Teardown & Reverse Engineering: Smart Card Reader (Images)

Recently a (quite wasteful) tax metering system upgrade generated loads of e-waste and a good source of dumpster diving. I scored a set of such tax metering hardware for PCs. I got the disused boards and peripherals, but not the computer itself.

I decided to check how much of the disused system I can repurpose and reuse in my own designs.

Insides of the card reader.

The system consists of a PCI card and a smart card reader. The system tracks every invoice the company issues and collects taxes based on that. Issuing invoices without such a system is a criminal offense.

PCI card part hunt

Benchmarq bq3287MT RAMified RTC chip.

The PCI card is full of ASICs, so it is only good for scrapping parts. I demolished the board using a hot air gun and took all its reusable and valuable parts: a Benchmarq bq3287MT DS1287-compatible RAMified RTC in a DIP-24 package (quite hard to find now, and quite expensive too), a Texas Instruments SN74LS244 octal line buffer and driver (the missing “74” prefix is confirmed by a quick visit to the logic tester on my TL866CS programmer), a Dallas DS1233 detector and several 10 microfarad tantalum electrolytic capacitors.

I was a bit reluctant to scrap the bq3287 because its package is difficult to handle, and it does have a 10-year shelf life because of its internal battery. I scrapped it anyway.

Card reader teardown

The old smart card reader. It had seen more than 10 years of use.

The smart card reader, however, seemed reusable. I decided to reverse engineer it to figure out how it is connected to a computer.

According to online forums, this card reader, despite using a standard DE-9 connector, does not use the RS-232 pinout. No damage was reported when it was connected to an RS-232 port, though.

This prompted me to reverse engineer this connector’s pinout. Nothing can be inferred from the PCI board since, apart from a few power pins, all pins go to the ASIC. So I had to take the card reader itself apart to figure things out.

The card reader as I took it apart.

The card reader itself is held together by two screws at the bottom, with no “warranty void if removed” label found (and this 10-year-old device wouldn’t be under warranty anyway). A quick unscrewing and we’re in like Flynn.

To my surprise, the construction is very simple. The chip, after a careful read of its markings, is a Texas Instruments SN74HC04 hex inverter, not some pesky ASIC that would put the board beyond hacking. The construction quality is superior, with an obviously very durable board and finish. However, the lack of a ground fill made me frown a little: would RF be a problem? (It turned out that the lack of a ground fill helped me in reversing it.)

Card reader reverse engineering

The lack of an ASIC means the board is easily hackable, but the non-standard pinout means reverse engineering has to be done before any hacking can commence. So without further ado, I took my time and reversed the board.

Reverse engineered schematic of the JK300 smart card reader.

The cable simply maps the DE-9 pins to the correspondingly numbered SIL pins in this schematic, so that will not bother us.

The power comes in on DE-9 pin 1, probably 12V. There is a bunch of circuitry before the 5V regulator to allow it to be turned off when not in use, and the card insertion detection switch also joins this mess. PNP transistor T1 is the pass transistor switching power to the rest of the circuitry. NPN transistor T2 switches T1’s base voltage between Vin (off) and 1/2 Vin (on). Switch S1 is the card detection switch; its connection is broken when a card is present.

The circuitry before the base of T2 is a bit confusing to me. When this card reader was in use, the red LED was always on when the computer was on, and the green one only lit up when a card was present. Based on this, here is my theory on how this circuit works. DE-9 pin 2 is held at 5V and pin 9 is used as a card detect pin. When no card is present it is held high, but when a card is present it is pulled low by resistor R10. The rest of the circuitry, when no card is present, is turned off by pulling DE-9 pin 3 low, and this pull is released when a card is present. If I were hacking this board I would remove R12, which could be problematic for my CMOS driver circuitry. Diode D1 can only be explained as a hack to resolve signal undershoot from the PCI board.

The card is a standard 5V smart card with 5V Vpp, following at least the ISO 7816 pinout.

The entire lower half of the ‘HC04 is used to construct a clock oscillator. Two inverters are biased into their linear region by resistors R4 and R5, capacitively coupled, and have a crystal across them in the positive feedback path. The signal is tapped off and further amplified into a logic-level clock signal by another inverter. This is not a commonly seen construction for a CMOS crystal oscillator.

It is brilliant to see how they used R6 and D2, together with another gate from the chip, to turn a push-pull output of the ‘HC04 into an open-drain I/O pin.

Here is the pinout of this module if you are using it unmodified to interface ISO 7816 cards:

Pin 1: 9-12V
Pin 2: 5V
Pin 3: SHDN# (internal pull-up)
Pin 4: GND
Pin 5: TXD (internal pull-up)
Pin 6: GND
Pin 7: RXD
Pin 8: RESET# (internal pull-up)
Pin 9: Card Detect
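Once the card is clocked and RESET# is released, the first thing to appear on RXD is the ISO 7816-3 Answer To Reset. As an added example (not part of the original post), this Python decoder pulls the bit convention, the Fi/Di timing parameters, the offered protocols and the historical bytes out of a captured ATR, checks the TCK byte, and converts Fi/Di into a UART baud rate for an assumed card clock; the clock frequency and the sample ATRs in the comments are constructed, since this reader's crystal value is not given above.

```python
# ISO 7816-3 ATR (Answer To Reset) decoder for bytes captured on this reader's RXD pin.
# Added example, not from the original post. Assumes a plain UART capture (8 data bits,
# even parity, LSB first) and a card clock frequency that is a guess, not a measurement.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

def to_direct(b):
    """Map a byte sent in inverse convention (MSB first, inverted) to its logical value."""
    return int(f"{(~b) & 0xFF:08b}"[::-1], 2)

def parse_atr(raw):
    """Return convention, Fi/Di, offered protocols, historical bytes and TCK status."""
    if raw[0] == 0x03:        # inverse-convention TS as seen by a direct-convention UART
        data = bytes(to_direct(b) for b in raw)
    elif raw[0] == 0x3B:
        data = bytes(raw)
    else:
        raise ValueError(f"bad TS byte {raw[0]:#04x}")
    t0 = data[1]
    fi, di, protocols = 372, 1, []        # defaults when TA1 is absent
    y, i, first = t0 >> 4, 2, True
    while y:                              # walk TA(i)/TB(i)/TC(i)/TD(i) for each i
        if y & 1:
            if first:                     # TA1 carries the FI and DI indices
                fi = FI_TABLE.get(data[i] >> 4, 372)
                di = DI_TABLE.get(data[i] & 0x0F, 1)
            i += 1
        i += bool(y & 2) + bool(y & 4)    # TB and TC are not needed here
        if y & 8:                         # TD: protocol in low nibble, next Y in high
            protocols.append(data[i] & 0x0F)
            y = data[i] >> 4
            i += 1
        else:
            y = 0
        first = False
    hist = data[i:i + (t0 & 0x0F)]
    i += t0 & 0x0F
    tck_ok = None                         # TCK is only present if a T != 0 is offered
    if any(p != 0 for p in protocols):
        xor = 0
        for b in data[1:i + 1]:           # T0 .. TCK must XOR to zero
            xor ^= b
        tck_ok = xor == 0
    return {"convention": "inverse" if data[0] == 0x3F else "direct", "Fi": fi, "Di": di,
            "protocols": protocols or [0], "historical": hist, "tck_ok": tck_ok}

def baud_rate(fi, di, clock_hz):
    """One etu is Fi/Di card clock periods, so the UART bit rate is clock * Di / Fi."""
    return clock_hz * di / fi
```

A capture whose first byte reads 0x03 instead of 0x3B is an inverse-convention card; the decoder undoes that before parsing, so the same code serves both conventions.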

Hope this proves useful to you. Maybe I will get rid of this old board and construct a new one of the same size, but with a USB connection and a proper ISO 7816 smart card interface chip? Hmm…
