This is an addition to Stephane Bausson's technical data file.

How to read the response from Eurochip SLE4436 and SLE 5533 chips.

                          5V ->   ____   <- more than 1uS
                                 |    |
Pulse CLK means:  CLK pin 0V_____|    |______

                          5V ->   ____   <- more than 5uS
                                 |    |
Pulse RST means:  RST pin 0V_____|    |______

                          5V -> ______________   <- more than 5uS
                               |              |
Make ATR means:   RST pin 0V___|              |_____

                          5V ->     _____   <- more than 1uS
                                   |     |
                  CLK pin 0V_______|     |___________

                          5V---\ /-----------\ /--------
                   previous bit X current bit X next bit
Set (x)BIT means: I/O pin 0V___/ \___________/ \________

Now the algorithm for reading the response:

1. Make ATR
2. Pulse CLK 110 times (so that bit 6 (numbered 0 to 7) of byte 13 (numbered 0 to 15) is on the I/O pin)
3. Pulse RST
4. Pulse CLK
5. Wait 10 uS
6. Pulse CLK 177 times
7. Set (first)BIT from challenge
8. Pulse CLK
9. Repeat step 7 and step 8 with the (second, third, ... 48-th) bit of the challenge. (The challenge is 6 RANDOM bytes issued by the phone's SAM.) When you have sent the last, 48-th bit, go to step 10.
10. Pulse CLK 160 times
11. Read I/O pin (at this moment you have the first (or each next) bit of the card response on the I/O pin)
12. Repeat step 10 and step 11 until the last, 16-th bit is read.

If you continue clocking, the card restores its normal condition.

How to distinguish SLE 4436 from SLE 5533 chips -> On step 2 pulse 111 times to access bit 7 of byte 13. If you read a response, the chip is a 5533; if not, the chip is a 4436. Remember, there are different algorithms for the 6-th and 7-th bit, and you will read different responses with the same challenge.

How the phone works:

When a card is inserted into the slot, the phone reads the card two times from address 0 to 15. The phone's SAM then calculates the first (and second?) authentication keys from the serial number. This is the time when you wait for the phone to recognize the card. It takes 3..4 seconds. Then the phone sends a random challenge and reads the response from the card.
Now the SAM computes its own response from the serial number, authentication keys and units counter. The two responses are compared and if they are equal then the SAM declares "YES this is a valid card", if not.... After every unit used from the card, the phone repeats the same procedure except for the calculation of the authentication keys.

Warning: The response from all Eurochip cards is read the same way, BUT EVERY ISSUER MAY HAVE A DIFFERENT ALGORITHM FOR CALCULATION OF THE 16 BIT RESPONSE!!! Each operator may have a different SAM, but a phone can contain many SAMs. For example, Intracom phones have 5 slots for SAMs and can read cards from 5 different operators. For example, Gemplus cards are different from Schlumberger cards.

Now I don't know how the card calculates the response. What I know is that every card has its own authentication keys that cannot be read. The unit counter, authentication keys and serial number (maybe?) are used in the algorithm to produce the 16 bit response. The algorithm is fully hardware based and uses a 48 bit moving register and only XOR or NXOR logic cells. The card also has three counters (9 bit, 6 bit and 5 bit) with unknown function.
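
The read sequence in steps 1-12, written out as an added example (not part of the original text): it builds the ordered pin operations for one challenge and runs them against a mock card, so the clock counts and framing can be checked without hardware. The operation names, the MSB-first bit order and the mock card's 16 bit value are assumptions made for this example; the real response algorithm is not modelled.

```python
# Added example: steps 1-12 as a pin-operation schedule, run against a mock card.
# Assumptions (not from the page): challenge bits are sent MSB-first, response
# bits arrive MSB-first, and MockCard's 16-bit value is constructed sample data.

def challenge_bits(challenge: bytes):
    """Yield the 48 challenge bits, most significant bit of each byte first."""
    for byte in challenge:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def build_schedule(challenge: bytes, step2_clocks: int = 110):
    """Return the ordered pin operations for one challenge/response read."""
    if len(challenge) != 6:
        raise ValueError("challenge must be exactly 6 bytes (48 bits)")
    if step2_clocks not in (110, 111):
        raise ValueError("step 2 uses 110 (bit 6) or 111 (bit 7) clocks")
    ops = [("ATR",)]                                  # step 1
    ops += [("CLK",)] * step2_clocks                  # step 2
    ops += [("RST",), ("CLK",), ("WAIT_US", 10)]      # steps 3-5
    ops += [("CLK",)] * 177                           # step 6
    for bit in challenge_bits(challenge):             # steps 7-9
        ops += [("SET_IO", bit), ("CLK",)]
    for _ in range(16):                               # steps 10-12
        ops += [("CLK",)] * 160 + [("READ_IO",)]
    return ops

class MockCard:
    """Stand-in for the card: counts clocks, replays a constructed response."""
    def __init__(self, response: int):
        self.response, self.clocks, self.reads, self.seen = response, 0, 0, []
    def apply(self, op):
        if op[0] == "CLK":
            self.clocks += 1
        elif op[0] == "SET_IO":
            self.seen.append(op[1])       # record challenge bits as received
        elif op[0] == "READ_IO":
            self.reads += 1
            return (self.response >> (16 - self.reads)) & 1
        return None

def run(ops, card) -> int:
    """Execute the schedule and assemble the 16 response bits into an integer."""
    value = 0
    for op in ops:
        bit = card.apply(op)
        if op[0] == "READ_IO":
            value = (value << 1) | bit
    return value

if __name__ == "__main__":
    card = MockCard(0xA5C3)                           # constructed sample response
    print(hex(run(build_schedule(bytes.fromhex("0123456789ab")), card)), card.clocks)
```

With 110 clocks in step 2, one full read is 110 + 1 + 177 + 48 + 16 x 160 = 2896 CLK pulses.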