Respironics Smart Card

jskinner
Posts: 1475
Joined: Sat Aug 26, 2006 9:21 pm
Location: Greenwich, Nova Scotia, Canada

Respironics Smart Card

Post by jskinner » Mon Jun 11, 2007 12:50 am

Just thought I would let everyone know that I have done a bit of exploration tonight (morning) and have confirmed that the Respironics Smart card is indeed using the Microsoft Smartcard API.

It's now very unclear why there are two versions of the driver for the DT3500. It may be something as simple as some configuration of EP done in the installer and that the actual driver is the same? Has anyone checked the two different drivers (2800.sys) to see if they are the same size?

If you would like to poke around at the card yourself you can use the following tool (Smart Card ToolSet PRO):

http://www.scardsoft.com/main.php3?Theme=Soft_v3Server

Encore Pro Analyzer Author
Facebook Apnea Group

dsm
Posts: 6996
Joined: Mon Jun 20, 2005 6:53 am
Location: Near the coast.

Post by dsm » Mon Jun 11, 2007 2:45 am

James,

Thanks for the update & 10 points for your on-going efforts.
Many of us really appreciate your work & willingness to share it.

Would love to have done this myself but time just isn't there


DSM
xPAP and Quattro std mask (plus a pad-a-cheek anti-leak strap)

tomjax
Posts: 1093
Joined: Mon Feb 14, 2005 1:20 am

scard

Post by tomjax » Mon Jun 11, 2007 6:26 am

JSkinner-

check your pm-

i sent you one about sc detection and driver..

cannot get mine to work although it was working.


tks
tom

jskinner
Posts: 1475
Joined: Sat Aug 26, 2006 9:21 pm
Location: Greenwich, Nova Scotia, Canada

Post by jskinner » Wed Jun 13, 2007 8:51 pm

A word of caution for anyone messing around with their smartcard, it's pretty easy to mess up your smartcard if you don't know what you're doing:

Image

Anyone know how to recover from this error... EP is unable to erase the card.



Cheers, -James
Encore Pro Analyzer Author
Facebook Apnea Group

Snoredog
Posts: 6399
Joined: Sun Mar 19, 2006 5:09 pm

Post by Snoredog » Wed Jun 13, 2007 10:01 pm

jskinner wrote:A word of caution for anyone messing around with their smartcard, it's pretty easy to mess up your smartcard if you don't know what you're doing:

Image

Anyone know how to recover from this error... EP is unable to erase the card.



Cheers, -James
I wouldn't throw the card away, it is recoverable. I had one do that on me once using the Mako generic utility that talks to the card. I took it to my other computer with the serial card reader and set it up and it worked fine again afterward. If you don't get the encrypted "key" to access the card data it will display that error.

While it may use the Microsoft SmartCard API's and services, there is a key encrypted to access the card. The Respironics 2800.sys driver IS different from the mako version. They are different because one driver has the keys embedded in it and the other doesn't. If you get Mako's development kit, you get the same ability to burn a key to your driver. They are different which is why they include it on the CD-Rom. You should be able to compare the 2800.sys driver from Mako's site to the one on the CD, can't recall exactly the difference but I think it was small, a 48 byte difference or something. If you by chance happen to have the old DOS version of PCTools from the mid 80's, you may be able to disassemble the code and see the difference. Or just use debug.

If you go to mako-tech.com, they will even tell you that you have to use their driver due to that encryption key. The question is once you hack that key is the data contained also encrypted. I say no, it is what populates the SQL database. The machine also has the "key", when you insert a valid key during Setup of the card it embeds that encrypted key. When those two keys "match" (one on card and one in firmware on machine) does the machine "beep" where it displays the icon on the display and can "write" data to the card. This is why you need a scope, you can tag on to the serial data port of the smart card module, read the raw data or what is being written to the card by the machine and you have the family jewels. Once you have that key, you can embed it in your own mako generic driver and read and write to those cards all day long. What you should see in the memory addresses on that card is all the data dumped to the SQL database. Part of that data from the card identifies the type of machine it is which selects which template from the MSQL templates to use.

Pssst: maybe you can send that card to sleepyred and she can erase it for you as she now owns my old card reader. On that PC where I had that reader, it once had EncorePro version 1.24 installed. I'm sure when they upgraded these they have to make them somewhat backwards compatible, meaning a card once setup on version 1.24 has to be able to be read if you are using version 1.57 or 1.6 or 1.8. My guess is that access key is probably the same across the board to access the card only, only the data addresses may have changed.

http://www.mako-tech.com/support/

someday science will catch up to what I'm saying...

mhacker
Posts: 95
Joined: Wed May 23, 2007 12:28 pm

Post by mhacker » Wed Jun 13, 2007 10:46 pm

Eek, did not know anyone even remembered CP software. I did a lot of hex and disc writes with that. My favorite is sourcer with a hardware ICE but I digress.

You can copy the card to another. Does not prove much other than the card is readable/writable. The real pisser is that the serial number for the xPAP is part of the "key". Not independently confirmed but I trust the hacker on it. That could be hard to bypass but a generic s/n could be embedded into the xPAP but that is more research....

open source, open source
Push down
Pop up
byte, byte, byte

/i need to get a life
Keep a song in your heart......it's like karaoke for the voices in your head

jskinner
Posts: 1475
Joined: Sat Aug 26, 2006 9:21 pm
Location: Greenwich, Nova Scotia, Canada

Post by jskinner » Thu Jun 14, 2007 1:32 am

Snoredog wrote:While it may use the Microsoft SmartCard API's and services, there is a key encrypted to access the card.
Yes, it's likely there is a key to decrypt the data on the card but my research leads me to believe that it's not located in the driver. This evening I took the driver included on version 1.8 of Encore Pro and the one from Mako site and compared them. They are both version 1.0.1.4 of the driver and are both 39,488 bytes in size. A byte by byte comparison of the two files shows they are identical.

The 2800.sys driver is a Microsoft SmartCard Device Driver. Examining the driver with Dependency Walker reveals that it interacts with three other modules: the kernel for basic OS services, the USB driver, and the Microsoft Smartcard driver library. There are no exported interfaces in the driver so programs can't access the driver directly. (It very likely runs in kernel space so that wouldn't be possible anyway.)

Image

The fact that they have packaged the driver in two separate ways previously is odd. My guess is that the EP specific one does some EP configuration so that EP knows the driver is installed. Interestingly in EP 1.8 this special packaging appears to have gone away.
Snoredog wrote:the Respironics 2800.sys driver IS different from the mako version. They are different because one driver has the keys embedded in it and the other doesn't. If you get Mako's development kit, you get the same ability to burn a key to your driver.
I can't seem to find reference to a Mako development kit on their web site. Do I have to email them for something to request it?
Snoredog wrote:They are different which is why they include it on the CD-Rom. You should be able to compare the 2800.sys driver from Mako's site to the one on the CD, can't recall exactly the difference but I think it was small, a 48 byte difference or something.
This may have been true for older versions of EP but at least in 1.8 it does not appear to be true. The drivers are identical.
Snoredog wrote:If you go to mako-tech.com, they will even tell you that you have to use their driver due to that encryption key.
I must be blind tonight, I can't find that on their site. Can you point me to it?
Snoredog wrote:The question is once you hack that key is the data contained also encrypted. I say no, it is what populates the SQL database.
If you use the Respironics SmartCard Data Reader 1.0 Tool you can get an idea of what the data looks like when it comes off the card. It's basically a 32k binary blob of data. I can only assume that this utility decrypts the data before dumping it as I can easily find my name and CPAP serial number in the dump. (Or maybe only part of it is encrypted.)

(Interestingly I can dump the card that is no longer working no problem, so maybe the data isn't decrypted using that utility after all.)

Encore Pro would have to then decode that binary blob before storing it in SQL.
Snoredog wrote:The machine also has the "key", when you insert a valid key during Setup of the card it embeds that encrypted key. When those two keys "match" (one on card and one in firmware on machine) does the machine "beep" where it displays the icon on the display and can "write" data to the card. This is why you need a scope, you can tag on to the serial data port of the smart card module, read the raw data or what is being written to the card by the machine and you have the family jewels.


Agreed. Assuming of course a symmetric encryption is being used. However smartcards are often used for asymmetric encryption so it's possible that even getting the write key wouldn't help.
Snoredog wrote:Once you have that key, you can embed it in your own mako generic driver and read and write to those cards all day long.
Actually from what I can tell at this point you could use the existing driver. If you had the key you could just use it with the standard Microsoft Smartcard API to read and write to the card. Of course getting that key could be considered violating the DMCA.
Snoredog wrote:What you should see in the memory addresses on that card is all the data dumped to the SQL database.
Yep, same data but in very different format. The data on the card is a binary blob packed into 32k, it has to be decoded to meaningful data when stored in the DB tables.
Snoredog wrote:Part of that data from the card identifies the type of machine it is which selects which template from the MSQL templates to use.
Yes, based on the model number EP would know how to decode that binary blob. I don't see any templates in the DB though for this... My guess is that it's just code in EP that does the decoding and then dumps the data into the tables (in a messy way).

Last edited by jskinner on Thu Jun 14, 2007 2:08 am, edited 1 time in total.
Encore Pro Analyzer Author
Facebook Apnea Group

Snoredog
Posts: 6399
Joined: Sun Mar 19, 2006 5:09 pm

Post by Snoredog » Thu Jun 14, 2007 1:56 am

I forgot about dependency walker, that is a great little util for comparing. I know mine didn't work no matter what driver I downloaded, it wasn't until I obtained the 2800.sys driver off the CD-Rom did it work.

Wonder if the unlock key is right out in the open and contained in the SQL database?

Can't you enable the SQL debug logs and see what it does when it talks to the card in real time?

Maybe it will reveal it. Those look like the commands you need to talk to the card, I got the specs on that card somewhere.
someday science will catch up to what I'm saying...

Guest

Interesting stuff

Post by Guest » Fri Jun 15, 2007 1:37 pm

Hello,
This is very interesting stuff. I don't have a CPAP yet but will be going through this whole process soon.

Hope you don't mind if I ask a few questions.

Do most data enabled machines allow you to download data to your pc? Is it only the Smart card machines that allow this?

I notice that you are talking about a SQL Server database. I am assuming that this database is populated with the software package that you can get with Respironics CPAP? Is it Encore Pro?

What part actually does the decode of the data? Is there a special Smart card reader that can be purchased? The talk of keys and encryption make me wonder where the translation is happening.

How hard is it getting access to the SQL Server instance? What version do they install? 2005? 2000?

Is the database laid out well?

The reason I ask these things is I love playing with data. It would be fun to write some software to do my own analysis on any sort of data provided.

What I am gathering from your conversation here is that the current process is the CPAP records all its data to a Smartcard. The user takes the smartcard out of the CPAP and places it into a reader connected to the PC. Does the smartcard reader come with the machine? Is a special reader required? Continuing, once the smartcard is placed in a reader on the pc, then the software is responsible for gathering the data and storing it.

Is the software Encore Pro software tied to the Respironics machines or can it be used with CPAPs from other manufacturers? If it's produced by a company that is not tied to Respironics, how might they know the key needed to access the data?

If I am going to be using a CPAP, I might as well get one that I can have a little fun with. Look for trends and data that might correlate to different experiences that I come across. Do some things like that. I am sure other software does that already but I am always looking for some new programming project to play with.

-Steve


oceanpearl
Posts: 650
Joined: Mon Oct 31, 2005 4:21 pm
Location: Virginia Beach, Va

Post by oceanpearl » Fri Jun 15, 2007 1:49 pm

I see said the blindman>
I just want to go back to sleep!

jskinner
Posts: 1475
Joined: Sat Aug 26, 2006 9:21 pm
Location: Greenwich, Nova Scotia, Canada

Re: Interesting stuff

Post by jskinner » Fri Jun 15, 2007 10:33 pm

Anonymous wrote:I notice that you are talking about a SQL Server database. I am assuming that this database is populated with the software package that you can get with Respironics CPAP? Is it Encore Pro?
Yes.
Anonymous wrote:What part actually does the decode of the data?
Encryption/decryption is done by the Smartcard. Decode is done by Encore Pro.
Anonymous wrote:Is there a special Smart card reader that can be purchased?
Yes you can buy it here:

http://two-factor.com/shop/index.php?productID=115
Anonymous wrote:The talk of keys and encryption make me wonder where the translation is happening.
In the smartcard.
Anonymous wrote:How hard is it getting access to the SQL Server instance?
It's very straightforward if you are familiar with SQL.
Anonymous wrote:What version do they install? 2005? 2000?
Depends on the version of Encore Pro. 1.8 uses 2005.
Anonymous wrote:Is the database laid out well?
No, it's pretty bad. It has evolved with the addition of machines and version of Encore. Multiple tables to do the same thing depending on version or machine. Most university graduates could design something better.
Anonymous wrote: What I am gathering from your conversation here is that the current process is the CPAP records all its data to a Smartcard. The user takes the smartcard out of the CPAP and places it into a reader connected to the PC.
Correct.

Anonymous wrote:Does the smartcard reader come with the machine? Is a special reader required?
You have to buy it separate and you must get the one noted above (DT3500)
Anonymous wrote:Continuing, once the smartcard is placed in a reader on the pc, then the software is responsible for gathering the data and storing it.
Correct.
Anonymous wrote:Is the software Encore Pro software tied to the Respironics machines or can it be used with CPAPs from other manufacturers.
Works only with Respironics machines.

Encore Pro Analyzer Author
Facebook Apnea Group

Guest

One more question

Post by Guest » Fri Jun 15, 2007 11:55 pm

One more question,

The data coming out of the DTS3500 is encoded. You mention a binary blob. As of right now, is there a way, other than using the Encore Pro software, to get useable information out of the data being provided by the smart card.

On the database side, I am assuming there is a login and username for the database? Does the database installed use the standard default sa password?

The more I think about it, I don't think I will be buying the software as it's rather expensive so the only option I would have is trying to understand the data that can be read from the smart card. Sounds like that might not be possible right now without the Encore Pro software. That's a bummer.

Perhaps I will research other CPAP options and see if I can find something that provides a decent amount of data to play with without trying to determine how a bunch of binary data is encoded.


Bonnie
Posts: 575
Joined: Sat Oct 15, 2005 3:21 pm

Post by Bonnie » Sat Jun 16, 2007 9:13 am

Dependency walker?!?! I thought that was a cane..

_________________
Humidifier: S9™ Series H5i™ Heated Humidifier with Climate Control
Additional Comments: Sleepyhead, Aussie heated hose, Pad A Cheek Products
Bonnie

"People who say they slept like a baby apparently never had one"

jskinner
Posts: 1475
Joined: Sat Aug 26, 2006 9:21 pm
Location: Greenwich, Nova Scotia, Canada

Re: One more question

Post by jskinner » Sat Jun 16, 2007 9:23 am

Anonymous wrote:The data coming out of the DTS3500 is encoded. You mention a binary blob. As of right now, is there a way, other than using the Encore Pro software, to get useable information out of the data being provided by the smart card.
Currently you have to have Encore Pro since no one knows the decryption key or the format of the binary blob.
Anonymous wrote: On the database side, I am assuming there is a login and username for the database? Does the database installed use the standard default sa password?
There is an sa account created. What is the typical password?
Encore Pro uses an account called EPUser. I don't know the password to this account. EPA, my program, just uses the current user but this requires that the user running it has admin privileges. I would like to change this as it's annoying, particularly on Vista. Ideally I would like to use the EPUser account but creating a new SQL account say EPAUser would be fine too.
Anonymous wrote: Sounds like that might not be possible right now without the Encore Pro software. That's a bummer.
I don't think anyone has been able to do this yet...

Encore Pro Analyzer Author
Facebook Apnea Group

phil1001
Posts: 40
Joined: Sun Jun 24, 2007 1:09 pm
Location: Kelowna, BC, Canada

smartcard dump

Post by phil1001 » Tue Jun 26, 2007 9:25 pm

Hi There,

I would really appreciate if a few people would run the Respironics SmartCardUtility found in the utilities subdirectory of the EP install.
The default settings will dump a small file to the c:\ directory called EncoreSmartCardData.bin. Hopefully in this file it should show the difference between a partially erased smartcard and a working smartcard. It may also help track down how the settings are stored.

Having used smartcards for several years on bank cards and not having a single error, I believe either the reader or software is flaky and doing a partial write/erase leaving the card in a state which is rejected by EP. I think the SmartCardUtility which has the ability of blindly reading raw data has also the ability of writing raw data and initialising the card back to its default state - we just need to know working card / unused card dump / broken card dump

My smartcard has gone the partially erased route, so if anyone wants my card dump, please PM me with email address.

Thanks
Phil
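
The byte-by-byte comparison of the two 2800.sys files described earlier in the thread, and the working-versus-broken dump comparison requested in the last post, both come down to a binary diff. The script below is an added example, not code from any poster, Respironics or Mako; the sample blobs are constructed and do not reflect the real card layout, and any file paths given on the command line are the reader's own.

```python
"""Binary diff of two files: sizes, SHA-256, and differing byte ranges."""
import hashlib
import sys
from pathlib import Path


def diff_ranges(a: bytes, b: bytes, merge_gap: int = 4):
    """Half-open (start, end) ranges where a and b differ.

    Differences at most merge_gap bytes apart are merged into one range;
    a length mismatch is reported as a final range covering the extra tail.
    """
    ranges, start, last = [], None, None
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] == b[i]:
            continue
        if start is None:
            start = i
        elif i - last > merge_gap:
            ranges.append((start, last + 1))
            start = i
        last = i
    if start is not None:
        ranges.append((start, last + 1))
    if len(a) != len(b):
        ranges.append((common, max(len(a), len(b))))
    return ranges


def compare(a: bytes, b: bytes) -> dict:
    """Size, hash and difference summary for two blobs."""
    return {
        "sizes": (len(a), len(b)),
        "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()),
        "identical": a == b,
        "ranges": diff_ranges(a, b),
    }


def report(a: bytes, b: bytes, context: int = 4):
    """One text line per differing range, with a few bytes of context."""
    out = []
    for start, end in diff_ranges(a, b):
        lo, hi = max(0, start - context), end + context
        out.append(f"0x{start:06x}-0x{end:06x}  A={a[lo:hi].hex()}  B={b[lo:hi].hex()}")
    return out


# Constructed sample: two 32 KiB blobs, NOT the real card layout.
WORKING = bytearray(32 * 1024)
WORKING[0x100:0x110] = bytes(range(16))
BROKEN = bytearray(WORKING)
BROKEN[0x100:0x110] = b"\xff" * 16      # a region overwritten with 0xff
BROKEN[0x2000] ^= 0x01                  # plus one flipped bit elsewhere

if __name__ == "__main__":
    if len(sys.argv) == 3:               # e.g. two dump files or two .sys files
        a, b = (Path(p).read_bytes() for p in sys.argv[1:3])
    else:
        a, b = bytes(WORKING), bytes(BROKEN)
    summary = compare(a, b)
    print(summary["sizes"], "identical" if summary["identical"] else "DIFFERENT")
    print("\n".join(report(a, b)))
```

Matching sizes alone do not show two files are the same; the hash or the empty range list does, and for dumps the reported offsets show where a damaged card departs from a good one.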