Mobile SIMs & Bank IC Cards
Mobile phone SIM cards and most bank IC cards will output some useful information in response to an Answer To Reset command. The Bus Pirate can interact with these cards in Half-Duplex UART mode.
Mobile phone SIMs and bank IC cards are usually based on "Java Cards" that are specially programmed and have advanced cryptographic features to keep data secure. We're evaluating blank, programmable cards for future tutorials.
Connections
Common IC cards usually follow the ISO 7816-3 standard and have the same pinout and contact shape. Image source.
| Bus Pirate | 24C02 | Description |
|---|---|---|
| IO0/RXTX | C7 - I/O | Bidirectional half-duplex UART |
| IO1/PWM | C3 - CLK | Continuous clock signal from PWM |
| IO2 | C2 - RST | Reset signal |
| Vout | C1 - VCC | 3.3volt power supply |
| GND | C5 - GND | Ground |
Connect the Bus Pirate to the SIM as shown in the table above.
Smart IC Card and SIM card adapter
It's possible to gently solder wires on to each pad of the chip, but SIM and smart card sockets are useful if you don't want to destroy the card.
A smart IC card and SIM card adapter is available for Bus Pirate 5 with the correct connections already set. The adapter accepts most ISO 7816-3 smart cards and mini/micro/nano SIM cards.
Setup
Mode selection
1. HiZ
...
4. HDPLXUART
...
x. Exit
Mode > 4
UART speed
1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200 etc
x. Exit
Baud (115200*) > 9600
Data bits
5 to 8 bits
x. Exit
Bits (8*) >
Parity
1. None*
2. Even
3. Odd
x. Exit
Parity (1) > 2
Stop bits
1. 1*
2. 2
x. Exit
Bits (1) > 2
Mode: HDPLXUART
HDPLXUART>
Mobile SIM cards and bank IC cards use a half-duplex UART interface, data travels both directions on a single wire.
- Use the
mmode command and select HDPLXUART - Set the baud rate to 9600
- Set the data bits to 8
- Set the parity to Even
- Set the stop bits to 2
3.30V requested, closest value: 3.30V
Current limit:Disabled
Power supply:Enabled
Vreg output: 3.3V, Vref/Vout pin: 3.2V, Current: 3.4mA
HDPLXUART>
Most SIM cards will work fine at 3.3volts.
W 3.3- Enable the onboard power supply at 3.3 volts
Most SIM cards will be okay with 3.3 volts, but some cards may use 2.5 or 1.8 volts. If the SIM or card is valuable, consider starting at a lower voltage and check the power requirements coded in the ATR response.
Pull-up resistors: Enabled (10K ohms @ 3.3V)
HDPLXUART>
Half-duplex UART is an open collector output bus. The Bus Pirate and the SIM can only pull the line low to 0 (ground). A pull-up resistor is needed to pull the line high to 1 (5 volts). The Bus Pirate has built-in pull-up resistors that can be enabled with the P command.
P- Enable the onboard pull-up resistors.
Be sure to enable the pull-up resistors. The data line will never go high without them and you'll read only 0s.
Setup Clock
A continuous clock signal applied to C3/CLK drives the SIM's microcontroller. After processing commands, the SIM responds on the UART asynchronously at a baud rate determined by the clock frequency.
baud * 372 = clock frequency
372 clock ticks are needed for each bit at the selected baud rate.
9600 baud * 372 = 3.5712MHz
At 9600 baud the clock frequency should be 9600 * 372 =3.5712MHz.
Generate frequency
Choose available pin:
1. IO1
...
7. IO7
x. Exit
> 1
Period or frequency (ns, us, ms, Hz, kHz or Mhz) > 3.5712mhz
Frequency: 3.571MHz = 3571200Hz (3.57MHz)
Period: 280ns (280.02ns)
Actual frequency: 3571428Hz (3.57MHz)
Actual period: 280ns (280.00ns)
Duty cycle (%) > 50%
Duty cycle: 50.00% = 140ns (140.00ns)
Actual duty cycle: 148ns (148.24ns)
Divider: 16, Period: 34, Duty: 18
Generate frequency: Enabled on IO1
HDPLXUART>
The Bus Pirate PWM can generate a clock frequency on the IO1/CLK pin.
G- Start a frequency generator- 1 - Select IO1/CLK pin
- 3.5712mhz - Set the output frequency
- 50% - Set the duty cycle
Don't forget to type the units (Hz, kHz, MHz) when setting the frequency, and % when setting the duty cycle.
Answer To Reset
SIM and bank IC cards use the asynchronous ATR standard. This is different than the synchronous ATR standard used by the SLE4442 smart card.
Open UART
UART OPEN (ASYNC READ)
HDPLXUART>
First, ensure the UART is open and printing data values as they arrive.
[- open UART for async data
Send ATR and get response
IO2 set to OUTPUT: 0
IO2 set to INPUT: 1
HDPLXUART> 0x3b 0x9f 0x95 0x80 0x1f 0xc7 0x80 0x31 0xe0 0x73 0xfe 0x21 0x13 0x67 0x22 0x28 0x00 0x40 0x01 0x00 0x01 0x91
To perform the ATR command, pull the RESET pin low and then release it high.
a 2- pull the reset pin low@ 2- make the reset pin input, allow the pull-up resistor to hold it high
The ATR reset (marker 0) is followed by the ATR response beginning at marker 1. The clock signal is continuous, at 372 clock cycles to send each bit it becomes sold orange.
0x3b 0x9f 0x95 0x80 0x1f 0xc7 0x80 0x31 0xe0 0x73 0xfe 0x21 0x13 0x67 0x22 0x28 0x00 0x40 0x01 0x00 0x01 0x91
The ATR response generally starts with 0x3b.
Decode ATR
Answer To Reset (ATR) is a standard response from a smart card or IC card. It can be decoded with this handy database:
Decoding the ATR gives us several interesting pieces of info about this SIM:
- TS=0x3B - Direct Convention, normal SIM ATR response
- fMax=5MHz - maximum clock frequency is 5MHz
- Class=A 5V B 3V C 1.8V - the card can operate at 5 volts, 3 volts, or 1.8 volts
Based on a database of ATR responses, the website suggests this is a Lyca Mobile SIM from Austria. That's close enough, it's a free Dutch Lyca Mobile SIM from Amsterdam China Town.
Hong Kong IMC SIM
IO2 set to OUTPUT: 0
IO2 set to INPUT: 1
HDPLXUART>0x3b 0x9e 0x96 0x80 0x1f 0xc7 0x80 0x31 0xe0 0x73 0xfe 0x21 0x1b 0x66 0xd0 0x01 0xa1 0xb8 0x10 0x00 0x08
A cheap 4G travel SIM from IMG in Hong Kong.
Hong Kong ValueGB SIM
IO2 set to OUTPUT: 0
IO2 set to INPUT: 1
HDPLXUART>0x3b 0x9e 0x95 0x80 0x1f 0xc7 0x80 0x31 0xe0 0x73 0xfe 0x21 0x1b 0x66 0xd0 0x02 0x24 0x7b 0x14 0x00 0x4a
A cheap 4G travel SIM from ValueGB in Hong Kong.
EU Master Card
IO2 set to OUTPUT: 0
IO2 set to INPUT: 1
HDPLXUART>0x3b 0x6e 0x00 0x00 0x80 0x31 0x80 0x66 0xb0 0x84 0x0c 0x01 0x6e 0x01 0x83 0x00 0x90 0x00
Bank card chips respond to the same ATR as mobile SIM cards. This is a Master Card from an EU bank.
US Visa Card
IO2 set to OUTPUT: 0
IO2 set to INPUT: 1
HDPLXUART>0x3b 0x6f 0x00 0x00 0x80 0x31 0xe0 0x6b 0x08 0x24 0x05 0x02 0xb5 0x55 0x55 0x55 0x55 0x55 0x55
A Visa debit card from a US transit system.
Hong Kong Union Pay Card
IO2 set to OUTPUT: 0
IO2 set to INPUT: 1
HDPLXUART>0x3b 0x6b 0x00 0x00 0x00 0x31 0xc0 0x64 0x08 0x04 0x61 0x76 0x07 0x90 0x00
Hong Kong Union Pay debit card.
Blank Java Cards
We're secured a few different "blank" and diagnostic Java cards for further tests. You can find something similar on your favorite China export website. Stay tuned.
Accessing SIM Data
Information, such as a phone book and recent calls, may be stored on mobile SIMs. It appears to be stored in a basic file system. This university thesis has a straight forward and thorough explanation.
A utility like pySim can be used with the Bus Pirate to navigate the contents of a mobile SIM.