode of work of the card
>94 02 gg gg : date; all registrations with an entitlement date before this date are erased
>DF 08 [Signature] : 8-byte signature
<SW1SW2
Dates can be converted from their HEX form in the following way.
E.g.: the date 16A9 (09.05.2001) has the BIN form 0001011010101001.
We group it into 7 bits - 4 bits - 5 bits: 0001011 0101 01001
and convert the groups to DECIMAL: 11 5 9.
It suffices to add 1990 to the first group and we have: 2001 05 09.
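An added example (not from the original FAQ) that turns the hand conversion above into a codec for the 16-bit date word (7 bits of year since 1990, 4 bits of month, 5 bits of day) and applies it to the 2-byte and 4-byte date tags used by instructions 42, 48 and 4C. The big-endian byte order inside a tag, and the rejection of an inverted 8D range, are my assumptions.

```python
# Added example, not from the FAQ: codec for the date word the FAQ decodes by hand
# (16A9 -> 09.05.2001). Byte order inside 8D 04 / 8E 02 / 94 02 is assumed big-endian.
from datetime import date

YEAR_BASE = 1990


def decode_cw_date(word: int) -> date:
    """Split a 16-bit word 7-4-5 and add 1990 to the year field; impossible dates raise."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("date word must fit in 16 bits")
    year = YEAR_BASE + (word >> 9)     # top 7 bits: 0001011 -> 11 -> 2001
    month = (word >> 5) & 0x0F         # next 4 bits: 0101 -> 5
    day = word & 0x1F                  # low 5 bits: 01001 -> 9
    return date(year, month, day)      # date() rejects month 0/13+ and day 0/32


def encode_cw_date(d: date) -> int:
    """Inverse of decode_cw_date; the year field only has 7 bits (1990..2117)."""
    if not YEAR_BASE <= d.year <= YEAR_BASE + 0x7F:
        raise ValueError("year outside the 7-bit range 1990..2117")
    return ((d.year - YEAR_BASE) << 9) | (d.month << 5) | d.day


def decode_date_field(value: bytes) -> date:
    """Value of a 2-byte date tag (8E 02 current date, 94 02 erase-before date)."""
    if len(value) != 2:
        raise ValueError("date field must be exactly 2 bytes")
    return decode_cw_date(int.from_bytes(value, "big"))


def decode_date_range(value: bytes) -> tuple:
    """Value of tag 8D 04: begin date followed by end date; an inverted range raises."""
    if len(value) != 4:
        raise ValueError("8D value must be exactly 4 bytes")
    begin, end = decode_date_field(value[:2]), decode_date_field(value[2:])
    if end < begin:
        raise ValueError(f"end date {end} precedes begin date {begin}")
    return begin, end
```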
Resetting the PIN code: in Polish cards the PIN is reset after this operation.
>A4 42 00 00 1D
<ACK
>28 00 1A : required bytes
>80 05 aa bb cc dd ee : serial number
>83 01 ff : Provider ID
>8E 02 gg gg : current date
>97 00 : (??)
>DF 08 [Signature] : 8-byte signature
<SW1SW2
Adding a registration with entitlement dates, addressed to a concrete card:
>A4 42 00 00 3A
<ACK
>28 00 37
>80 05 aa bb cc dd ee : serial number
>83 01 ff : Provider ID
>8C 03 gg hh hh : status + CHID
>8D 04 jj jj kk kk : the entitlement is valid in this date range (begin - end)
>92 01 01 : (??)
>D5 10 [DATA] : package name, 12 bytes + 4 additional bytes VER
>D6 01 20 : (??)
>DF 08 [Signature] : 8-byte signature
<SW1SW2
Instruction "44" - change/addition of a registration on the card; the exact purpose of this instruction is not clear.
The instruction is sent to all cards of a given provider, identified by [83 01]!!
It is used to introduce registrations with status A0, which makes little sense, because the operator normally uses registrations with status 20. Probably the instruction is used for initialisation of the card.
Format: analogous to instr. 42
>A4 44 00 00 xx ; xx - length of the data (no [80 05] serial number in the example below)
<ACK
>28 00 yy : yy = xx - 3, because 2 bytes have gone on 28 00 and 1 byte on the length "yy"
>A1 L1 [DATA]
>A2 L2 [DATA]
>...
>An Ln [DATA]
>DF 08 [Signature]
<SW1SW2

Example of the instruction:
Despite the instruction completing with SW1SW2 = 9000, the entitlement dates of a registration already on the card for the given ChID are not changed (unlike instr. 48). The instruction is also used for adding registrations. Probably it works like this: if there is no such registration it creates one on the card; if the registration exists, the card answers SW1SW2 = 9000 and leaves the registration unchanged.
>A4 44 00 00 43
<ACK
>28 00 40 : S.M.
>83 01 aa : Provider ID (refers to a different key than in instr. 42, 4C and 48)
>89 01 80 : mode of work of the card (??)
>8C 03 ss cc cc : ss - status, cccc - ChannelID, the identifier of the package the operation is performed on
>8D 04 ee ee ff ff : the entitlement is valid in this date range (begin - end)
>92 xx [DATA] ; channel bitmap
>D5 10 [DATA] ; package name, 12 bytes + 4 additional bytes VER
>DF 08 [Signature]
<SW1SW2
Instruction "48" - adds or erases registrations in the compound records of a group of cards defined by [80 04] (the group) and [DE 20] (which cards within it); it is as follows..
Depending on the data supplied, the instruction:
- erases from the card a registration with entitlement dates,
- adds a registration with entitlement dates,
- changes keys on the card.
Note: The contents of the instruction can be encrypted..
Form analogous to instructions 42 and 44; the instruction is addressed to a chosen group of cards defined by [80 04], with the target cards within the group described by the [DE 20] tag.
Example:
Cancellation of registrations with status 20 whose date has passed:
>A4 48 00 00 3F
<ACK
>28 00 3C : S.M.
>80 04 aa bb cc dd : first 4 bytes of the serial number (address of the card group)
>83 01 ee : Provider ID + KeyIndex (e.g. C is Digiturk, 0 is Main, 4 is Spare)
>89 01 0B : mode of work of the card (??)
>94 02 ff ff : current date minus 1 month (the operator erases registrations about a month back)
>DE 20 [DATA] : CUSTWP bitmap; always filled with FF here, because the instruction concerns all cards in the group
>DF 08 [Signature]
<SW1SW2

Adding a registration to the card (FILE 1Fxx_0F20). If the registration already exists, a new one is not added; if it exists with other dates, the dates are changed. Used by the operator to change the entitlement dates of packages.
>A4 48 00 00 72
<ACK
>28 00 6F
>80 04 aa bb cc dd : first 4 bytes of the serial number (address of the card group)
>83 01 ee : Provider ID + KeyIndex (e.g. C is Digiturk, 0 is Main, 4 is Spare)
>8C 03 ff gg gg : ff - status, gggg - ChannelID, the identifier of the package the operation is performed on
>8D 04 ii ii jj jj : the entitlement is valid in this date range (begin - end)
>92 xx [DATA] : channel bitmap
>D5 10 [DATA] : package name, 12 bytes + 4 additional bytes VER
>D6 08 [DATA] : name of the provider
>DE 20 [DATA] : CUSTWP bitmap (ShortName: ChanBitmap); always filled with FF here, because the instruction concerns all cards in the group
>DF 08 [Signature]
<SW1SW2

Adding a registration to the card (FILE 1Fxx_0F00). If the registration already exists, a new one is not added; if it exists with other dates, the dates are changed. Used by the operator to change the entitlement dates for software download.
>A4 48 00 00 65
<ACK
>28 00 62
>80 04 aa bb cc dd : first 4 bytes of the serial number (address of the card group)
>83 01 ee : Provider ID + KeyIndex (e.g. C is Digiturk, 0 is Main, 4 is Spare)
>8C 03 ff gg gg : ff - status, gggg - ChannelID, the identifier of the package the operation is performed on
>8D 04 ii ii kk kk : the entitlement is valid in this date range (begin - end)
>8F 01 xx : (??)
>91 01 yy : (??)
>D5 10 [DATA] : package name, 12 bytes + 4 additional bytes VER
>D6 08 [DATA] : name of the provider
>DE 20 [DATA] : CUSTWP bitmap (ShortName: ChanBitmap); always filled with FF here, because the instruction concerns all cards in the group
>DF 08 [Signature]
<SW1SW2
The last byte of the card serial number (completing [80 04] to [80 05]) is derived by the card from the contents of [DE 20] in the following manner: the 32 bytes (32*8 bits = 256 bits) form the CUSTWP bitmap, and each set bit defines one value of the complementary last serial byte.
The bits are numbered from 0 to 255 starting from the right:
ADR.    FF FE FD FC FB FA F9 F8 : F7 ..... 0A 09 08 : 07 06 05 04 03 02 01 00   HEX
[DE 20]  1  0  1  1  0  0  1  0 :  1 .....  0  1  1 :  1  0  1  1  0  0  1  1   BIN
That is, the cards of the group with address [80 04] whose serial number ends with the byte FF, FD, FC, F9, F7 ... 09, 08, 07, 05, 04, 01 or 00 should execute this instruction and report correct execution..
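An added example (not from the original FAQ) that decodes the [DE 20] bitmap exactly as the table above describes it, so a log analyst can list which last-serial-byte values an instruction 48 addresses and check whether a given card is among them. The sample bitmap is constructed from the table (the "F7 ....." middle bits are left at zero); group and serial numbers are made-up values.

```python
# Added example, not from the FAQ: decode the 32-byte CUSTWP bitmap carried in tag
# [DE 20]. Bit n (0..255, numbered from the right as in the FAQ's table) set means the
# card of group [80 04] whose last serial-number byte equals n is addressed.
def addressed_last_bytes(custwp: bytes) -> list:
    """List, highest first, of every last-serial-byte value whose bit is set."""
    if len(custwp) != 32:
        raise ValueError(f"CUSTWP bitmap must be 32 bytes, got {len(custwp)}")
    bits = int.from_bytes(custwp, "big")      # bit 0 = rightmost bit of the last byte
    return [n for n in range(255, -1, -1) if (bits >> n) & 1]


def is_addressed(custwp: bytes, group: bytes, serial: bytes) -> bool:
    """Does this [80 05] serial fall in group [80 04] and have its bit set in [DE 20]?"""
    if len(group) != 4 or len(serial) != 5:
        raise ValueError("group address is 4 bytes, serial number 5 bytes")
    if serial[:4] != group:
        return False                           # wrong group: instruction not for this card
    return bool((int.from_bytes(custwp, "big") >> serial[4]) & 1)


def build_custwp(last_bytes) -> bytes:
    """Inverse: bitmap addressing exactly the given last-serial-byte values."""
    bits = 0
    for n in last_bytes:
        if not 0 <= n <= 0xFF:
            raise ValueError(f"{n} is not a byte value")
        bits |= 1 << n
    return bits.to_bytes(32, "big")


# Constructed sample reproducing the FAQ's table: top byte B2 = bits FF FD FC F9,
# byte 30 = 03 -> bits 09 08, last byte B3 = bits 07 05 04 01 00; the "F7 ....."
# middle is left at zero. An all-FF bitmap (what the FAQ says the operator normally
# sends) addresses every card in the group.
FAQ_SAMPLE = bytes([0xB2]) + bytes(29) + bytes([0x03, 0xB3])
ALL_CARDS = b"\xff" * 32
```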

Key change on the card - the instruction may be encrypted:
>A4 48 00 00 52
<ACK
>28 00 4F
>80 04 aa bb cc dd : first 4 bytes of the serial number (address of the card group)
>83 01 ee : probably indicates which key encrypts C8_41 (normally the Provider ID)
>84 01 ff : probably indicates which key encrypts the C8_41 part (last part: 41)
>C8 41 [DATA] : encrypted data
<SW1SW2
The plausible structure of C8_41 is:
- CustWP Bitmap   : 2 tag-and-length bytes [DE 20] + 32 bytes CUSTWP
- Key             : 2 tag-and-length bytes [xx 10] + 16 bytes
- ProvID+KeyIndex : 2 tag-and-length bytes [83 01] + the ProvID+KeyIndex of the key the change concerns; possible values 88, 89, 8A, 8B and 8C, 8D, 8E, 8F
- Signature       : 2 tag-and-length bytes [DF 08] + signature
88 designates the basic provider, ProviderID 88 (KeyIndex 0).
8C designates the subsidiary provider, ProviderID 8C (KeyIndex 0).
These designations (88 and 8C) correspond to the files 1F88 and 1F8C in which the compound records are placed.
Meaning of the bits (??) of the ProviderID+KeyIndex tag [83 01]:
hex  76543210 bin
88 - 10001000
89 - 10001001
8A - 10001010
8B - 10001011
8C - 10001100
8D - 10001101
8E - 10001110
8F - 10001111
Bit 2 defines which of the 2 key arrays is used: the basic or the subsidiary one.
Bits 1 and 0 are the key index within the array.
Bits 7 to 3 are the designation of the provider the keys belong to..
At present the key pairs 88 and 8A, 89 and 8B, 8C and 8E, 8D and 8F are identical, i.e. executing instruction 4C with a DB_10 composed of zeros makes instruction C0 return the following data:
88, 8A - 16 23 C2 5A FA 1F 13 29
89, 8B - 80 C0 2F 2F 75 CA B1 F0
8C, 8E - CF E5 37 3C E8 70 DB 50
8D, 8F - E1 0B B0 71 93 4F 3A C1
After the provider's last action in the days 30.07-2.08, which consisted in switching instruction 4C from 88 to 89 [tag 83_01] and changing the key 89/8B for cards recognised as lost, such cards return values other than those above..
Instruction "4A" - (??) The instruction requires data to be supplied
Instruction "4C" - question about entitlement for a package:
Format:
>A4 4C 00 00 2E : rather constant length
<ACK
>00 00 2B : everything S.M.; here there is 00 00 instead of 28 00
>A1 L1 [DATA]
>A2 L2 [DATA]
>...
>An Ln [DATA]
>DF 08 [Signature]
<SW1SW2
Example:
>A4 4C 00 00 2E
<ACK
>00 00 2B
>83 01 aa : Provider ID + KeyIndex (e.g. C is Digiturk, 0 is Main, 4 is Spare)
>8C 03 bb cc cc : status + CHID
>8E 02 dd dd : current date
>C5 01 00 : (??)
>DB 10 [DATA] : encrypted key (session key) which, after decryption by instr. C0, serves to decrypt the picture data stream
>DF 08 [Signature]
<9F 1C : SW1SW2 is always 9F1C (1C = the number of bytes the following instruction C0 expects)
DB10 contains two 8-byte keys which instruction C0 decrypts independently: a change in the first 8 bytes does not cause a change in the next 8 bytes.
Instruction "58" - MEMORY DUMP (the instruction returns data):
The card accepts the following "58" instructions:
A4 58 00 00 1C - returns 1C (28 dec.) bytes of data (elements of the ATR can be found here)
A4 58 00 01 08 - returns 8 bytes of data.
On some cards LEN = 255 can be used:
A4 58 00 00 FF - then it returns FF bytes of data in which, among other things, the PIN, elements of the ATR and the structures describing the FILES on the card can be found; this is the result of the card's erroneous handling of the instruction.
Interpretation of the data of this (partial) EEPROM dump:
Address   - Meaning
10h       - fragment of the ATR; value 8F, which on cards with a changed ATR amounts to FF (the ATR's last bytes)
17h       - fragment of the ATR; value F1, which on cards with a changed ATR amounts to FF (the ATR's last bytes)
60h       - counter of PIN code 2
61h       - counter of PIN code 1
62h - 65h - PIN code 1
66h - 69h - PIN code 2
70h       - description of file 3F20 (8 or 9 bytes)
79h       - description of file 2F11 (8 or 9 bytes)
82h       - description of file 2F20 (8 or 9 bytes)
8Ah       - description of file 2F02 (8 or 9 bytes)
94h       - description of file 2F03 (8 or 9 bytes)
9Dh       - description of file 2F01 (8 or 9 bytes)
A6h       - description of file 1F88 (8 or 9 bytes)
AFh       - description of file 1F8C (8 or 9 bytes)
B8h       - description of file 0E11 (8 or 9 bytes)
C1h       - description of file 0E10 (8 or 9 bytes)
CAh       - description of file 0E20 (8 or 9 bytes)
D3h       - description of file 0E21 (8 or 9 bytes)
DCh       - description of file 0E31 (8 or 9 bytes)
E5h       - description of file 0E30 (8 or 9 bytes)
EEh       - description of file 0F00 (8 or 9 bytes)
F7h       - description of file 0F20 (8 or 9 bytes)
Instruction "C0" - GET RESPONSE (**)
Returns the answer to the question about entitlement for a package (after instruction 4C), or, after instruction A4, the information on the structure of the current FILE (without a preceding Ins 4C).
Format:
After instruction 4C:
>A4 C0 00 00 1C
<ACK
<DB 10 [DATA] ; key for decrypting the picture (session key). If the card has no entitlement (for the parameters given in 4C) it returns the same data as were supplied in instruction 4C; if it has the entitlement it returns the decrypted key..
<DF 08 [Signature] ; the signature depends on whether there is entitlement to receive:
                   entitled:     DF 08 70 00 00 80 00 00 00 00
                   not entitled: DF 08 70 01 00 00 00 00 00 00
<SW1SW2
As information on the structure of the current FILE:
(after the FILE was previously set with instruction A4)
>A4 C0 00 00 11
<ACK
<DF 0F [DATA]
<SW1SW2
Instruction "A2" - SEEK (**): change of position in a FILE (??)
After a FILE has previously been set with instruction A4, it sets the SEEK index (pointer) of the file for reading with instruction B2.
Format:
>A4 A2 P1 P2 01 ; P1,P2 - parameters of the instruction
<ACK
>ofs ; offset of the index (probably unconditional), 1 byte
<9F bb ; SW1 always 9F; bb is the number of bytes to read with instruction B2
Instruction "A4" - SELECT FILE (**): change of FILE
Sets the FILE (**); the card has a definite structure according to the ISO specification.
Format:
>A4 A4 00 00 02
<ACK
>aa aa ; FILE number
<SW1SW2 ; if the FILE was set correctly: 9F 11
FILES: see chapter 4, STRUCTURE
Instruction "B0" - READ BINARY (**): reading binary data (??)
The address of the record is set with instruction A4 (SELECT FILE)
Format:
>A4 B0 P1 P2 LEN ; P1,P2 - parameters of the instruction
<ACK
<DATA
<SW1SW2
Example:
>A4 A4 00 00 02
<A4
>2F 11
<9F 11
>A4 B0 00 00 02
<B0
<aa bb
<90 00
Instruction "B2" - READ RECORDS (**): reads a record
The address of the record is set with instructions A4 (SELECT FILE) and A2 (SEEK)
Format:
>A4 B2 P1 P2 LEN ; P1,P2 - parameters of the instruction
<ACK
<OFS LEN [DATA]
<SW1SW2
OFS: the offset within the file set with instruction A2. (The file must previously have been set with instruction A4; if no file was set directly before A2, then A2 and B2 concern the file set last.)

Some examples:
Example - reading the card SerialNumber (reading a single record):
>A4 A4 00 00 02         ; SELECT FILE
<A4                     ; ACK
>2F 01                  ; FILE
<9F 11                  ; FILE OK
>A4 A2 00 00 01         ; SEEK
<A2                     ; ACK
>80                     ; offset
<9F 07                  ; offset OK, LEN=07 (offset + len + 5 data bytes)
>A4 B2 00 00 07         ; READ RECORD
<B2                     ; ACK
<80 05 01 02 03 04 05   ; 80 - offset, 05 - length, 01 02 03 04 05 - serial number
<90 00                  ; OK
Example - reading the registrations with entitlements (reading many records):
>A4 A4 00 00 02
<A4
>1F 88
<9F 11
>A4 A4 00 00 02
<A4
>0F 20
<9F 11
>A4 A2 01 00 05
<A2
>8C 00 00 00 00
<9F 42
>A4 B2 00 00 42          ; reading of the first record
<B2
<83 01 xx                ; Provider ID + Key Index
<8C 03 ss ch ch          ; SS - status, CH CH - CHID
<D5 10 [DATA]            ; 12 bytes with the title of the package + 4 bytes version (e.g. 00...71)
<8D 04 [aa aa bb bb]     ; AA AA - begin date, BB BB - end date
<92 20 [DATA]            ; (??)
<90 00
>A4 B2 00 01 42          ; reading of the next record
<B2
<83 01 xx                ; Provider ID + Key Index
<8C 03 ss ch ch          ; SS - status, CH CH - CHID
<D5 10 [DATA]            ; 12 bytes with the title of the package + 4 bytes version (e.g. 00...71)
<8D 04 [aa aa bb bb]     ; AA AA - begin date, BB BB - end date
<92 20 [DATA]            ; (??)
<90 00
The instruction [A4 B2 00 01 42] is repeated until the card answers 94 02:
>A4 B2 00 01 42
<94 02
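An added example (not from the original FAQ) that parses one compound record as READ RECORD returns it above, walking the tag-length-value cells and decoding the ones the FAQ names; it reuses the 7-4-5 date rule from the instruction 42 section and the FAQ's bit split of the 83 01 key-index byte. Big-endian byte order, the tag names used as keys and the sample record itself (a constructed 0x42-byte record with a made-up package name) are my assumptions.

```python
# Added example, not from the FAQ: parse the tag-length-value cells of one compound
# entitlement record from 1F88_0F20 (83 01, 8C 03, D5 10, 8D 04, 92 20). Tag names are
# the FAQ's; the 7-4-5 date split is from the FAQ's 16A9 -> 2001-05-09 example; the
# key-index bit split (bits 7-3 provider, bit 2 array, bits 1-0 index) is the FAQ's
# reading of tag 83. Big-endian order inside cells is assumed.
TAG_NAMES = {0x80: "serial_number", 0x83: "provider_keyindex", 0x8C: "status_chid",
             0x8D: "date_range", 0x8F: "tag_8F", 0x91: "tag_91", 0x92: "channel_bitmap",
             0xD5: "package", 0xDF: "signature"}


def tlv_cells(record: bytes):
    """Yield (tag, value) pairs; a cell whose length runs past the record raises."""
    pos = 0
    while pos < len(record):
        if pos + 2 > len(record):
            raise ValueError(f"dangling tag byte {record[pos]:02X} at offset {pos}")
        tag, length = record[pos], record[pos + 1]
        value = record[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"cell {tag:02X} claims {length} bytes but only {len(value)} remain")
        yield tag, value
        pos += 2 + length


def cw_date(word: int) -> str:
    """7 bits year-1990, 4 bits month, 5 bits day, rendered as ISO text."""
    return f"{1990 + (word >> 9):04d}-{(word >> 5) & 0xF:02d}-{word & 0x1F:02d}"


def parse_entitlement(record: bytes) -> dict:
    """Decode the cells the FAQ names; unknown or oddly sized cells are kept as hex."""
    out = {}
    for tag, v in tlv_cells(record):
        name = TAG_NAMES.get(tag, f"tag_{tag:02X}")
        if tag == 0x83 and len(v) == 1:
            out[name] = {"raw": v[0], "provider": v[0] >> 3,
                         "array": (v[0] >> 2) & 1, "key_index": v[0] & 0x3}
        elif tag == 0x8C and len(v) == 3:
            out[name] = {"status": v[0], "chid": int.from_bytes(v[1:], "big")}
        elif tag == 0xD5 and len(v) == 16:
            out[name] = {"name": v[:12].rstrip(b"\x00").decode("latin-1"),
                         "version": v[12:].hex()}
        elif tag == 0x8D and len(v) == 4:
            out[name] = {"begin": cw_date(int.from_bytes(v[:2], "big")),
                         "end": cw_date(int.from_bytes(v[2:], "big"))}
        else:
            out[name] = v.hex()
    return out


# Constructed sample record, 0x42 bytes long like the FAQ's READ RECORD 42: provider 88,
# status 20 (the operator's normal status), CHID 002A, a made-up package name, version
# 00000071 as in the FAQ, validity 09.05.2001 - 09.06.2001, all-FF channel bitmap.
SAMPLE_RECORD = (bytes.fromhex("83 01 88")
                 + bytes.fromhex("8C 03 20 00 2A")
                 + bytes.fromhex("D5 10") + b"PACKAGE_TEST" + bytes.fromhex("00 00 00 71")
                 + bytes.fromhex("8D 04 16 A9 16 C9")
                 + bytes.fromhex("92 20") + b"\xff" * 32)
```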
Instruction "B8" - Read Serial Data (??)
Format: likewise as in B2
Example: reading serial data
>A4 A4 00 00 02
<A4
>3F 20
<9F 11
>A4 B8 00 00 0C
<B8
<DF 0A [DATA]
<90 00
>A4 B8 FF FF 0C
<B8
<DF 0A [DATA]
<90 00
The instruction [A4 B8 FF FF 0C] is repeated until the card answers 94 02.
4 - LOGICAL STRUCTURE OF THE CARD
FILES - they can be of different types, according to ISO.
The information on the structure of each FILE can be read with instruction C0.
FILES (**):
3F20                 - (MF) Master FILE
|_2F01               - (EF) (read with A2-B2)
| |_1F88             - (DF) Provider File 88 (read with instruction B2)
| | |_0F00           - (CF) Information on download subscriptions (read with instruction B2, compound record)
| | |_0F20           - (CF) Information on subscriptions for provider 88 (read with instruction B2, compound record)
| | |_0F40           - (CF)
| | |_0F60           - (CF)
| | |_0E10           - (CE)
| | |_0E11           - (CE)
| | |_0E10           - (CE)
| | |_0E20           - (CE)
| | |_0E21           - (CE)
| | |_0E30           - (CE)
| | |_0E31           - (CE)
| |_1F8C             - (DF) Provider File 8C (handling and contents as for 1F88)
|   |_0F00
|   |_0F20
|   |_0F40
|   |_0F60
|   |_0E10
|   |_0E11
|   |_0E10
|   |_0E20
|   |_0E21
|   |_0E30
|   |_0E31
|_2F02               - (EF)
|_2F03               - (EF)
|_2F11               - (EF) (BINARY DATA - read with instruction B0)
|_2F20               - (EF)
Contents of the records:
FILE 3F20
(set with A4, read with [A4 B8 P1 P2 0C], where P1P2 = 0000 for the first read and P1P2 = FFFF for the next ones, until the card answers SW1SW2 = 9402)
RECORD OF SYSTEM
DF 0A - information on the file structure of the card
FILE 3F20_2F01 (set A4-A2, read B2)
-----------------------------
RECORD OF SYSTEM
80 05 - serial number of the card
81 05
9E 40
9F 01 - Provider ID
C0 10 - string with the name of the provider
C3 05
C4 05
C5 01
D1 02 - identification of the provider (or provider group, e.g. both C0 and C4) (??)
D4 02
FILE 3F20_2F01_1F88
-----------------------------
FILE 3F20_2F01_1F88_0F00 (set A4, seek [A4 A2 01 00 03][A2][83 01 88], read [A4 B2 00 00 26])
Information on entitlements for download;
compound record:
83 01 - Provider ID
8C 03 - 1 byte status + 2 bytes CHID
D5 10 - 12 bytes package name + 4 bytes version
8D 04 - date range of the subscription
8F 01
91 01
FILE 3F20_2F01_1F88_0F20 (set A4-A2 (seek: [A4 A2 01 00 05] [A2] [8C 00 00 00 00]), read [A4 B2 P1 P2 42] until SW1SW2 = 9402)
Information on subscriptions for provider 88
compound record:
83 01 - Provider ID
8C 03 - 1 byte status + 2 bytes CHID
D5 10 - 12 bytes package name + 4 bytes version
8D 04 - date range of the subscription
92 20 - bitmap (??)
FILE 3F20_2F01_1F88_0F40 (set A4-A2)
FILE 3F20_2F01_1F88_0F60 (set A4-A2)
FILE 3F20_2F01_1F88_0E10 (set A4-A2, read B2)
RECORD OF SYSTEM
00 00
FILE 3F20_2F01_1F88_0E11 (set A4-A2, read B2)
RECORD OF SYSTEM
98 02
99 04
9A 04
9B 0C
9C 01
9D 02
9F 0D
D6 10 - string of the provider name
D9 04
FILE 3F20_2F01_1F88_0E20 (set A4-A2, read B2)
RECORD OF SYSTEM
00 07 07 00 24 00 39 00
FILE 3F20_2F01_1F88_0E21 (set A4-A2, read B2)
RECORD OF SYSTEM
00 07 07 00 24 00 3F 00
FILE 3F20_2F01_1F88_0E30 (set A4-A2, read B2)
RECORD OF SYSTEM
00 03 07 00 45 00
FILE 3F20_2F01_1F88_0E31 (set A4-A2, read B2)
RECORD OF SYSTEM
00 07 07 00 24 00 3F 00
FILE 3F20_2F01_1F8C
FILE 3F20_2F01_1F8C_0F00
FILE 3F20_2F01_1F8C_0F20 (information on subscriptions for provider 8C)
FILE 3F20_2F01_1F8C_0F40 (set A4-A2)
FILE 3F20_2F01_1F8C_0F60 (set A4-A2)
FILE 3F20_2F01_1F8C_0E10 (set A4-A2)
RECORD OF SYSTEM
00 00
FILE 3F20_2F01_1F8C_0E11 (set A4-A2, read B2)
RECORD OF SYSTEM
98 02
99 04
9A 04
9B 0C
9C 01
9D 02
9F 0D
D6 10 - string of the provider name
D9 04
FILE 3F20_2F01_1F8C_0E20 (set A4-A2, read B2)
RECORD OF SYSTEM
00 07 07 00 24 00 44 00
FILE 3F20_2F01_1F8C_0E21 (set A4-A2, read B2)
RECORD OF SYSTEM
00 07 07 00 24 00 35 00
FILE 3F20_2F01_1F8C_0E30 (set A4-A2, read B2)
RECORD OF SYSTEM
00 00 03 3A 07 00
FILE 3F20_2F01_1F8C_0E31 (set A4-A2, read B2)
RECORD OF SYSTEM
00 07 07 00 24 00 35 00
FILE 3F20_2F02
(An attempt to set the index with instruction A2 causes the answer SW1SW2 = 98 04 (erroneous PIN))
FILE 3F20_2F03 (set A4-A2, read B2)
RECORD OF SYSTEM
C0 01
FILE 3F20_2F11 (set A4-A2, read B2)
RECORD OF SYSTEM
07 (07)-(02) - record of variable length; each unsuccessful PIN verification shortens it. The first byte holds the counter of PIN entries that ended in error (counting "backwards"); after a correct verification the counter is at 7 attempts. The next 4 bytes hold the PIN (digits preceded by the digit 3).
FILE 3F20_2F20 (set A4-A2, read B2) - of variable file structure ?!?!?
RECORD OF SYSTEM
(15 9E) - a record describing the FILES that was on the card and is no longer there ?!?!
16 A5 - records on the card describing the FILES
5 - DECODE
Decoding of the picture is based on 2 instructions: instruction 4C, which asks about the entitlement for decoding a given package, and instruction C0, which tells whether the entitlement exists and returns the decrypted key for decoding the picture..
The key for decoding the picture is contained in the [DB 10] tag both of instruction 4C (encrypted) and of C0 (decrypted). If a record with the entitlement matching the parameters of instruction 4C is written on the card, instruction C0 returns the decrypted key in [DB 10] and signals the correct entitlement with the signature [DF 08]: "70 00 00 80 00 00 00 00".
If the card has no such registration, [DB 10] is returned unchanged, the same as in instruction 4C, but the signature signals the lack of entitlement: "70 01 00 00 00 00 00 00".
The key [DB 10] consists of two independent 8-byte parts: a change in the first 8 bytes does not cause a change in the next 8 bytes. The contents of [DB 10] depend neither on the date 8E_02 of instruction 4C nor on the package id included in 8C_03 of instruction 4C.
The key used for the calculation is defined by the keyindex in 83_01. Both halves of [DB 10] are encrypted in the same manner and with the same key.
Interestingly, every 8-byte block is used twice (with the exception of the first few 4C/C0 instructions right after a reset). It is simpler to show than to explain; look below:
4C:DB10:76A9CBDB69BC9DFF 112E7E1B01D0544A
C0:DB10:C5E9626A06A36A89 E27E0E887B2B561A
(2nd key is right: 112E....)
(2nd key is right: E27E.)
4C:DB10:D8C207F70A474B22 112E7E1B01D0544A
C0:DB10:A26A8312688FA586 E27E0E887B2B561A
(Twice is right this time.)
(Twice is right this time.)
4C:DB10:D8C207F70A474B22 A89E00525F6FDC92
C0:DB10:A26A8312688FA586 DE913C7463E5685B
(1st key is right: D8C2..)
(1st key is right: A26A..)
4C:DB10:393B904C0D67CA84 A89E00525F6FDC92
C0:DB10:0E5FA3B5DD9F813D DE913C7463E5685B
4C:DB10:393B904C0D67CA84 A48471283AD79E7E
C0:DB10:0E5FA3B5DD9F813D 57BC3EF6D58B777A
4C:DB10:632CF2C0448D561F A48471283AD79E7E
C0:DB10:BA16901BA77E9D4B 57BC3EF6D58B777A
4C:DB10:632CF2C0448D561F 543E229277B44075
C0:DB10:BA16901BA77E9D4B D77A93AE1BC8BB46
Written English version by SlayraCkEr. Sorry for mistakes. This is the public version's conversion...