מבוא לכרטיסים חכמים וצריבה (Gold Cards / Wafer Cards / Mosc)

[איש המציאות]

Introduction To Gold Cards / Wafer Cards / Modified Smart Cards (MOSC) Including Programming And Logging / Emulation



All information contained in this guide is for educational purposes only. It should in no way be used for illegal purposes. The author has no responsibility over the use of the information contained in this document.



What is a Gold Card / Wafer Card / Modified Smart Card?

How does it work?

How do I use it?

How do I program it?

How do I log data destined for a card?



The main purpose of this document is to introduce and explain

the way cards work with Satellite TV.

The assumption in this guide is that you have a working satellite installation

(dish, box, card etc)

and are interested in how it all works.





What is a Smart Card?



A Smart Card is a microprocessor based electronic storage device. These come in many forms such as SIM cards in mobile phones and decoder cards in Pay TV systems. They come in different shapes and sizes and vary in their functionality. They contain code to store and retrieve information specific to their use

i.e. A phone SIM card will have the customer’s phone number stored on it and any other information needed by the handset for operation.

The basics of these cards are a storage chip (such as EEPROM) and a microprocessor (such as a PIC chip).





What is a Modified Smart Card / Wafer Card?



A Modified Smart Card / Gold Card / Wafer Card, as they are known, is (as the name suggests) a modified version of a Set Top / Decoder card commonly found in systems such as satellite and cable television.

These cards come in a number of different varieties, the most common being a PCB version (Wafer) and a Gold Card version.

The Gold Card version is primarily a blank copy of the cards used for Satellite and Cable Pay TV. They look the same as normal Smart Cards without the fancy graphics but contain no information.

The Wafer card version is a Printed Circuit Board version of the Smart Card utilising external semiconductor components (chips) that are soldered to the board.

The most common version of these cards contains a PIC (microprocessor) chip and an EEPROM (memory) chip.

A Modified Original Smart Card is an ambiguous term, and can have a couple of meanings depending on the interpreter. Some people call these cards Gold Cards also, but it depends on the individual interpretation. So for the purpose of this document, I will refer to a MOSC as an original Smart Card with added features such as Channel ID’s and Provider ID’s. Occasionally a MOSC refers to a dead original Smart Card that has been made active again. I will refer to this type of card as Re-animated Smart Card.



What is a logger / emulator?



A logger / emulator is used in place of a Smart Card, or alternately with a Smart Card, to intercept / emulate the information on the card. An emulator is essentially taking the place of the Smart Card and uses PC software to emulate a Smart Card. A logger is normally used in conjunction with a Smart Card and intercepts the updates destined for the card via PC software also. Most loggers / emulators come in the form of a modified Wafer card with a serial cable that connects to a PC which in turn has associated Software used to perform the necessary functions.







What is a Smart Card Reader / Writer?



A Smart Card Reader / Writer is a device that can talk to a Smart card via PC software to interrogate the contents of the card. These devices can come in the form of a reader only (early versions) or a combined reader writer with the later being the most popular. There are devices available that also have other functions included, with the most common extra feature being a PIC programmer.





What is a PIC Programmer?



A PIC programmer is just as the name suggests, a device used to program the PIC series of chips. There are many versions of these programmers available as the PIC is a widely used chip in industry. This means there is also a wide variety of programming software available also. These devices are essentially all the same in the functions they perform with the different types of software being the major difference. (See picture above)



How Does A Smart Card / MOSC / Gold Card / Wafer Work?



The main function of a Smart Card, wether it be a Wafer or Gold Card, is to hold information and update information relating to the incoming signal from the satellite dish for the purpose of decoding picture signals. Lets break it down a little further. The decoder box receives a signal from the dish, which is then in turn passed to a CAM (Conditional Access Module) and the Smart Card.

The CAM is used to talk to the Smart Card via a Smart Card Slot usually located in the front of a decoder box. The CAM exchanges information with the Smart Card and therefore decodes the incoming signal allowing pictures to be displayed.



The incoming signal consists of a number of different important information – these primarily are the following



1. The scrambled picture information (Consisting of the actual picture and program information)

2. ECM (Entitlement Control Messages) and EMM (Entitlement Management Messages)



The ECM and EMM contain the data needed by the CAM to decode the scrambled picture information.



EMM messages are used to update the data contained on the smart card such as



1. Date

2. Provider ID

3. Country Code

4. PMK / MK



ECM messages are used to provide a valid key to allow decryption (unscrambling) of the picture.



More information on how EMM and ECM work is provided in a document called ActivateV11 and therefore I will not go into great detail about these messages.



The Smart Card talks to the CAM in a similar way a PC works. The Smart Card is essentially a processor with and operating system (OS) and memory. As we said earlier, most cards are based around a PIC / EEPROM combination. The PIC therefore in this case contains the OS and the EEPROM the stored data. So the PIC needs to have code programmed into it to be able to talk to the EEPROM. In a “normal” Smart Card this operating code is supplied pre loaded as well as the basic information for operation of the card. The card / CAM combination then receives and processes the incoming information.



In Gold Cards and Wafers this code (OS) needs to be programmed into the PIC manually so we can then load the information into the EEPROM.



This is where things start to get interesting. Many more questions start to arise such as



What code needs to be programmed into the PIC?

What information goes into the EEPROM?



We will get to this a little later - see Programming a PIC chip. For the moment we are going to provide a little detail to what we need and are looking for from a Smart Card and how to get this. We can’t just go programming a Gold Card / Wafer when we don’t know what to program into it.





Reading / Writing to a Smart Card



To read a Smart Card you need, you guess it, a Smart Card Reader and a Smart Card of some type. As said before, most designs now consist of a reader / writer combination. You then need some software to talk to the reader / writer. I have found that most combinations are essentially the same with some having more functions than others or, in some cases less. It comes down to what you want and what you can afford or have the desire to build.







My personal preferences and recommendation for this purpose are the following combination



1. Clanzers build 5 programmer (http://www.wedzboyz.co.uk/wedzboyz/build5.htm)

2. FMCard / Card Hunter / Beta 6 win95/98/2000 software packages



The reason I use the above combination is that is simplifies the design and software needed. The Clanzer programmer actually performs 3 functions in one – it is a Smart Card reader / writer and doubles as a PIC programmer all on the one board.

FMCard (provided by FatMate) is an excellent program that has the ability to read and write to almost all versions of Smart Cards available. It is in English and extremely well presented.

Card Hunter is a very simple reader and writer. Its primary function is to load the relevant data into a Gold Card / Wafer / MOSC. It in no means provides the functionality of FMCard but it is a very useful program for its purpose.

Beta 6 software is used to program a PIC chip with the Clanzer programmer – we will discuss this later.



Once you have chosen a combination to your liking you can start playing around. A couple of things to remember are place the card in the Smart Cards slot before powering the device – you can sometimes kill cards whilst having things powered and have the software running not connected. This doesn’t happen often, but can happen. Once you have all in place you can connect to the card to receive the basic information on the card. Most software has a button labelled “connect” which sends a reset to the card, and the card responds with (ATR) valid data. This data is displayed in the information boxes when successful. If not having success check the COMM port settings in the program of choice. Reader / writer boards can have up to 2 crystal frequencies on them which relate to the speed of communications. 6Mhz crystals use 9600 baud and 3.57Mhz crystals use 5720 baud. Make sure you have the correct crystal frequency selected.



most programs have a combination of these fields





ATR

Card Type / Version

Hex Serial

Ascii Serial

Country Code

Provider ID

Date



You will notice that there are 2 Provider ID fields and 2 date fields. There are also a third set available on some cards but only a few programs support them.



Lets run through the fields and what they mean:



Note: Returned data in fields are mostly in Hex characters. They can also be ASCII.



ATR – This is the response sent from the card after a reset



Card Type– This tells you what version of software is loaded on the card i.e. version 1.2



Hex Serial – This returns the cards serial number in Hex



ASCII Serial – This is the serial number in an ASCII character string



Country Code – This is the 3-digit country code eg. CCA



Provider ID– This is the 3-byte code uniquely identifying the service provider. There are normally 2 provider slots in each card. These are designated Provider 00 (1) and Provider 10 (2).



Date– This is a 2-byte code that changes daily indicating the date stamp



Reading and writing to a card takes place using a series of commands called CRD’s. A CRD is a Hex string with a specific purpose, it is essentially a simulated EMM to the card. Again Activatev11 details these commands in great depth so we will touch only on the basics, so use Activev11 for referral. Most software packages use this format to read and write to the card. You can setup a macro (multiple commands) of these commands in a file (text based) with an extension of .CRD to execute multiple commands in the one run. This saves the inconvenience of doing them one command at a time.



Creating Gold Cards / Wafer Cards



To talk to a Gold Card / Wafer card we first need to program the so called OS into the PIC chip to allow any commands to be processed. This code for the PIC comes in many flavours



. The programming of this OS into the PIC is covered in the section on PIC Programming, so for this next section I will assume you have a Gold Card / Wafer with working code programmed in it. Once you have a working card, you need to add the basic details of what an original Smart Card has into it to make it work. There are a number of pre-written CRD files that have all the commands needed to load a fresh card from scratch, as well as CRD files that modify certain details only. All you need to do is place your details into the sections within the file (using a text editor), and load the CRD. These CRD’s are well commented and tell you how to enter the information correctly. Don’t forget to take out the comment separators before the commands you want to execute. The comment separators are the “//” at the start of a line.



Now comes the big question. What details are needed and how do I get them?

The following details are required to be entered into a Gold Card / Wafer before it can be expected to work like it should. A Gold Card / Wafer is in every sense a modified / hacked version of an original Smart Card. The code loaded into the PIC will respond and appear to read like normal Smart Cards but that is almost the end of the similarity. They respond to only the commands a box could be expected to deliver during the normal decryption cycle and card updates. You need to have the following information to enter into the CRD file to get the card to work correctly.



1. Hex Master Key (HMK)

2. Hex Serial

3. Plain Master Key (PMK)

4. Provider ID

5. Plain Keys (PK)

6. Country Code



Now this is where the hard part comes in. The above information needed is not just handed to us on a plate, it requires a little work to obtain. There are various methods of obtaining this data but I will discuss the easiest way. No one is going to hand out this information to you and people will get offended if you ask for it



So like I said in the beginning, I am assuming you have a paid working service and are using your own card.



The Hex Serial, Provider ID and Country Code can all be obtained just by reading from an original Smart Card. This information is provided by most card reader software on the main screen. This is the easy part. Just read off the relevant boxes, and write it down somewhere.

To obtain the Hex Master Key, PMK and Plain Keys, you need to do a little work. Some of this information may not be able to be obtained. If so, you are out of luck unless someone has done some work for you and somehow logged the data. There are people out there logging information all the time and most likely would have this information. I recommend doing your own work and not relying on others. See the section on Logging to know how to do this.

The HMK is stored in a memory location on the card. This is a 10 byte number. Programs such as FMCard have the facility to try to get this information off the card. Some times the HMK cannot be read correctly and the program will try to fill in the unknown bytes by running an algorithm to work out the unknowns. This is not a guaranteed procedure that works, but most of the time it is successful. If you cannot read the HMK you need to try and log it using a full logging program, which is the harder and not often used method.

The PMK and PK are similar to the HMK in the fact they can be read from the card. This is a hit / miss approach, but if your successful a good thing. But the danger in doing this is that there is a good chance of destroying the card. More than likely you will be able to only get one or the other. This is where again you need to log the data. There are programs that log all the data and some that require the HMK, Provider ID, and Hex Serial. This is covered in detail in the Logging section so I will only touch on it here. The more information you can get of the original card the better. Otherwise you will be sifting through logs searching for the correct information. You may also be logging for a while before you get this information.

The PMK and PK are needed to allow the picture to be decrypted (unscrambled). Programs such as Wallbanger can log data exclusively sent to that card, but requires you have a valid HMK, Provider ID and Hex Serial. To get the PMK / PK’s using Wallbanger, you need to log a box hit sent to the card. This is in effect, a card enable. I will leave this up to your imagination on how to get this card hit done. Once the hit is intercepted, Wallbanger will update the necessary fields and viola – you have your required data. See Using Loggers / Emulators for more information.



Programming a PIC chip



To program a PIC chip there are a couple of methods available. You can build / buy an exclusive PIC programmer or you can build / buy a through card programmer.

I am not going to discuss the building of these programmers, just the basics on how they work as you can buy ready made PIC programmers.



To program the PIC you need to have code to program into it. This code usually comes in the form of a hex file i.e. It has the file extension .HEX. As mention earlier there are a number of variations on the code that gets programmed into the PIC. This code depends on what use the Gold Card / Wafer is intended for.



There are a number of programs around and you may have had a program supplied with your PIC programmer. These programs can be DOS or Windows based, either gets you the same results. You will need to select what PIC chip you are using in the settings of the program. Once you have your software running we need to load the hex file of choice into the programming software. This is usually done by pressing the Load button and pointing to the file. The contents of the file should replace the default settings in the programming software.



All that is then required is for you to press the program button. It will then tell you if your attempt has been successful or not. If unsuccessful, check your settings and try again.

(Note: Clock should beset to XT if using an external crystal to clock the PIC chip)

A good way to check is to try and read the contents of the PIC back into the program. If it matches what you attempted to program into it, then all is ok.



Using Loggers / Emulators



There are couple of methods used to log data. The most common being a purpose built device placed into the Smart Card Slot in a decoder box. Nokia and a few other decoders allow the data to be logged from a SCSI port on the back of the box. Emulators usually come in the form of a purpose built device also, and again they are inserted into the Smart Card Slot in the decoder. I will again not go into detail on building these devices, as there a number of different circuit designs around and all seem to have the same functionality.

What are the differences?

A logger is normally only used to log all incoming data, be it Key updates, Country Code changes or a number of other EMM / ECM’s. This can be a little overwhelming as you get big log files of all the data sent out by the Service Provider, and have to sift through it for the information you require, which unless you know what you are looking for can be confusing. Where as an emulator takes the place of a Smart Card, and only logs the data destined for that particular card. There are number of loggers and emulator programs around, and again it will come down to personal choice on what you choose. Loggers are useful in their own way, as you can log changes to things like Country Codes for all Smart Cards. These come into their own when the Service Providers change the Country Code that allows all the channels to be viewed, but your card has only be enabled for the Country Code for a particular Provider.

For emulator software, you can’t go past WallBanger (by Mini-Me). It has a very basic and easy to use GUI interface, and runs off of a COM port on a PC. This in turn is connected to your logger circuit inserted in the Smart Card Slot.

This is how you attain the Plain / Session Keys for a card (as you cannot read these keys from a card).

You place the previously attained data (obtained from reading a Smart Card) into the relevant boxes in the Provider screen and start the program. You need to have HMK, Provider ID and Hex Serial

To get the PMK / PK’s using Wallbanger, you need to log a box hit that is sent to the card. This is in effect, a card enable. I will leave this up to your imagination on how to get this card hit done. Once the hit is intercepted, Wallbanger will update the necessary fields and viola – you have your required data and pictures (To see the PK’s you need to go back in the Add/Edit Provider Data screen.)

Logger software is similar also as you need some of the same details for certain programs or alternately there are a few loggers that are used in conjunction with a smart card i.e. the logger is inserted into the decoder Smart Card Slot and the Smart Card inserted into a slot on the logger. Nokia and some other decoders have a SCSI port built into the box. You can connect this to your computer via a SCSI card and run logging software to get the data. Certain programs log all the data and others just the data intended for your card. Deciphering this data can be decidedly a long process if your do not know exactly what you are looking for, but a good learning exercise.

[Raviv]

Hi, great article! simple and to the point. where can I find Active11? couldnt find it here.



P.S.

I think in the section of MOSC the Blocker is missing

[איש המציאות]

about the document -

it is missing some more things -

i had to cut many sections from the original document ,because it was very long.



soon I'll post here the short version of the Activatev11

(Activatev11 is the bible for burning cards :-) ...)



if you want any of the original versions, send me your mail addr

and I'll mail it to you...



if there are any other topics you would like to see here ,



just tell ...



:-)



Amir.

[Raviv]

Hi Amir, well I found the doc and other progs you mentioned (link: http://fineales.mine.nu/fineales/sat_tools/ ). however, all of it is obsolete and pertains only to version 11 of Irdeto cards (old system Irdeto1). presently, in MOSCing there are SecaII V7 and V7.1, Cryptoworks and Irdeto2. Anycase it is interesting and, as you said, lays the basics for card burning. Thanks for your offer, but since I found the docs I dont see the need in additional info about this. thanx again

[איש המציאות]

as you said ,

indded its old , but it includes many of the basic terms used ...

in this world of burning , logging etc



I'll try to bring more up to date docs



thanks for the comments , and the site link

i wasn't aware of it ...



Amir.

[Raviv]

Amir, here's a link to the best site on the net about smartcards, programmers, software and more, for your use

http://www.duwgati.com/uk/index.htm

[איש המציאות]

by the way ,

in which country you are located ?



Amir.

[Raviv]

moving between Hungary, Austria, Romania

been in the sat scene for few years, since the time of the analogue D2Mac

didnt know that there are sat hobbiests in Israel till I found your forum

[איש המציאות]

I wish i was in the sat scene couple of years ago ...



there were many interesting things that were opened :-)



Amir.