Home      Projects     Experiments     Circuits     Theory     BLOG     PIC Tutorials     Time for Science

 How Phonecard Smart Cards Work AuthorGiorgos LazaridisMay 30, 2012

PAGE 2 of 2

4 Write-Carry to the memory card
You may now wonder: If during a Write sequence only decreasing a value is allowed, then how can a 4-byte octal register borrow a carry from one byte to the other? Suppose for example that we have 2 bytes of the octal register, the HIGH byte and the LOW byte. The HIGH byte is 00001111 and the LOW byte is 00000000. During the next decrement, the HIGH byte will be decreased by one (00001110) and the LOW byte will borrow one and it will become 11111111:

00001111:00000000
--- After next decrement ---
00000110:11111111

Now the problem is obvious: The LSB bit of the HIGH byte can be written with the Write command as explained before, but the bits in the LOW byte have to become 1 again! But as we said before, no write operation is allowed to increase bits (0->1), only to decrease them (from 1->0). So?

This problem is solved with the Write-Carry sequence. During this sequence two things happen: The first is that the current-selected memory position is decreased by one, the same way as happens with the Write command. The second is that the next byte (8-bits) in the octal counter is cleared and becomes 11111111. Here is the Write-Carry sequence:

• First go to the memory position that you want to write
• Set the Reset pin HIGH, wait for some clock periods and then set the Reset pin back LOW
• Wait for some clock periods and set the Clock pin HIGH
• Wait for at least 10 milliseconds
• Set the Clock pin back LOW
• Wait for some clock periods and set the Reset pin HIGH, wait for some clock periods and then set the Reset pin back LOW
• Wait for some clock periods and set the Clock pin HIGH
• Wait for at least 10 millisecond
• Set the Clock pin back LOW

• You may notice that the Write-Carry sequence is actually two Write sequences in a row. That's true indeed: During the first write sequence the currently-selected bit is cleared. If a second write sequence occurs, then the next counter byte is cleared to 11111111 - performing thus a Write-Carry operation. Suppose for example that the 4-bytes octal counter has these bits:

00000000-00000000-00000011-00000000

If the 23rd bit is selected (counting from left to right starting from bit number 0), and a Write-Carry operation is performed, then this bit will become zero and the next byte is cleared:

00000000-00000000-00000010-11111111

Here is a timing diagram of the Write-Carry sequence

Phonecard Memory Mapping
The memory of the phonecards is arranged into 8-bit bytes. Unfortunately for us amateurs, telephone cards have different memory mappings from country to country. For more info, check out the links provided into the references section. In this tutorial i will provide detailed info about the 128-bit 2nd generation phonecards from Greek telecommunications provider OTE:

Starting from byte position 0, the first 4 bytes provide information about the maker and the country. I do not have more info about these 4 positions, other that the cards i tested begin with byte 0xA1.

The next four bytes (4 through 7) hold the serial number of the phonecard. This is a 32-bits long number. The MSB of this number is the most-right bit of the 7th byte (bit #63), while the LSB is the most-left bit of the 4th byte (bit #32). For example, a phonecard with serial number 0236111001 will have the following bytes:

The next 5 bytes hold to the octal counter of the card. This is actually the only memory position that a Write or Write-Carry operation can be performed. This position holds the calling units that the card has, which explains also why this counter can only be decreased. The octal counter conversion is done like this: First, you measure the number of aces (1) that exist in each byte. This number is then multiplied by the corresponding octal power of each byte position. This power is 84 for the first byte (4096), 83 for the second (512), 82 for the third (64), 81 for the fourth (8) and 80 for the fifth byte (1). Let's see an example. Suppose that we have a card that has the following bytes into the octal counter:

Here is how to calculate the decimal value (calling units) of this card:

By adding all these decimal values we get the total amount of units:

Units = 0 + 2048 + 192 + 56 + 5 = 2301

For the Greek telecards, this number corresponds to 2,301 Euros of remaining calling time.

 Continue reading. Click here to go back to the first page <<<.

Comments

 Name  Email (shall not be published)  Website Notify me of new posts via emailWrite your comments below:BEFORE you post a comment:You are welcome to comment for corrections and suggestions on this page. But if you have questions please use the forum instead to post it. Thank you.

 At 1 January 2016, 11:44:09 user Jan Van Rossum wrote:   [reply @ Jan Van Rossum]Hello I have written a Online USB card reader program .. please check www.javaro.be/reader login with user 'demo' and pswd 'demo' Read the "how it works" file for more info.. Enjoy JANAt 17 December 2015, 21:39:02 user Ahmadhamza wrote:   [reply @ Ahmadhamza]Well done guysAt 25 November 2012, 20:09:59 user Jan Van Rossum wrote:   [reply @ Jan Van Rossum]I want to use " SMART CARD TOOLSET PRO " program .. i use an USB reader ACR-38 when I choose GSM sim card (card type) when I insert a GSm sim card it seems to respond .. when I choose ISO 7916 card (card type) and I insert a standard phone card .. smartcard does not respond on settings ' probably something to do with the APDU ... somebody any idea what i have to put there to read a phonecard ? thanks Jan

 HOT in heaven!

 NEW in heaven! New Theory: AC electric motor working principle

 Contact     Forum     Projects     Experiments     Circuits     Theory     BLOG     PIC Tutorials     Time for Science     RSS    Site design: Giorgos Lazaridis © Copyright 2008 Please read the Terms of services and the Privacy policy