I recently got an Atmel AtMega163-based smartcard for some side channel experiments, along with a SASEBO-W board. I owe a debt of thanks to Cryptography Research Inc. & Sakura for setting all that up!
Anyway I also got a normal smartcard reader, and wanted to experiment with programming the card & using it in a reader. I’m using SOSSE for these experiments.
It’s worth nothing these cards are pretty old now! They were used a bunch in the hayday of satellite hacking… I don’t know if that’s still going on, but you might be able to pick some up pretty easy. The AtMega163 processor itself was EOLd in 2002 (10 years ago!!), so I’m also sceptical if there are any new ones made. Note you can use any AVR & program it with the SOSSE code, the SmartCard is just a form factor.
Internally, the SmartCard has this schematic:
The pinout of the card contact is looking AT the card. The easy way to figure it out is look for the GND contact, note how it covers the middle part.
Note you also need a clock! This is besides the SCK pin – you also need to provide a fast clock into the ‘CLK’ pin. If you have another AVR around program the ‘CLKOUT’ fuse & take the clock on the output pin, that is by far the easiest. Or you can use the timer to generate an output pin (see the Arduino programmer, it does that). Alternatively if you have an AVR with a crystal, you can pick off the XTAL2 (not XTAL1) pin and feed that in. Here is a photo of my setup… I’m using the SASEBO-W board for power. I’ve fed an external clock in (it does provide a clock, but I tri-stated it because I needed the IO lines tri-stated too) from an AVR using the XTAL2 trick. Finally you can see the cable to the programmer:
So what software to program with? avrdude claims to support the Mega163, so you could use that. Although my tests showed it did not work – FLASH couldn’t be verified, and the fuses didn’t read properly (not good – if SafeMode asks you to change fuses back say NO!).
AVRStudio doesn’t support the Mega163. BUT – you can use the Mega363, which is essentially the same part. I used AVR Studio 4 for my programming & verification… worked perfect! Programmed both Fuses & FLASH.
One final problem: my SCR335 card reader didn’t recognize the smartcard. It turns out the default fuses have the clock mode as “Crystal Oscillator, Slowly Rising Power” (see Fuses tab in AVR Studio). While the SmartCard Specs say the Answer To Reset (ATR) needs to occur 400-40000 cycles after the SmartCard reader resets the card & starts the clock. At 67mS delay, that is 268000 cycles! So the SmartCard reader doesn’t even see the ATR, it’s given up already. You need to change the fuse to ‘fast rising power’. I also switched it to ‘Ext. Clock’, as it’s technically the correct option since you don’t have a crystal oscillator (e.g.: you don’t need the XTAL2 output).
Revision Control is the most critical part of any project involving files. Otherwise you end up with tons of directories, and naming schemes like “report_final2_june.docx” along with 20 other copies.
This is best described in this 20-min clip. Sorry it’s a little long, but there is a fair amount to cover:
You can download the slide set: Slide Set
For your reading pleasure, here are the highlights. I’ve linked to the exact moments of interest in the video rather than retype stuff I describe in the video.
What is GIT
Git is a revision control manager. Briefly, it lets you see how things changed and track those changes. Even better, it lets you do tasks like create a “branch” of the source code. You can switch back and forth between branches to deal with issues like wanting to rewrite sections of the code, while still being able to get back to the last good ‘release’ copy. Show Me Branching
Getting stated on Your Computer
You can use GIT on any folder! It’s dead simple to do, and handy even if you will never commit things to the web. Doing so requires a few steps:
To use real remote repositories, you need a server to host them. I recommend assembla.com or bitbucket.org . bitbucket.org provides more storage, more users for free, and unlimited project sizes for university-based projects. Both are pretty cheap for commercial projects.
You want to configure a SSH key. Doing so requires four steps:
Here is an ongoing project: it’s a high-speed ADC combined with some nice input preprocessing (amplifier). It’s all controlled by a FPGA on the Avnet LX9 Microboard, so it just plugs into that. Here is a simple python app (still being improved) to control it:
Still need to measure analog BW to see how my layout stood out…
For some time I’ve been using a METCAL soldering station. I picked mine up used on E-Bay, as they are expensive new.
They have phenomenal heat transfer ability – they use RF energy to transfer heat right to the tip. It means you can go from soldering a 0402 capacitor to desoldering an entire SMA connector with the same tip, and it all works perfectly.
There is a few “must” tools for anybody deeply involved in electronics. The Metcal soldering station is very high on that list. Simply put you are wasting your time with a normal soldering station. I previously used a fairly good soldering station – ceramic heater element, good temp control, etc. The Metcal is still just that much better.
Here are a few videos of it in action, showing SMA soldering only because that is something normally very difficult.
I also collected some technical documentation. I can’t seem to find the original source though, so the following is NOT FROM ME, but I don’t know who credit goes to. If you know the original source let me know & I’ll credit it. All the links I’ve found are too recent – I originally found it several years ago.
Getting the security torx bolts out is difficult. Once you remove them I highly suggest replacing them with normal 8-32 1/4″ stainless steel pan-head machine screws. Because they are so recessed a normal universal screwdriver doesn’t fit down – I had to grind down mine to fit in the recess. I eventually ended up drilling out one bolt because it was stripped. In retrospect I would have just drilled all the four corner bolts out & would have been easier.
I blew a fuse soldered onto the PCB a few times. Once for unknown reasons, once because I tried to use the Metcal with an inverter, which the transformer-input didn’t like at all.
This documentation was carefully reverse engineered from several actual MX-500P units, and although it has been meticulously triple checked, it may contain errors and omissions so use it at your own risk. It is provided solely for the purpose of helping you satisfy your personal curiosity about how a Metcal MX-500P works, and you must
never use it for any other purpose, especially not for any commercial or business purpose, and certainly not as an aide to experimenting with or performing work on MX-500P units, as it is inadequate for such unintended use. Reproduction is strictly forbidden. (Note from editor: I’m not original author so cannot comment on reproduction)
The small plastic cover at the two RF output connectors is held in place by it’s two plastic hooked clips which descend into the aluminum housing at the top and bottom. Beneath this plastic cover are two hex nuts that bolt the RF connectors to the aluminum housing. The RF connectors are soldered directly into the circuit board. On the rear of the MX-500P are four deeply recessed T15 tamper proof Torx screws which hold the two halves of the aluminum casting together. Loosening the single screw in the upper-middle back of the MX-500P by a few turns releases the internal heat sink which is attached to the circuit board. The internal heat sink couples heat into the MX-500P aluminum case from where it can dissipate into the ambient air. Good thermal coupling between the internal heat sink and the case is aided by a thin coating of white thermal compound. The circuit board inside the MX-500P is fastened down by six internal screws, four of which are rather large because they also hold down the line transformer. The tiny grub screw on the upper right hand side of the MX500 controls the Auto Sleep feature and should not be tightened past the point where it gently activates the switch. Note that it can be dangerous to power up an MX-500P unit that has been taken apart or that has been reassembled by anyone other than an trained Metcal service technician.
DESCRIPTION OF FUNCTION:
The MX-500P Power Unit provides RF energy at 13.560MHz to the
Soldering Tip Cartridge, which contains an induction heater consisting of an 18 turn AWG33 wire coil wound around a 0.11″ diameter by 0.5″ long slug. The slug is composed of a copper core, clad in a thin magnetic alloy having a curie point equal to the desired soldering tip temperature. The magnetic alloy absorbs RF energy from the coil, causing the slug to heat up until the curie temperature is reached. At this point absorption stops and heating ceases, because the RF energy is now reflected back to the power unit by the copper core.
The On/Off switch atop the power unit controls the 18V power supply U8, which runs all the supervisory circuits. When the 18V supply is off, Q6 turns off thereby causing Q7 to turn on and disable the RF generator.
Q5 and Q8 control a small DC bias voltage out to the soldering hand piece, so that U2a can sense an intermittent or disconnected hand piece cable, in which case the yellow LED DS2 will light and U2b will latch Q7 on, thereby disabling the RF generator until the On/Off switch is cycled.
U5a senses small changes in RF generator output power to the
soldering hand piece. If no changes are detected for half an hour then sleep mode timer U6 times out causing U7 to latch Q11 on, thereby disabling the RF generator until the On/Off switch is cycled. This functionality can be disabled by backing out the tiny grub screw in the upper right side of the unit.
If thermal switch TS1 detects an over temperature condition inside the power unit then Q9 will turn on and disable the RF generator until the temperature drops back down to normal.
If Forward Power at T3 and C33 exceeds reasonable limits due to a fault in the power unit circuitry, then Q19 will turn on and disable the RF generator until Forward Power returns to acceptable levels.
U5b monitors the supervisory circuits and lights green LED DS1 if everything is OK, in which case Q12 will be on, enabling U4 to power up the RF generator.
U1 provides a 13.560MHz square wave out to class C driver stage Q3, which in turn drives the class C final output stage Q4, providing RF power to the soldering hand piece. Note that Q3 is unusual in that it has an input capacitance of only 55pF and a gate threshold voltage of only 1.6V.
Diodes D8 and D9 sense the RF voltage level coming out of the RF generator, providing negative feedback to switching power supply U4 Q1 Q2, which powers the final RF output stage Q4 of the RF generator.
J1 provides a DC voltage which is proportional to the power being delivered to the hand piece. It can be connected to an analog meter movement or other measuring instrument.
RV2 adjusts the RF-Output-Power delivered to the hand piece; if this adjustment is incorrect then the voltage at C8 will likely not correspond to the values given elsewhere in this document.
RV1 sets the Forward-Power-Fault safety shutdown circuit trip point; if this adjustment is incorrect then the voltage at C16 will likely not correspond to the values given elsewhere in this document.
RV3 calibrates the signal out to any Meter connected at J4; the signal at J4 is not normally used so it is hard to imagine how this adjustment could have any impact upon the operation of the unit.
Calibration is well beyond the scope of this document and must not be attempted by anyone other than a qualified Metcal service technician.
MEASUREMENTS FROM SOME GOOD WORKING UNITS:
Whenever unit is plugged into the AC line:
Voltage at C2 will measure approximately 26 VDC
Voltage at C6 will measure approximately 53 VDC
Whenever the power switch is on and unit is plugged in:
U8 pin 3 will measure 18 VDC
U7 pin 14 will measure 12 VDC
Whenever a hand piece is connected and the green LED is lit:
U4 pin 4 will measure 1.3 VDC
U4 pin 5 will measure 0.0 VDC
If the green LED is extinguished but the unit is plugged in:
U4 pin 5 will measure 26 VDC
Whenever the hand piece is idling hot in the stand:
Voltage at C8 will measure between 17 and 18 VDC
Voltage at C3 will measure between 14 and 15 VDC
Voltage at C16 will measure approximately minus 1.2 VDC
U1 pin 14 will measure approximately 4.8 VDC
U1 pin 4 will have a 13.56 Mhz waveform approximately 2.8 Vpp
When the soldering hand piece is heating up from a cold start:
Voltage at C8 may temporarily rise as high as 21 VDC
Voltage at C16 may temporarily rise as high as minus 0.22 VDC
When the hot hand piece is touched to something cold:
U5 Pin 1 will pulse high momentarily
Characteristics of a cold MX Soldering Tip Cartridge:
I was recently working on a project which needed more gates than I had in my trusty current FPGA Board (Spartan3-200 on DLP-FPGA-HS). I quickly found the Avnet Spartan 6 LX9 board (AES-S6MB-LX9-G), which I could buy for $90 and have here in a few days. It also comes with a license for SDK for ChipScope, as it’s designed for experimenting with on-FPGA processors. It doesn’t have a full EDK license so you are a little limited in peripherals…
But for my project I didn’t care about that. I was however interested in ChipScope Pro, having used it previously at a job. This quick post will show you how valuable it can be – the license included with the LX9 board is “device locked” and will only work with XA6SLX9 parts. ChipScope Pro is not normally licensed as part of WebPack so the $90 board is a great deal when you consider the licensing cost.
My normal FPGA debugging, beyond Verilog testbenching, is to use a LogicPort on some spare IO lines. This works well – the LogicPort has a very high sampling rate (200MHz external, 500MHz internal). But it requires a physical connection, which requires a lot of IO pins. I was hoping ChipScope could eliminate this problem.
There is two cores of interest: the Integrated Logic Analyser (ILA) core, and the Virtual IO (VIO) core. They are both controlled by the Integrated Controller (ICON) core. You can only have one ICON, but it can control up to a number of ILA/VIO cores.
The VIO core gives you a virtual dashboard, where you can toggle bits and see results. This is pretty handy for validating/playing with cores to check they function as intended. Here I am checking a UART core from fpga4fun.com:
Note the VIO core doesn’t provide buffering, so data is transferred over the JTAG. This limits your polling speed of course, but makes it easy to play with things. It does let you define pulse trains or single pulses if you have special timing requirements on e.g.: load lines, as I had here.
The ILA core is strictly input. But it connects to BRAMs on-board the device, meaning you can buffer a fair amount of data. Since it’s all on-device the speed is basically limited by similar constraints to the rest of your design. Of course if you already have a packed chip you might not be able to spare any BRAMs…
Here I am debugging a state machine, note you how can even define ‘tokens’ so it decodes the states correctly:
So the combination of ChipScope ILA + VIO I’m hoping will make designs go by a lot faster.
Recently I was using an e-book I had access to through my school’s subscription to Springer. They advertised a ‘MyCopy’ service, which gives you a printed copy of the e-book for $25 including shipping http://www.springer.com/mycopy. I couldn’t find a review of the printing quality anywhere so though I’d post one quickly…
The actual copy would be $98 for softcover or $103 for hardcover. The trick with MyCopy is you can only order it assuming you have access to the e-book: thus you have a license to print a physical copy, and springer is just printing what you already are licensed for.
Anyway it looks good: colour wrap-around cover, B&W inside. Print quality is good – black is very “black”, although noticeably shiny. Paper seems bright and weight OK. As far as print on demand (POD) it’s great – better than I was expecting for $25. It’s lower quality than a real offset-print textbook, but it’s pretty close, better than other POD I’ve had. I recently bought a “real” book from the ‘Missing Manual’ series, which is apparently using POD for some books. The “real” book I got is far lower quality than the Springer MyCopy, so should give you some idea for comparison. The Springer MyCopy I got was printed in USA as well.
Some images (click for full resolution):
Text close-up, white-looking areas are shiny reflections:
Binding can be pushed down and lay somewhat flat without breaking:
I’ve added a page on Turbo Coding, a subject I’m researching for a class at Dal. This includes a large presentation, links to reference material, and lots of MATLAB code based on CML. It’s still being updated but maybe you’ll find it useful/interesting as well.