
                       :----------------------------:
                        Siemens Chip Card Technology

                       .        by Yggdrasil        .
                       :----------------------------:



  Chip cards differ from one another in memory size, type of memory (PROM or
EEPROM), security logic and micro-controller.  This article will discuss the
Siemens SLE4404 chip card technology.

  The SLE4404 is employed for electronic purse cards and bank transactions,
cellular telephony (prepaid cards), user IDs for access control, etc. (some
examples: SmartCard, ViaCard and Italian Bancomat).  Its data can be accessed
through a simple TTL serial channel once a +5 V Vcc power supply is provided
from an external source.


 Inside the chip
 ~~~~~~~~~~~~~~~
  The chip card has EEPROM memory organized as a 416-bit matrix (each row is
16 bits wide), protected by security logic that provides access control.

  This is the logic diagram:

                  +------------------------+     +------------------+
                  |     Address Counter    | --> |  Column Decoder  |
                  +------------------------+     +------------------+
                        ^             |                    | 16
                        |             v                    v
                  +-----------+  +---------+     +------------------+
 C3,C8,C2,C5  --> | Control & |  | Row     |     | User mem 208 bit |
 C1 (Vcc)     --> | Security  |  | Decoder | --> | Sec unit 192 bit |
 C7 (I/O)    <--> | Logic     |  |         | 26  | Special mem unit |
                  +-----------+  +---------+     +------------------+
                        ^                                  ^
                        |                                  |
                        +----------------------------------+

  The SLE4404 memory is subdivided into three main memory blocks: one is read
only (a "PROM" containing the manufacturer code and/or a serial number and
an expiration date), the second is both readable and writeable (user memory)
and the last block cannot be written to unless the lock-out fuse has been
fused.

  This is the memory map:

  BLOCK TYPE         SIZE (BIT)   ADDRESS   READABLE   WRITEABLE   ERASEABLE
-----------------------------------------------------------------------------
 Manufacturer code       16          0-15     Yes         No           No
 Application ROM         48         16-63     Yes         No           No
 User code               16         64-79    [fuse]      U.C.         U.C.
 Error counter            4         80-83     Yes        Yes          U.C.
 EEPROM #1               12         84-95     Yes        Yes          U.C.
 EEPROM #2               16        96-111     Yes        U.C.         U.C.
 Frame memory block
 - F.M. config            2       112-113     Yes        Yes       U.C./R.C.
 - Frame memory         206       114-319    [cfg]      [cfg]      U.C./R.C.
 Frame code              32       320-351    [fuse]     [fuse]       [cfg]
 Frame counter           64       352-415     Yes        Yes         [cfg]
-----------------------------------------------------------------------------

  Meaning of abbreviations:

 U.C.   -  User code required
           (each time the code is entered the error counter is decreased)
 R.C.   -  Frame code required
           (each time the code is entered the frame counter is decreased)
 [fuse] -  Operation allowed ONLY IF lock-out fuse is not fused
 [cfg]  -  Operation allowed according to frame memory configuration

  Frame memory configuration table:

 BIT 112    BIT 113    MEMORY MODE    READABLE    WRITEABLE
-----------------------------------------------------------------------------
    0          0        Secret ROM      Yes           No
    0          1          R.O.M.        Yes           No
    1          0       Secret PROM      U.C.         U.C.
    1          1         P.R.O.M.       U.C.         U.C.
-----------------------------------------------------------------------------
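
  The memory map and the frame memory configuration table together form an
access-control policy.  The Python model below is an added example, not code
from the original article: it resolves read and write rights for any bit
address from those two tables.  The dump format (a '0'/'1' string indexed by
bit address), the function names and the sample card are assumptions; erase
rights are not modelled.

```python
# Added example: access model built from the article's two tables.
# Assumption: a dump is a 416-character '0'/'1' string indexed by bit address.
YES, NO, UC, FUSE, CFG = "yes", "no", "user code", "fuse", "cfg"

# (block, first bit, last bit, read rule, write rule) from the memory map
MEMORY_MAP = [
    ("Manufacturer code",   0,  15, YES,  NO),
    ("Application ROM",    16,  63, YES,  NO),
    ("User code",          64,  79, FUSE, UC),
    ("Error counter",      80,  83, YES,  YES),
    ("EEPROM #1",          84,  95, YES,  YES),
    ("EEPROM #2",          96, 111, YES,  UC),
    ("F.M. config",       112, 113, YES,  YES),
    ("Frame memory",      114, 319, CFG,  CFG),
    ("Frame code",        320, 351, FUSE, FUSE),
    ("Frame counter",     352, 415, YES,  YES),
]
# (bit 112, bit 113) -> (memory mode, read rule, write rule)
FRAME_MODES = {
    (0, 0): ("Secret ROM", YES, NO),  (0, 1): ("R.O.M.", YES, NO),
    (1, 0): ("Secret PROM", UC, UC),  (1, 1): ("P.R.O.M.", UC, UC),
}

def frame_mode(dump):
    """Decode the frame memory configuration bits of a dump."""
    return FRAME_MODES[(int(dump[112]), int(dump[113]))]

def allowed(dump, addr, op, fuse_blown, user_code_ok):
    """True if the tables permit op ('read' or 'write') on bit addr."""
    if len(dump) != 416 or op not in ("read", "write"):
        raise ValueError("need a 416-bit dump and op 'read' or 'write'")
    for _, lo, hi, read_rule, write_rule in MEMORY_MAP:
        if lo <= addr <= hi:
            break
    else:
        raise ValueError("address outside 0-415")
    rule = read_rule if op == "read" else write_rule
    if rule == CFG:  # frame memory follows the configuration bits
        _, read_rule, write_rule = frame_mode(dump)
        rule = read_rule if op == "read" else write_rule
    return {YES: True, NO: False, UC: user_code_ok,
            FUSE: not fuse_blown}[rule]

def readable_without_code(dump, fuse_blown):
    """Blocks a reader can dump from an issued card with no code entered."""
    return [name for name, lo, *_ in MEMORY_MAP
            if allowed(dump, lo, "read", fuse_blown, user_code_ok=False)]

# Constructed sample: all-zero card except config bits 112,113 = 1,0
SAMPLE = "0" * 112 + "10" + "0" * 302
```

  Calling readable_without_code() on a dump shows which blocks an issued card
exposes to any reader, which is the set an application designer should treat
as public.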

  The first 16-bit block is for the Manufacturer Code.  The following 48-bit
block is called Application ROM, containing another code (Manufacturer sub
code or info, serial number, sub-type of card, etc).

  The User Code is the access code (PIN) used to read/write/erase memory.
This code can be modified provided that the fuse has not been fused, while
the error counter value can be modified even if the fuse has been fused...

  Please note that access to memory is blocked after four incorrect access
attempts (checked by the counter).  The same applies to the Frame Code and
the Frame [error] Counter (note that the number of incorrect accesses is
limited to three attempts instead of four).

  Finally, the Frame Memory is generally used for storing personal user
information or the credit limit (money that can be withdrawn in a bank
transaction, or the remaining "virtual" credit that a prepaid cellular card
contains).


 The Pin-out
 ~~~~~~~~~~~
  This is the Siemens SLE4404 pin-out (N.C. stands for Not Connected):

+-------+-------------------+
|  C 1  |    C  5           |    Contact  Pin   Info
|       |                   |
+-------+           +-------+       1      6    Vcc +5V
|  C 2  |           |  C 6  |       2      5    Reset
|       |           |       |       3      4    Clock
+-------+           +-------+       4      3    Test input - N.C.
|  C 3  |           |  C 7  |       5      8    Ground
|       |           |       |       6      7    N.C.
+-------+           +-------+       7      1    Bi-directional I/O data line
|  C 4  |           |  C 8  |       8      2    Control input (data change)
|       |           |       |
+-------+-----------+-------+


--[ EOF ]
