|
IC电话卡彻底解密(2)
--------------------------------------------------------------------------------
声明:本资料仅从技术的角度全面探讨IC卡、IC电话卡及其安全性,由此引发的各种争议或个人、集体利用本资料做任何不正当用途本人概不负责。
--------------------------------------------------------------------------------
Ⅲ)电气参数:
+--------+------+------+------+
| Symbol | Min | Max | Unit |
+----------------------+--------+------+------+------+
| Supply voltage | Vcc | -0.3 | 6 | V | 电源电压
+----------------------+--------+------+------+------+
| Input voltage | Vss | -0.3 | 6 | V | 输入电压
+----------------------+--------+------+------+------+
| Storage temperature | Tstg | -20 | +55 | | 储存温度
+----------------------+--------+------+------+------+
| Power dissipassion | Pd | - | 50 | mW | 功率
+----------------------+--------+------+------+------+
直流参数:
+--------+-----+-----+-----+------+
| Symbol | Min.| Typ.| Max.| Unit |
+---------------------------+--------+-----+-----+-----+------+
| Suplly current | Icc | - | - | 5 | mA | 电源电流
+---------------------------+--------+-----+-----+-----+------+
| Input Voltage (low) | Vl | 0 | - | 0.8 | V | 输入电压(低)
+---------------------------+--------+-----+-----+-----+------+
| Input voltage (high) | Vh | 3.5 | - | Vcc | V | 输入电压(高)
+---------------------------+--------+-----+-----+-----+------+
| Input current R | Ih | - | - | 100 | uA | 输入电流(复位)
+---------------------------+--------+-----+-----+-----+------+
| Input current Clk | Il | - | - | 100 | uA | 输入电流(时钟)
+---------------------------+--------+-----+-----+-----+------+
| Output current (Low) | Iol | - | - | 10 | uA | 输出电流(低电平)
+---------------------------+--------+-----+-----+-----+------+
| Output current (High) | Ioh | - | - | 0.5 | mA | 输出电流(高电平)
+---------------------------+--------+-----+-----+-----+------+
动态参数:
+--------+------+------+------+
| Symbol | Min. | Max. | Unit |
+----------------------+--------+------+------+------+
| Pulse duration | tr | 50 | - | us |
| R address reset | | | | | 复位时复位脉冲持续时间
+----------------------+--------+------+------+------+
| Pulse duration | ts | 10 | - | us |
| R write | | | | | 写位时复位脉冲持续时间
+----------------------+--------+------+------+------+
| High level Clk | th | 8 | - | us | 时钟高电位时间
+----------------------+--------+------+------+------+
| Low level Clk | tl | 12 | - | us | 时钟低电位时间
+----------------------+--------+------+------+------+
| Write window | Twrite | 10 | - | ms | 写位时间
+----------------------+--------+------+------+------+
| Erase window | Terase | 10 | - | ms | 擦除时间
+----------------------+--------+------+------+------+
| | tv1 | 5 | - | us |
+----------------------+--------+------+------+------+
| | tv2 | 3.5 | - | us |
+----------------------+--------+------+------+------+
| | tv3 | 3.5 | - | us |
+----------------------+--------+------+------+------+
| | tv4 | 3.5 | - | us |
+----------------------+--------+------+------+------+
| | tv5 | 3.5 | - | us |
+----------------------+--------+------+------+------+
| | tv6 | 5 | - | us |
+----------------------+--------+------+------+------+
| | tv7 | 5 | - | us |
+----------------------+--------+------+------+------+
| | tv8 | 10 | - | us |
+----------------------+--------+------+------+------+
Ⅳ)读卡器电路图:
简易读卡器电路图(利用电脑打印口,可读一类、二类卡)
外接5V (可选)
5V o------,
| / T2 PNP d13 r7 10
0V o--, | / BC 177 |\ | _____
| | ,-------o/ o--*------. E C .--| >+-[_____]--------,
__+__ | | | \ / |/ | |
\\\\\ | __|__ Batery | \ / |
| - 22.5V | --------- |
....... | | | _____ | _____ |
: | __+__ +--[_____]--*--[_____]--, |
D2 : | \\\\\ r6 150k r5 15k | |
4 o-------|---------------------------*------------------|-------------, |
: | | r3 220k / C | |
Ack : | | _____ |/ T1 - NPN | |
10 o------|--------. '--[_____]-*---| BC107 | |
: | | _____ | |\ | |
: ,-, ,-, +--[_____]-' \ E | |
: | |r2 | |r1 | r4 390k | | |
: | |220 | |22k __+__ __+__ | |
: |_| |_| \\\\\ \\\\\ | |
: | |\ | | | |
: *--| >+--|----------------*----------------------------------|--*
: | |/ | | ,-----|-----------------------------, | |
: | d1 | | | ,----------,----------, | | |
: | | | *---|--* Fuse | Reset *--|---' | |
: | | | | |----------|----------| | |
D0 : | | | ,-|---|--* I/O | Clk *--|---, | |
2 o-------|--------|----------' | | |----------|----------| | | |
: | | | '---|--* Vpp | R/W *--|---|----' |
Busy : | | | |----------|----------| | |
11 o------|--------|--------------' ,---|--* Gnd | 5V * | | |
: | | | '----------'-------|--' | |
D1 : | | __+__ Chip connector | | |
3 o-------|--------|--------, \\\\\ | | |
: | | '------------------------------|------' |
Str : | |\ | | | |
1 o-------*--| >+--*----*----*----*----*-------------------' |
: d2|/ | |d3 |d4 |d5 |d6 |d7 |
: -+- -+- -+- -+- -+- |
: /_\ /_\ /_\ /_\ /_\ |
D3 : | | | | | |\ | d8 |
5 o----------------*----|----|----|----|---| >+-------*-------------------'
: | | | | |/ | |
: | | | | |
D4 : | | | | |\ | d9 |
6 o---------------------*----|----|----|---| >+-------*
: | | | |/ | |
: | | | |
D5 : | | | |\ | d10 |
7 o--------------------------*----|----|---| >+-------*
: | | |/ | |
: | | |
D6 : | | |\ | d11 |
8 o-------------------------------*----|---| >+-------*
: | |/ | |
: | |
D7 : | |\ | d12 |
9 o------------------------------------*---| >+-------'
: |/ |
:
:
25 o------.
: |
.......: | d1 to d13: 1N4148
__+__
\\\\\
Ⅴ)读卡程序:
下面程序为与简易读卡器相配套二类卡读卡源程序(如需一类卡源程序或需C源程序或其可执行程序请与作者联系)
USES crt,dos;
CONST port_address=$378; { lpr1 chosen }
TYPE string8=string[8];
string2=string[2];
VAR reg : registers;
i,j : integer;
Data : array[1..32] of byte;
car : char;
byte_number : integer;
displaying : char;
{-----------------------------------------------------------------------------}
PROCEDURE Send(b:byte);
BEGIN port[port_address]:=b;
END;
{-----------------------------------------------------------------------------}
FUNCTION Get:byte;
BEGIN get:=port[port_address+1];
END;
{-----------------------------------------------------------------------------}
{ FUNCTION dec2hexa_one(decimal_value):hexa_character_representation; }
{ }
{ - convert a 4 bit long decimal number to hexadecimal. }
{-----------------------------------------------------------------------------}
FUNCTION dec2hexa_one(value:byte):char;
BEGIN case value of
0..9 : dec2hexa_one:=chr(value+$30);
10..15 : dec2hexa_one:=chr(value+$37);
END;
END;
{-----------------------------------------------------------------------------}
{ FUNCTION d2h(decimal_byte):string2; }
{ }
{ - convert a decimal byte to its hexadecimal representation. }
{-----------------------------------------------------------------------------}
FUNCTION d2h(value:byte):string2;
VAR msbb,lsbb:byte;
BEGIN msbb:=0;
if ( value >= $80 ) then
BEGIN msbb:=msbb+8;
value:=value-$80;
END;
if ( value >= $40 ) then
BEGIN msbb:=msbb+4;
value:=value-$40;
END;
if ( value >= $20 ) then
BEGIN msbb:=msbb+2;
value:=value-$20;
END;
if ( value >= $10 ) then
BEGIN msbb:=msbb+1;
value:=value-$10;
END;
lsbb:=0;
if ( value >= $08 ) then
BEGIN lsbb:=lsbb+8;
value:=value-$08;
END;
if ( value >= $04 ) then
BEGIN lsbb:=lsbb+4;
value:=value-$04;
END;
if ( value >= $02 ) then
BEGIN lsbb:=lsbb+2;
value:=value-$02;
END;
if ( value >= $01 ) then
BEGIN lsbb:=lsbb+1;
value:=value-$01;
END;
d2h := dec2hexa_one(msbb) + dec2hexa_one(lsbb);
END;
{-----------------------------------------------------------------------------}
Function Binary( b : byte):string8;
var weigth : byte;
s : string8;
BEGIN weigth:=$80;
s:='';
while (weigth > 0) do
BEGIN if ((b and weigth) = weigth) then s:=s+'1'
else s:=s+'0';
weigth:=weigth div $02;
END;
Binary:=s;
END;
{-----------------------------------------------------------------------------}
FUNCTION Units:byte;
VAR u, i : integer;
s : string8;
BEGIN u:=0;
i:=13;
while (Data[i] = $FF) do
BEGIN u:=u+8;
i:=i+1;
END;
s:=Binary(Data[i]);
while(s[1]='1') do
BEGIN inc(u);
s:=copy(s,2,length(s));
END;
units:=u;
END;
{-----------------------------------------------------------------------------}
function Units_2:LongInt;
BEGIN Units_2:=4096*Data[9]+512*Data[10]+64*Data[11]+8*Data[12]+Data[13];
END;
{-----------------------------------------------------------------------------}
PROCEDURE Card_Type;
BEGIN case Data[2] of
$03: BEGIN write('Telecard - France - ');
case Data[12] of
$13: write('120 Units - ',units-130,' Units left');
$06: write('50 Units - ',units-60,' Units left');
$15: write('40 Units - ',units-40,' Units left');
END;
END;
$2F:BEGIN write('Telecard - Germany - ', Units_2, ' Units left');
END;
$3B:BEGIN write('Telecard - Greece - ', Units_2, ' Units left');
END;
$83:BEGIN write('Telecard');
case Data[12] of
$1E: write(' - Sweden');
$30: write(' - Norway');
$33: write(' - Andorra');
$3C: write(' - Ireland');
$47: write(' - Portugal');
$55: write(' - Czech Republic');
$5F: write(' - Gabon');
$65: write(' - Finland');
END;
if (Data[12] in [$30,$33,$3C,$47,$55,$65]) then
BEGIN case ((Data[3] and $0F)*$100+Data[4]) of
$012: write (' - 10 Units - ',units-12,' Units left');
$024: write (' - 22 Units - ',units-24,' Units left');
$027: write (' - 25 Units - ',units-27,' Units left');
$032: write (' - 30 Units - ',units-32,' Units left');
$052: write (' - 50 Units - ',units-52,' Units left');
$067: write (' - 65 Units - ',units-62,' Units left');
$070: write (' - 70 Units - ',units-70,' Units left');
$102: write (' - 100 Units - ',units-102,' Units left');
$152: write (' - 150 Units - ',units-152,' Units left');
END;
END;
{ write(' - N?',Data[5]*$100+Data[6]);}
END;
END;
END;
{-----------------------------------------------------------------------------}
PROCEDURE waiting;
BEGIN send($00);
write('Enter a card in the reader and press a key ...');
repeat until keypressed;
gotoxy(1, wherey);
clreol;
END;
{-----------------------------------------------------------------------------}
PROCEDURE Full_Displaying;
BEGIN writeln('Memory dump:');
for i:=1 to 80 do write('-');
for i:=1 to (byte_number div 6 + 1) do
BEGIN for j:=1 to 6 do
BEGIN if j+6*(i-1) <= byte_number then write(binary(Data[j+6*(i-1)]):9);
END;
gotoxy(60,wherey);
for j:=1 to 6 do
if j+6*(i-1) <= byte_number then write(d2h(Data[j+6*(i-1)]),' ');
writeln;
END;
for i:=1 to 80 do write('-');
Card_Type;
writeln;
END;
{-----------------------------------------------------------------------------}
PROCEDURE Short_Displaying;
VAR j : integer;
BEGIN for j:=1 to byte_number do
BEGIN write(d2h(Data[j]),' ');
END;
writeln;
END;
{-----------------------------------------------------------------------------}
PROCEDURE Reading;
VAR i, j : integer;
Value : byte;
BEGIN send($FE);
send($F8);
for i:=1 to 32 do
BEGIN Value:=0;
for j:=1 to 8 do
BEGIN Value:=Value*$02 + ((get and $08) div $08);
send($FB);
delay(1);
send($F8);
END;
Data[i]:=Value;
END;
case displaying of
'F':full_displaying;
'S':short_displaying;
END;
END;
{-----------------------------------------------------------------------------}
PROCEDURE writting;
VAR i,n:integer;
car:char;
BEGIN write('Which bit do you want to set to "1" : ');
readln(n);
waiting;
car:=readkey;
send($FA);
send($F8);
for i:=1 to n do
BEGIN send($F9);
if i=n then
BEGIN send($FD);
delay(20);
send($FF);
delay(20);
END;
send($FB);
END;
reading;
END;
{-----------------------------------------------------------------------------}
PROCEDURE Saving;
VAR filename : string;
f : text;
i : word;
BEGIN write('Enter the filename: ');
readln(filename);
assign(f, filename);
rewrite(f);
for i:=1 to byte_number do write(f,d2h(Data[i]),' ');
close(f);
END;
{-----------------------------------------------------------------------------}
PROCEDURE initialize;
VAR i : integer;
BEGIN byte_number:=32;
displaying:='F';
clrscr;
writeln(' 1 - to dump a 256 bits card');
writeln(' 2 - to dump a 128 bits card');
writeln(' F - to display in full format');
window(41,1,80,25);
writeln(' S - to display in short format');
writeln(' F2 - to save in a file');
writeln(' Q - to exit the program');
window(1,4,80,25);
for i:=1 to 80 do write('=');
window(1,5,80,25);
END;
{=============================================================================}
BEGIN initialize;
repeat waiting;
car:=upcase(readkey);
case car of
'W':writting;
'Q':;
'1':byte_number:=32;
'2':byte_number:=16;
'F','S':displaying:=car;
#00: BEGIN car:=readkey;
if car=#60 then saving;
END;
else reading;
END;
until car='Q';
END.
Ⅵ)探测漏洞:
在了解其工作原理后就知道这一套系统是很不安全的,真是很容易被HACK。你完全可以用单片机模拟其逻辑来仿真它,适当配合软件技巧要做到循环无限次使用就很简单了。这些仿真卡在瑞典、西班牙、法国等国家早已出现。如果你懂初步的电脑软件知识,懂一点单片机的硬软件知识再加上一点点灵感,利用前面介绍的技术资料就足够了。对于第一类卡首先你必须从现行你想仿真国家的可用卡读得数据前8字节数据,这是你仿真时必须知道的,后5个字节你从卡面值按8进制即可推算出每一字节值,最后3字节为全1不必关心,对于二类卡你必须从现行你想仿真国家的可用卡中读得前12字节数据。可选用的单片机型号很多,选择原则:高速度、小巧、带EEPROM。
Ⅶ)程序仿真
下面推荐给大家网上流传很盛的英文原版资料,在其中提供了完整仿真二类卡的单片机程序及详细注释,不过可能是作者有意,其中有很多BUG,有待你去思考修正。不管怎样,它还是很有参考价值的。至于第一类卡的仿真程序在其加密的文档中,没有人见过其庐山真面目,不过即使你能解密它,或许其中又还有许多BUG,因此最好你自己动脑解决了。
| 
《匠人手记》推荐网上购书渠道: 
匠人学习:对PIC芯片ROM中的程序地址精确定位
