Toolkit for AT90SC3232c, 6464c and 7272c Smartcards

Version 6

There is nothing in this package alone that will allow you to get free TV.
We do not condone the use of this information for any illegal activity.
Information is freely given here for personal private use only.
It is not to be sold, nor used in software for any proprietary hardware device.
Use at your own risk. We will not be responsible for any damage caused.
We will not support any user applications.

Q1. What can I do with this package?

1. You can decrypt and encrypt applications for Opos 103/4, Titanium 2.01 and Wildcard cards.

2. You can convert applications that were written for one of these platforms to be used on the other.

3. You can erase the Operating System from

(3232c) Titanium 1.03 and 1.06

(6464c) Daytona 01
Didem 1.07
Knotcard BL1.4
M-II
Opos 103 (NOT 104 or 105)
Platinum cards with conax application (use the MII scripts)
Titancard 2
Titanium 2.01
Wildcard

(7272c) Daytona 02

........and restore the cards to virgin status.

4. You can load a new OS to a virgin or blank Atmel AT90SC3232c, AT90SC6464c or AT90SC7272c smartcard.

For 3232c use only

Titanium 1.03
Titanium 1.03

For 6464c use only

Cerebro 101
Didem 1.07
Knotcard 1.4
Knotcard 2.0
MII
Opos 103
Opos 104
Opos 104_erasable
Opos 105
Platinum
Titancard 2
Titanium 2.01

We do not advise that you use Opos 104, Opos 105 or Cerebro 101 as they have extra security checks and can NOT be erased.
However, you can use the Erasable version (opos104_erasable_OS.bin).

For 7272c use only

Daytona 01
Daytona 02.
You must use the Daytona OS 02 on 7272c cards only. It will kill a 6464c card.

You can, of course, load your own application, correctly compiled, for each respective card chip type.



5. You can erase applications from Opos 103/4/5, Cerebro, K3, Titanium 2, Wildcard and Daytona/Didem cards. Use Erase_XXX_App.xvb

6. You can read the Transport Codes from Opos 103, Titanium 2 and Platinum & MII cards. Use the appropriate XXX_Get_TC.xvb script. Some cards (Opos/Titanium) take a bit of effort to get back the normal ATR. If you cannot get an ATR, try to use "Erase" or "Identify" on one of the Opos/Titanium loaders. If you do not need to know the TC it is safer not to use this option.

7. You can test if the Opos 103 or Titanium 2 cards are genuine. Use XXX_Check_SN.xvb. If they are not, you can erase them and then re-write with a genuine OS bin file.

8. You can test that an application you are intending to use on Opos 103/4 or Titanium 2 is not a "card killer". Use TitaniumHack.exe.

9. You can erase an application, restore the OS and then write a new application to a K3 card. Use K3_App_loader_v5.xvb. The K3 card cannot be virginised.

==============================================================================================

Q2. What can I NOT do with this package?

1. Anything to do with Opos 105, Cerebro, K3, Gamma or Anaconda cards (other than erase applications from the first three).

2. Anything for other old cards from the AT90SC6464c family (such as, Titanium 2.02, TitaniumElite etc). We need samples of old cards for testing.


Q3. What do I need?

1. TitaniumHack.exe. The latest version is now 1.16.

2. A Phoenix interface at 3.579 MHz.

3. WinExplorer.exe. It is recommended that you use version 5.00 or higher.
Most of the scripts in this package will set the correct settings for you if you have a newish version of WinExplorer (>=v4.6).
However, as a default use these settings:-

[AT90SC6464c]
BaudRate=9600
ResetBaudRate=9600
ResetDelay=2000
ByteDelay=2000
RxByteTimeout=400
Parity=2
StopBits=2
FlushBeforeWrite=1
FlushEchoByte=1
DTRControl=1
RTSControl=0
ResetMode=1
IgnoreTimeouts=0
ResetAfterTimeout=0
ResetLine=0
LogTransactions=0
DisplayUSW=0
DisplayFuse=0
ByteConvention=1

Q4. How do I change a Titanium 2 Application to work on an Opos card (or vice versa)?

1. Start TitaniumHack.exe and select the cardtype you want to change from.
2. In the Decrypt section, load the three files of the application you want to change from - CryptedApp.hex, CryptedApp.EEP, and CryptKey.hex.
3. Press "Decrypt".
4. Then press "Modify". It should tell you what format the files are for and ask if you want to change it.
5. Select "Yes".
6. Then save the Plainflash.hex and PlainEEp.eep files, changing the name to indicate exactly what they are for.
7. Next go to the "Encrypt" section and load the Plainflash.hex and PlainEEp.eep files you have just created. You probably will not have a CryptKey for the new format so just let the program make one for you.
8. Now save the three files created - CryptedFlash.hex, CryptedEEp.eep and CryptKey.hex. Change the names slightly so you know what they are for.
9. Now you have the option of creating a WinExplorer script to load the three new files to your card. However, this is a bit slow so you may prefer to use a dedicated loader program instead.
10. If the files you have created, or have selected to load, are a potential "card-killer" - you will be warned.


Q5. How do I restore the card to virgin status and re-write my Opos 103 or Titanium 2 card with a genuine OS?

1. First erase any application on the card using the appropriate Erase_XXX_App.xvb script.

2. Run the appropriate XXX_Virginize.xvb script. Reset once, to read the card's Transport Code. You will need this to write a new OS, if it is anything other than the default :-

43 43 35 54 32 44 35 00 ; CC5T2D5.

..... make a note of it.

3. Wait about twenty seconds to allow the process to run before resetting again (Analyse ATR).

You should now see the Atmel Bootloader Virgin ATR something like this :-

ATR: 3B 7F 14 00 00 00 6B 01 0D 03 54 64 13 18 19 28 03 05 90 01
The numbers in red are the Atmel Serial Number. They vary from card to card. Make a note of these for your card.

4. To make a genuine clone, copy these eight bytes into the last eight bytes of the OS of your choice (Titanium2.bin or Opos103.bin).
Replace the "DEAD BEEF DEAD BEEF" using a hex editor (such as UltraEdit or HexWorkshop).

5. Now select the Load_OS_to_virgin_6464c.xvb into WinExplorer. Change the Transport Code (if you need to - this is unlikely) and run the script. When it asks for a *OS.bin file select the OS bin file that you want to load. We recommend that you DO NOT use the standard Opos104_OS. If you want Opos 104 use the Erasable version. Opos105 and Cerebro cannot be virginised either.
6. When the script finishes you should see the card's new ATR.

7. You can test if the card is a "genuine" clone by running the appropriate XXX_Check_SN.xvb. If the Card SN matches the Atmel SN then it is correct.
If not, you can do it all again.
N.B. Some of the encrypted Serial Numbers produced in the ATR may cause WinExplorer to crash, as it tries to interpret the invalid ATR. You may get a "divide by zero" error. Do not worry, just restart WinExplorer and reset the card to return to the normal ATR.
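
The ATRs quoted in this readme follow the ISO/IEC 7816-3 layout (TS, T0, interface bytes, historical bytes, optional TCK). As an added example, not part of this package or of WinExplorer, the Python parser below checks that layout and rejects truncated ATRs or reserved Fi/Di codes with an error instead of computing with them. The names parse_atr and ATRError are illustrative, and the cause of the WinExplorer crash is not stated here.

```python
# Added example: ISO/IEC 7816-3 ATR structure check (names are illustrative).
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}   # other codes reserved
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}


class ATRError(ValueError):
    """Truncated or structurally invalid ATR."""


def parse_atr(text):
    try:
        atr = bytes.fromhex(text)
    except ValueError:
        raise ATRError("ATR is not a hex string") from None
    if len(atr) < 2 or len(atr) > 33 or atr[0] not in (0x3B, 0x3F):
        raise ATRError("bad length or TS byte")
    hist_len, y, pos, level = atr[1] & 0x0F, atr[1] >> 4, 2, 1
    iface, protocols = {}, set()
    while True:                       # walk TAi/TBi/TCi/TDi as flagged by Y
        for bit, name in enumerate("ABC"):
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ATRError(f"truncated before T{name}{level}")
                iface[f"T{name}{level}"] = atr[pos]
                pos += 1
        if not y & 0x8:
            break
        if pos >= len(atr):
            raise ATRError(f"truncated before TD{level}")
        iface[f"TD{level}"] = td = atr[pos]
        protocols.add(td & 0x0F)
        y, pos, level = td >> 4, pos + 1, level + 1
    has_tck = bool(protocols - {0})   # TCK is absent when only T=0 is offered
    if pos + hist_len + has_tck != len(atr):
        raise ATRError("length does not match T0 and interface bytes")
    if has_tck:
        check = 0
        for b in atr[1:]:
            check ^= b
        if check:
            raise ATRError("TCK checksum mismatch")
    ta1 = iface.get("TA1", 0x11)      # default Fi=372, Di=1 when TA1 is absent
    f, d = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F)
    if f is None or d is None:        # reserved code: refuse, do not divide
        raise ATRError(f"TA1={ta1:02X} uses a reserved Fi/Di code")
    return {"interface": iface, "protocols": sorted(protocols) or [0],
            "historical": atr[pos:pos + hist_len], "etu_clocks": f / d}
```
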

Q6. How do I return my Knotcard 1 (with bootloader1.4) or Knotcard 2 (with bootloader 2.0) to virgin status?
1. First make sure any OS or application is erased from the card. Use either KCLoader04.exe or KCLoader10.exe to do this.
2. Load WinExplorer and run Knotcard_BLXX_virginzer.xvb
3. If the card is correct you will then be asked to select the *erase.bin. Follow the instructions given in the script output. The Transport Code is not important for loading a new OS.

Q7. How do I return my Titancard 2 to virgin status?
1. First make sure that it has the latest OS2.8 installed and no application. Use "Titancard Tool 1.18" to do this.
2. Load WinExplorer and run Titancard2_virginzer.xvb. You get the option of dumping the original OS to make a backup if you wish. Follow the instructions given in the script output.

Q8. How do I re-install the Titancard OS?
1. After you have run the Load_OS_to_virgin_6464c.xvb and selected the Titancard2_OS.bin, you must then initialize the card.
You do this by erasing the OS with Titancard Tool 1.18. Press "Kill OS" and then reload the OS2.8. In other words, the OS must be loaded twice.

Q9. How do I install the MII or Platinum OS?
1. After you have run the Load_OS_to_virgin_6464c.xvb and selected the MII_OS.bin or Platinum_OS.bin, you must then initialize the card and update the OS.
First you will see something like
ATR: 3B 16 18 03 11 02 01 02 02
which could crash WinExplorer. Then run M-II.exe to load the MII application to the card. You should then see the conax ATR
ATR: 3B 24 00 30 42 30 30

Q10. How do I return my Daytona 7272c to virgin status?
1. You may need to load any old application to the card using DaytonCharger1.03d.exe to update the OS to v 0002 (AU version) - 7272c cards only.
2. Next "Restore" the card using DaytonCharger1.03d.exe.
Ensure the starting Daytona ATR is
ATR = 3B 9E 18 11 81 20 6A 44 2D 54 4F 4E 41 54 4F 52 1A 00 02 70
3. Finally run Daytona_OS_02_7272c_Virginizer.xvb using WinExplorer. You should then get a virgin 7272c card with an ATR such as

ATR: 3B 7F 11 00 00 00 6B 1A xx xx xx xx xx xx xx xx 04 00 90 03


Q11. How do I return my Daytona OS v01 to virgin status?

If it is a 7272c card then update the OS to v02 then proceed as above.

If it is a 6464c card then use the script Daytona_OS_01_6464c_Virginizer.xvb.

There are some timing issues with this OS on this 6464c card. This means that there could be odd errors, e.g. you may need to restart the script if the ATR is not read correctly. If an error occurs later in the script then do a "Restore" using DaytonaCharger.exe and start again.


Q12. How do I install an OS to a virgin AT90SC7272c smart card?
Run the script Load_OS_to_Virgin_7272c.xvb. If it is a virginised Daytona card, then the TC is not important. (Authentication test is over-ridden)
However, if it is a brand new card then you must use the correct TC. Select the correct OS for a 7272c card when prompted eg daytona_02_OS.bin.
Occasionally when the script is finished the ATR may be just "3B" or "no ATR".
If this happens run the script Didem _ATR_restorer.xvb (or "Restore" in DaytonaCharger.exe) and pull and replace the card until you see the ATR.

Q13. How do I virginise a Didem card?
1. Make sure the OS is 1.07 then run the Make_Didem_Virgin_v2.1.xvb script. This over-rides the Authentication test of the Transport Code.
2. If a previously virginized Didem card has become blocked (wrong TC three times after using Make_Didem_Virgin_v2.xvb) then use Load_OS_to_blocked_virginized_6464c.xvb to load a new OS.

Q14. What can I do with my Titanium 1 card?
Read the relevant readme files in the "Titanium 103 & 106 Scripts" folder.

Credits
All the information contained in this package was determined by some great Team-Work, involving
(in alphabetical order):-
Atlas, Bit5, Colibri, John Doe, Reversi, Satconnect and others. Also thanks to ANonERaser

007.4

UPDATES
Version 1. 24/02/2006
Version 2. Modified 25/02/2006 to add Erasable version of Opos 104 OS and associated Opos104erasable_Virginize.xvb script
Version 3. Modified 28/02/2006 to add MII_EraseOS_method2.xvb. Changed some script names and converted them to latest versions. New TitaniumHack.exe 1.15.
Version 4. Modified 7/3/2006 to add support for Knotcard and Titancard2. Optimized some scripts.
Version 5. Modified 23/09/2006 to add new *_OS.bin files and updated some scripts. Also added K3 scripts.
Version 6. Modified 11/11/2007 to add new *_OS.bin files and updated some scripts (eg New OS Loaders and bootloader changes on Knotcard virginise scripts).
Also added Didem, Daytona, Titanium 1 and Wildcard scripts. Special thanks to Bit5 for some updated code.