This page was copied from Duwgati's site with his permission: http://www.duwgati.com
Enjoy, Bill & the funFiles Team.
The Spanish Picc2rd team has made some exciting progress in the further deciphering of the Seca coding system. On their Web Site they now offer several utilities that enable you to create a MOSC compatible card, using a Silver card. The MOSC emulation is so good that all MOSC editing software thinks your Silver card is a real MOSC card. And what's even better, your CAM does too.
This is a very useful set of tools for those who want to create a backup of their original MOSC card. But it's also very useful for those who just want to learn about MKFind but don't want to put their original card at risk. With the use of Moscas11 you will be able to generate a version 40 type card.
If you experience any problems with MatrixStudio, should try this alternative solution.
Want to do a key extraction from a clone, you should read this, else continue reading.
Having problems editing your PBM, read this.
This is the software you will need (download it from the download section if needed):
- ICprog (or other software to program the PIC 16F876).
- MKFind (I did not test other software for this procedure).
- MOSC_cloning.zip (it contains the MoscAS11.hex on which this tested procedure was based).
- MatrixStudio (You will need the Matrix Studio DLLs too if you have never installed Matrixstudio before).
This is the hardware you will need:
- A Silvercard or Piccard-II with PIC 16F876.
- A programmer capable of programming the PIC 16F876 (Ludi compatible programmer).
- A 3.58 MHz Phoenix compatible interface.
To start with, install the software where needed.
Start with extracting all relevant information from your card, using MKFind.
You will need all keys, Card Serial, System Key, well... just about every variable that's on your MOSC.
Connect your programmer in order to start programming the 16F876 on the Silvercard.
Configure the device (16F876) and load the file Moscas11.hex.
You may also use the modified version: Duwgati Moscas11 pic.hex or any later version MoscASxx.hex.
Before you start programming, it is always a good custom to erase the card. Just to be sure.
So, first erase the card and then start the programming.
When the programming of the PIC has completed, quit ICprog.
Connect your Phoenix interface and make sure it is in 3.58 MHz mode.
Start MKFind and press connect.
This screen shot down here shows what your screen should look like.
You'll notice that apart from the Seca provider 00 there are no other providers on the card.
Well, let's change that.
Press Settings and check if your System Key is "00 00 00 00 00 00 00 00".
If not, then edit it now and press Check Key.
Don't bother about any error messages you might get at this point..
Now click Providers.
From the Ident menu, you can choose the provider you want to add.
Notice that the name appears in the Name field.
Use your mouse to mark the name and copy it to the clip board (CTRL-C).
Now press the Add New Provider button.
In the menu column you see a new provider, but with a very strange name, not the one you chose.
See the screenshot below.
Now click on that name in the menu column.
In the next screen, paste your clip boards content over the Provider Name field (CTRL-V).
Tick the box in front of "Provider Name".
Type in the PPUA from your original card in the appropriate field.
Tick the box in front of "PPUA".
Press Modify Selected.
Now your provider (in this case Canal + France) is added to your card.
Repeat this procedure for all the providers that are on your original card.
When you have added them all, you will need to edit the Management Keys for all added providers.
The MKF pages explain all about this procedure.
If you are (like I am) a real perfectionist, you will probably want your card to have the same Card Serial number and the same System Key as the original MOSC card has. Well, this is how that's done.
Let start with the System Key.
Go to the Setting screen.
Fill in the original System Key.
Press the Check Key button.
You will see a popup window, confronting you with an error.
Just ignore this message as it is an indication that the key is updated correctly. Because with the new key written to the card, the system key no longer allows certain changes be made to the card, this error tells you the procedure was successful )
OK, now we only need to update the Card Serial (also called UA or Unique Address) and then we have a nice MOSC clone.
Remember, this only works for MoscAS 1.1 files, not for 1.23 files.
Quit MKFind and start MatrixStudio.
Leave your Phoenix interface connected. Do not change anything.
Also leave your card in the programmer.
From the menu column on the left, you choose Mini MOSC.
Then in the right upper corner press Get CARD Info.
Notice the bottom part of your screen getting filled with data.
Now press Change SN.
Depending on the version of MatrixStudio you are working with, you might see the Ins field getting filled with a Seca Instruction (called INS).
If not, the last line in the bottom window, will show the instruction (see the blue marked part).
Just copy & paste it from there to the Instruction line.
The last 4 bytes of the INS contain the Card Serial ( 44 33 22 11 in this sample).
Edit these 4 bytes to the same Card Serial of your MOSC.
Then press Send INS.
Now a Seca Instruction is sent to the card. The Instruction forces a new Serial number to the card.
As you can see, the INS 0C is used to do that.
And you may also notice that the Card Serial is part of the Seca provider 00 00.
The Seca page in the chapter Code Systems gives more info on Seca Instructions.
The line marked blue in the below screen shot, shows the answer string from the card. As you can see it ends with 90 00. That is also part of the Seca INS convention. If the answer ends with 90 00 then the INS was executed successfully.
I have found that sometimes you'll not get 90 00, but another value. I have found that you will sometimes get a 6D 00 reply. This means: "Instruction not supported/valid or Instruction protected". I don't know why that is, but if it happens to you too, just read here how you can get around this.
Did you get the 90 00 reply?? Well then, congratulations, you have just created a fully functional clone of your MOSC.
Now you may put your original card in a Safe, so nothing can happen to it.
Isn't that just great stuff )
Known problems with the PBM:
Some versions of MoscAS come with the PBM locked.
You should unlock the PBM first, otherwise you cannot edit it.
Key extraction from a clone:
But wait. There is something you should know.
As the clone is not a real MOSC, it behaves a bit different with some MKF functions.
For instance, the extraction of the card records will not work as with a MOSC.
To read the data from your clone, do the following:
1. Start MKFind 4.3
3. Now select "Settings"
4. Press "Extract Key" (your System Key field will turn blank)
5. Select "Card Records"
6. Press "Get Records"
Now you see the real keys as they are on your card.
But, as you can see, each line contains 12 bytes.
The real key consists of bytes 2 through 9 only, all the rest is has nothing to do with the key.