JCOP

I recently bought some smart cards from http://www.smartcardsource.com/contents/en-ca/d9_JCOP-NXP-cards.html and have some comments/issues about getting them up and running. They were NXP JCOP cards, J2A040.

Round 1: GP Shell and Card Personalization

I was using GPShell for my initial tests; you can download it from http://sourceforge.net/projects/globalplatform/files/ . There is a good wiki too: http://sourceforge.net/p/globalplatform/wiki/Home/

The first test was attempting to list all the things already on the card. The results were less than satisfactory:

C:\>GPShell-1.4.4>GPShell.exe listgp211.txt
mode_211
enable_trace
establish_context
card_connect -readerNumber 1
select -AID a000000003000000
Command -> 00A4040008A000000003000000
Wrapped command -> 00A4040008A000000003000000
Response <- 6A82
select_application() returns 0x80216A82 (6A82: The application to be selected could not be found.)

As it turns out you need to have the cards personalized (or fused) before you can use them. With GP 2.1.1 you can check this with the following script:

mode_211
enable_trace
establish_context
card_connect
select -AID A000000167413000FF
card_disconnect
release_context

Running it gives this result:

C:\GPShell-1.4.4>GPShell.exe jcop_try_this.txt
mode_211
enable_trace
establish_context
card_connect
select -AID A000000167413000FF
Command -> 00A4040009A000000167413000FF
Wrapped command -> 00A4040009A000000167413000FF
Response <- 04310033000000004E5830313143000339F8736A82
select_application() returns 0x80216A82 (6A82: The application to be selected could not be found.)

The key thing to look for in the response is the 15th byte, shown in brackets below:

04 31 00 33 00 00 00 00 4E 58 30 31 31 43 [00] 03 39 F8 73 6A 82

If this is 00 (as here), the card is NOT personalized. You need the secret ‘Transport Key’ to do this personalization; if you just got the card as a one-off from a vendor you might be SOL.

My vendor sent me a replacement card, as those were presumably incorrectly set up (i.e. they SHOULD have been personalized before shipping to me). On to the next part:

Round 2: GP Shell with a Good Card

Alright, now with the good cards we redo the list attempt:

C:\>GPShell-1.4.4>GPShell.exe listgp211.txt
mode_211
enable_trace
establish_context
card_connect -readerNumber 1
select -AID a000000003000000
Command -> 00A4040008A000000003000000
Wrapped command -> 00A4040008A000000003000000
Response <- 6F658408A000000003000000A5599F6501FF9F6E06479100783300734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E01029000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
Command -> 80CA006600
Wrapped command -> 80CA006600
Response <- 6985
GP211_get_secure_channel_protocol_details() returns 0x80206985 (6985: Command not allowed - Conditions of use not satisfied.)

Well damn. I was worried about trying this too many times, as the card might lock.

I never figured out how to get GPShell to work, but clearly I’m improving from my initial problems.

Round 3: JCManager

Finally I found JCManager at http://www.brokenmill.com/2010/03/java-secure-card-manager/.

The default keys are OK in this, but you need to change the AID to a000000003000000. With this you can hit ‘Authorize’ and should see something like this:

Open terminal ...
EstablishContext(): ...
Wait for card in a certain reader ...
Pick reader ...
**********************
Selecting Card Manager
***********************
-> 00 A4 04 00 08 A0 00 00 00 03 00 00 00
<- 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65 01 FF 9F 6E 06 47 91 00 78 33 00 73 4A 06 07 2A 86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B 02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64 0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09 2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 04 01 2A 02 6E 01 02 90 00
************
Init Update
*************
-> 80 50 00 00 08 26 6C 8E 3C 10 69 39 05
<- 00 00 12 02 10 25 60 95 66 19 FF 02 00 02 59 8D D3 96 1B FD CC 97 F9 DF 4F 2A 6C E2 90 00
HostChallenge: 26 6C 8E 3C 10 69 39 05
CardChallenge: 59 8D D3 96 1B FD
Card Calculated Card Cryptogram: CC 97 F9 DF 4F 2A 6C E2
Derivation Data is 01 82 00 02 00 00 00 00 00 00 00 00 00 00 00 00
Host Cryptogram Data (to encrypt) 00 02 59 8D D3 96 1B FD 26 6C 8E 3C 10 69 39 05 80 00 00 00 00 00 00 00
Card Cryptogram Data (to encrypt for verification) 26 6C 8E 3C 10 69 39 05 00 02 59 8D D3 96 1B FD 80 00 00 00 00 00 00 00
S_ENC: AD C1 16 3B A2 A1 47 FB B8 4B F4 4C 86 76 FB 7D AD C1 16 3B A2 A1 47 FB
The Current session MAC key is 3E 06 B1 C8 FC FD 78 8A 57 3B 9A 98 89 D0 CA 50
The Current session DEK key is FC 01 09 6B 6D B1 3A DE E0 D4 CB 61 D0 3F D3 AA
Encrypted CardCryptoGram is 4F FC F3 9B 4A 25 56 A2 1B 69 AA 91 D8 E3 D7 44 CC 97 F9 DF 4F 2A 6C E2
Encrypted HostCryptoGram is D8 F5 B8 41 93 59 A6 45 E1 2D 3A 9A 0A 03 13 CD 5F 64 BB 10 3F 4F 87 19
-> 84 82 03 00 10 5F 64 BB 10 3F 4F 87 19 21 48 9B A9 BF 0B F8 34
<- 90 00
Authenticated

 

Design a FIR Filter in an FPGA in 30 mins using High Level Synthesis

I’ve been working with Xilinx’s new High Level Synthesis tools built into Vivado. I’m slowly working on posting some more complete tutorials. In the meantime, here is a simple tutorial about making a Finite Impulse Response Filter on a real ADC/DAC board.

QTabWidget in PySide Automatically Resize

When using PySide, a QTabWidget is handy. But the size of the QTabWidget is dictated by the largest item, even if it’s not visible.

Let’s assume self.tw is our tab widget. Then add this function:

from PySide.QtCore import *
from PySide.QtGui import *

class MainWindow(QMainWindow):
    def curTabChange(self, index):
        # Only the visible tab keeps a normal size policy; the hidden tabs are
        # set to Ignored so the largest one no longer dictates the widget size.
        for i in range(self.tw.count()):
            if i == index:
                self.tw.widget(i).setSizePolicy(QSizePolicy.Preferred, QSizePolicy.Preferred)
            else:
                self.tw.widget(i).setSizePolicy(QSizePolicy.Ignored, QSizePolicy.Ignored)

    def myOtherFunction(self):
        pass  # the rest of your window code goes here

And in your initialization associate it with a tab change event:

self.tw = QTabWidget()
self.tw.currentChanged.connect(self.curTabChange)

Remember to also call self.curTabChange(0) once you have loaded the tabs.

AtMega Card (Funcard) SmartCard Programming & Fuse Setup

I recently got an Atmel AtMega163-based smartcard for some side channel experiments, along with a SASEBO-W board. I owe a debt of thanks to Cryptography Research Inc. & Sakura for setting all that up!

Anyway I also got a normal smartcard reader, and wanted to experiment with programming the card & using it in a reader. I’m using SOSSE for these experiments.

It’s worth noting these cards are pretty old now! They were used a bunch in the heyday of satellite hacking… I don’t know if that’s still going on, but you might be able to pick some up pretty easily. The AtMega163 processor itself was EOL’d in 2002 (10 years ago!!), so I’m also sceptical whether any new ones are being made. Note you can use any AVR and program it with the SOSSE code; the SmartCard is just a form factor.

Internally, the SmartCard has this schematic:

The pinout of the card contact is as seen looking AT the card. The easy way to figure it out is to look for the GND contact; note how it covers the middle part.

What this means is you can use any old AVR programmer. I had a JTAG2 so could use that in ISP mode, although you can find an Arduino-based Funcard programmer too (http://www.makomk.com/2010/02/04/arduino-based-funcard-programmer/). Remember you can use any AVR programmer that supports the Mega163 (more on this later). Your normal AVR programmer probably has a 6-pin or 10-pin header, so you just map between them.

Note you also need a clock! This is besides the SCK pin: you also need to provide a fast clock into the ‘CLK’ pin. If you have another AVR around, program its ‘CLKOUT’ fuse and take the clock from the output pin; that is by far the easiest. Or you can use a timer to generate a clock on an output pin (see the Arduino programmer, it does that). Alternatively, if you have an AVR with a crystal, you can pick off the XTAL2 (not XTAL1) pin and feed that in. Here is a photo of my setup. I’m using the SASEBO-W board for power. I’ve fed in an external clock (the SASEBO-W does provide a clock, but I tri-stated it because I needed the IO lines tri-stated too) from an AVR using the XTAL2 trick. Finally you can see the cable to the programmer:

So what software to program with? avrdude claims to support the Mega163, so you could use that, although my tests showed it did not work: FLASH couldn’t be verified, and the fuses didn’t read properly (not good; if SafeMode asks you to change fuses back, say NO!).

AVRStudio doesn’t support the Mega163. BUT you can use the Mega363, which is essentially the same part. I used AVR Studio 4 for my programming and verification… worked perfectly! Programmed both fuses and FLASH.

One final problem: my SCR335 card reader didn’t recognize the smartcard. It turns out the default fuses have the clock mode as “Crystal Oscillator, Slowly Rising Power” (see the Fuses tab in AVR Studio), while the SmartCard specs say the Answer To Reset (ATR) needs to occur 400-40000 cycles after the reader resets the card and starts the clock. At a 67 ms delay, that is 268000 cycles! So the reader doesn’t even see the ATR; it has given up already. You need to change the fuse to ‘fast rising power’. I also switched it to ‘Ext. Clock’, as that is technically the correct option since you don’t have a crystal oscillator (i.e. you don’t need the XTAL2 output).

Good Luck!

Getting started with GIT Revision Control

Revision Control is the most critical part of any project involving files. Otherwise you end up with tons of directories, and naming schemes like “report_final2_june.docx” along with 20 other copies.

This is best described in this 20-min clip. Sorry it’s a little long, but there is a fair amount to cover:


You can download the slide set:
Slide Set
For your reading pleasure, here are the highlights. I’ve linked to the exact moments of interest in the video rather than retype stuff I describe in the video.

What is GIT

Git is a revision control manager. Briefly, it lets you see how things changed and track those changes. Even better, it lets you do tasks like create a “branch” of the source code. You can switch back and forth between branches to deal with issues like wanting to rewrite sections of the code, while still being able to get back to the last good ‘release’ copy.
Show Me Branching

Getting Started on Your Computer

You can use GIT on any folder! It’s dead simple to do, and handy even if you will never push anything to a remote. Doing so requires a few steps:

  1. Create a repository locally Show Me
  2. Commit initial file Show Me
  3. Commit changes Show Me
  4. Do other stuff (branching, merging, etc) Show Me

Using Real Repositories

To use real remote repositories, you need a server to host them. I recommend assembla.com or bitbucket.org. bitbucket.org provides more storage, more users for free, and unlimited project sizes for university-based projects. Both are pretty cheap for commercial projects.

You will want to configure an SSH key. Doing so requires four steps:

  1. Generate the key Show Me
  2. Set the key up on assembla/bitbucket Show Me
  3. Set the key up on git Show Me
  4. Set the key up to always be loaded Show Me

High-Speed ADC with Variable Gain Amp Input

Here is an ongoing project: it’s a high-speed ADC combined with some nice input preprocessing (amplifier). It’s all controlled by a FPGA on the Avnet LX9 Microboard, so it just plugs into that. Here is a simple python app (still being improved) to control it:

Still need to measure the analog bandwidth to see how well my layout held up…

Metcal MX-500P Soldering Station Review & Repair

For some time I’ve been using a METCAL soldering station. I picked mine up used on eBay, as they are expensive new.

They have phenomenal heat transfer ability – they use RF energy to transfer heat right to the tip. It means you can go from soldering a 0402 capacitor to desoldering an entire SMA connector with the same tip, and it all works perfectly.

There are a few “must-have” tools for anybody deeply involved in electronics. The Metcal soldering station is very high on that list. Simply put, you are wasting your time with a normal soldering station. I previously used a fairly good soldering station (ceramic heater element, good temp control, etc). The Metcal is still just that much better.

Here are a few videos of it in action, showing SMA soldering only because that is something normally very difficult.

I also collected some technical documentation. I can’t seem to find the original source though, so the following is NOT FROM ME, but I don’t know who the credit goes to. If you know the original source let me know and I’ll credit it. All the links I’ve found are too recent; I originally found it several years ago.

Getting the security Torx bolts out is difficult. Once you remove them I highly suggest replacing them with normal 8-32 1/4″ stainless steel pan-head machine screws. Because they are so recessed a normal universal screwdriver doesn’t fit down; I had to grind mine down to fit in the recess. I eventually ended up drilling out one bolt because it was stripped. In retrospect I would have just drilled all four corner bolts out; it would have been easier.

I blew a fuse soldered onto the PCB a few times. Once for unknown reasons, once because I tried to use the Metcal with an inverter, which the transformer-input didn’t like at all.

The documentation is mirrored in PDF form here: MX-500 Technical Reference including Schematic & PCB Information

I have also copied the text below:


METCAL MX-500P-11 TECHNICAL DOCUMENTATION

This documentation was carefully reverse engineered from several actual MX-500P units, and although it has been meticulously triple checked, it may contain errors and omissions so use it at your own risk. It is provided solely for the purpose of helping you satisfy your personal curiosity about how a Metcal MX-500P works, and you must never use it for any other purpose, especially not for any commercial or business purpose, and certainly not as an aide to experimenting with or performing work on MX-500P units, as it is inadequate for such unintended use. Reproduction is strictly forbidden. (Note from editor: I’m not the original author so cannot comment on reproduction)

MECHANICAL DESCRIPTION:

The small plastic cover at the two RF output connectors is held in place by its two plastic hooked clips which descend into the aluminum housing at the top and bottom. Beneath this plastic cover are two hex nuts that bolt the RF connectors to the aluminum housing. The RF connectors are soldered directly into the circuit board. On the rear of the MX-500P are four deeply recessed T15 tamper proof Torx screws which hold the two halves of the aluminum casting together. Loosening the single screw in the upper-middle back of the MX-500P by a few turns releases the internal heat sink which is attached to the circuit board. The internal heat sink couples heat into the MX-500P aluminum case from where it can dissipate into the ambient air. Good thermal coupling between the internal heat sink and the case is aided by a thin coating of white thermal compound. The circuit board inside the MX-500P is fastened down by six internal screws, four of which are rather large because they also hold down the line transformer. The tiny grub screw on the upper right hand side of the MX500 controls the Auto Sleep feature and should not be tightened past the point where it gently activates the switch. Note that it can be dangerous to power up an MX-500P unit that has been taken apart or that has been reassembled by anyone other than a trained Metcal service technician.

DESCRIPTION OF FUNCTION:

The MX-500P Power Unit provides RF energy at 13.560MHz to the Soldering Tip Cartridge, which contains an induction heater consisting of an 18 turn AWG33 wire coil wound around a 0.11″ diameter by 0.5″ long slug. The slug is composed of a copper core, clad in a thin magnetic alloy having a curie point equal to the desired soldering tip temperature. The magnetic alloy absorbs RF energy from the coil, causing the slug to heat up until the curie temperature is reached. At this point absorption stops and heating ceases, because the RF energy is now reflected back to the power unit by the copper core.

The On/Off switch atop the power unit controls the 18V power supply U8, which runs all the supervisory circuits. When the 18V supply is off, Q6 turns off thereby causing Q7 to turn on and disable the RF generator.

Q5 and Q8 control a small DC bias voltage out to the soldering hand piece, so that U2a can sense an intermittent or disconnected hand piece cable, in which case the yellow LED DS2 will light and U2b will latch Q7 on, thereby disabling the RF generator until the On/Off switch is cycled.

U5a senses small changes in RF generator output power to the soldering hand piece. If no changes are detected for half an hour then sleep mode timer U6 times out causing U7 to latch Q11 on, thereby disabling the RF generator until the On/Off switch is cycled. This functionality can be disabled by backing out the tiny grub screw in the upper right side of the unit.

If thermal switch TS1 detects an over temperature condition inside the power unit then Q9 will turn on and disable the RF generator until the temperature drops back down to normal.

If Forward Power at T3 and C33 exceeds reasonable limits due to a fault in the power unit circuitry, then Q19 will turn on and disable the RF generator until Forward Power returns to acceptable levels.

U5b monitors the supervisory circuits and lights green LED DS1 if everything is OK, in which case Q12 will be on, enabling U4 to power up the RF generator.

U1 provides a 13.560MHz square wave out to class C driver stage Q3, which in turn drives the class C final output stage Q4, providing RF power to the soldering hand piece. Note that Q3 is unusual in that it has an input capacitance of only 55pF and a gate threshold voltage of only 1.6V.

Diodes D8 and D9 sense the RF voltage level coming out of the RF generator, providing negative feedback to switching power supply U4 Q1 Q2, which powers the final RF output stage Q4 of the RF generator.

J1 provides a DC voltage which is proportional to the power being delivered to the hand piece. It can be connected to an analog meter movement or other measuring instrument.

TRIMPOT DESCRIPTIONS:

RV2 adjusts the RF-Output-Power delivered to the hand piece; if this adjustment is incorrect then the voltage at C8 will likely not correspond to the values given elsewhere in this document.

RV1 sets the Forward-Power-Fault safety shutdown circuit trip point; if this adjustment is incorrect then the voltage at C16 will likely not correspond to the values given elsewhere in this document.

RV3 calibrates the signal out to any Meter connected at J4; the signal at J4 is not normally used so it is hard to imagine how this adjustment could have any impact upon the operation of the unit.

Calibration is well beyond the scope of this document and must not be attempted by anyone other than a qualified Metcal service technician.

MEASUREMENTS FROM SOME GOOD WORKING UNITS:

Whenever unit is plugged into the AC line:

  • Voltage at C2 will measure approximately 26 VDC
  • Voltage at C6 will measure approximately 53 VDC

Whenever the power switch is on and unit is plugged in:

  • U8 pin 3 will measure 18 VDC
  • U7 pin 14 will measure 12 VDC

Whenever a hand piece is connected and the green LED is lit:

  • U4 pin 4 will measure 1.3 VDC
  • U4 pin 5 will measure 0.0 VDC

If the green LED is extinguished but the unit is plugged in:

  • U4 pin 5 will measure 26 VDC

Whenever the hand piece is idling hot in the stand:

  • Voltage at C8 will measure between 17 and 18 VDC
  • Voltage at C3 will measure between 14 and 15 VDC
  • Voltage at C16 will measure approximately minus 1.2 VDC
  • U1 pin 14 will measure approximately 4.8 VDC
  • U1 pin 4 will have a 13.56 MHz waveform approximately 2.8 Vpp

When the soldering hand piece is heating up from a cold start:

  • Voltage at C8 may temporarily rise as high as 21 VDC
  • Voltage at C16 may temporarily rise as high as minus 0.22 VDC

When the hot hand piece is touched to something cold:

  • U5 Pin 1 will pulse high momentarily

Characteristics of a cold MX Soldering Tip Cartridge:

  • Inductance at 1kHz is somewhere around 2.8 uH
  • DC resistance is fairly close to 0.21 ohms

 

Avnet Spartan-6 LX9 Board: Or How ChipScope is your Saviour

I was recently working on a project which needed more gates than I had in my trusty current FPGA board (Spartan3-200 on DLP-FPGA-HS). I quickly found the Avnet Spartan 6 LX9 board (AES-S6MB-LX9-G), which I could buy for $90 and have here in a few days. It also comes with a license for the SDK and ChipScope, as it’s designed for experimenting with on-FPGA processors. It doesn’t have a full EDK license so you are a little limited in peripherals…

But for my project I didn’t care about that. I was however interested in ChipScope Pro, having used it previously at a job. This quick post will show you how valuable it can be – the license included with the LX9 board is “device locked” and will only work with XA6SLX9 parts. ChipScope Pro is not normally licensed as part of WebPack so the $90 board is a great deal when you consider the licensing cost.

My normal FPGA debugging, beyond Verilog testbenching, is to use a LogicPort on some spare IO lines. This works well – the LogicPort has a very high sampling rate (200MHz external, 500MHz internal). But it requires a physical connection, which requires a lot of IO pins. I was hoping ChipScope could eliminate this problem.

There are two cores of interest: the Integrated Logic Analyser (ILA) core and the Virtual IO (VIO) core. Both are controlled by the Integrated Controller (ICON) core. You can only have one ICON, but it can control several ILA/VIO cores.

The VIO core gives you a virtual dashboard, where you can toggle bits and see results. This is pretty handy for validating/playing with cores to check they function as intended. Here I am checking a UART core from fpga4fun.com:


ChipScope Pro VIO

Note the VIO core doesn’t provide buffering, so every value is transferred over JTAG as it is read. This limits your polling speed of course, but makes it easy to play with things. It does let you define pulse trains or single pulses if you have special timing requirements on, e.g., load lines, as I had here.

The ILA core is strictly input. But it connects to BRAMs on-board the device, meaning you can buffer a fair amount of data. Since it’s all on-device the speed is basically limited by similar constraints to the rest of your design. Of course if you already have a packed chip you might not be able to spare any BRAMs…

Here I am debugging a state machine; note how you can even define ‘tokens’ so it decodes the states correctly:


ChipScope Pro ILA

 

So the combination of ChipScope ILA + VIO I’m hoping will make designs go by a lot faster.

Springer / SpringerLink MyCopy Review

Recently I was using an e-book I had access to through my school’s subscription to Springer. They advertised a ‘MyCopy’ service, which gives you a printed copy of the e-book for $25 including shipping (http://www.springer.com/mycopy). I couldn’t find a review of the printing quality anywhere so thought I’d post one quickly…

The actual copy would be $98 for softcover or $103 for hardcover. The trick with MyCopy is you can only order it if you have access to the e-book: thus you have a license to print a physical copy, and Springer is just printing what you are already licensed for.

Anyway it looks good: colour wrap-around cover, B&W inside. Print quality is good – black is very “black”, although noticeably shiny. Paper seems bright and weight OK. As far as print on demand (POD) it’s great – better than I was expecting for $25. It’s lower quality than a real offset-print textbook, but it’s pretty close, better than other POD I’ve had. I recently bought a “real” book from the ‘Missing Manual’ series, which is apparently using POD for some books. The “real” book I got is far lower quality than the Springer MyCopy, so should give you some idea for comparison. The Springer MyCopy I got was printed in USA as well.

Some images (click for full resolution):

Front Cover:


MyCopy Example Cover

 

Binding Detail:



 

Text close-up, white-looking areas are shiny reflections:



 

Binding can be pushed down and lie somewhat flat without breaking:

