goldtouch

Somebody sent me this: http://www.sendspace.com/file/q946y0 They said they saved it earlier on. Thanks!

Wow, almost forgot about this project. Yngdrum, it sounds like you are encountering the same problems I am. Lets hear what you know/have tried. I'll see if I can get that video in the meantime.. shouldn't be too hard.

Congratulations on your research, it looks like it turned out well. :) I have two burning questions on my mind right now: -Did you have to deal with the non-iso compliant C8 pin strangeness that I have complained about? -I'm thinking the the machine authenticates, checks balance, deducts balance, and starts the load.. but doesn't properly check if the balance was deducted so you either cut off communications after the check balance, or possibly just send back a "balance written ok" statement back to the card reader to get this working? Or am I way off? I will be interested to read your writeup. Do you have a link to your blog now, have any other fun hardware projects up? I'll be interested to hear both the effects of posting the video on youtube AND the attention it brings too. Why was this a requirement for your project? Possibly to understand media reactions? Good luck with exams!

VERY interesting video. So lets break down what they did: - If the card's contact pattern and SmartCity labelling are any indication, this is an ESD AT88XXXC series card. likely the AT88SC0404C one. - It looks like they can read it with a standard card reader too.. as they should be able to. I wish that would work for me. I'm assuming they are just running a command to dump the entire (or a portion) of memory in the video. -The uC was programmed with an AVR programmer and has 40 pins. ATMega32s fit that description and are popular too... -They broke out all 8 of the pins and in a rather clever way (even though they all aren't necessary). Still I like it. :) - They used the Saleae USB Logic analyser to read the I/O pin only. You can see in the video that they are monitoring two channels, and if you look even closer, both channels are very similar. That is probably because they are passing them through that uC to monitor/alter for *something* I wish I lived where they are, 1 machine cycle is 1.75 here... and that's a competitive rate in the area. It's absurd.

No progress sofar here, but I do have a hard lesson learned.. don't reverse the card vcc and gnd. Oops! MetalMan, those are interesting pictures. It looks like you have a newer esd card reader module than what the two landromats near my place use. What company are your laundry services under (what does it say on your laundry card)? Do your laundry machines beep? It surprised me to see the buzzer on the white pcb. In regard to the breakout pins in the card reader mechanisim, that's likely just a port they used to program the chip or something similar. Can you read the numbers off the philips chip for me? Speaking of chips, that GDM1202A display should just be a generic part. If you search around enough, you could find out what interface it uses then using a uC make it say something such as "FEED ME A SOCK" Once in the machine, I don't think bypassing the card mechanisim would be too hard either too. I don't see any logic circuitry on that white controller pcb. Is there another one under it? If not, you might be able to use the machine just by identifying what pins from the card reader mechanisim go to where on the pcb board and supplying them with the correct voltages to work the relays.. not 100% positive on this as those current pictures do not reveal too much. Will be interested to hear more about what you have accomplished!

Hope you are feeling better sirloins Thanks for the tip with WinExplorer.. it accomplishes what I have written as a cli app... but likely works way better. :D I picked up version 5.0 I now have a phoenix card programmer/reader here (so I shouldn't have to worry about pullup resistors possibly being the issue on lines now) that I used with WinExplorer and still haven't gotten an ATR. I tried a few settings, but looking over the documentation again 9600 8E1 does seems like the right setup... I'm 99% sure. So frustrating!! Any other thoughts? Thanks for the tips sofar. As for that c8 pin, I did another test, I attached it and gnd to a voltmeter and found it gets at least 2.5V through it... hmm That pin has about 6Mohm resistance between that and ground which slowly climbs the longer you measure the resistance. I think next time I do laundry I will throw in an appropriate resistor between the c8 seasons interface contact line and ground instead of connecting it to the c8 card pin to see what happens. Already I have tried just grounding c8 alone and that did not work. Another observation I have made regards dryers. If you start a load, then plug the card in again, it deducts money from your card and adds individual minutes to the load time. This could be handy for sniffing purposes. What other progress have you made too? Cheers!

Thanks for the info, its always nice to hear others have looked at this. I'm pretty sure the card I have is the AT88SC0404C or in that family. I'm making this assumption from the fact it has the same contact pattern design as what is shown in the spec sheet and the i-cat blog. It's a shame this isn't a cheap pic/avr card like I was hoping for it to be...but hey, now it's fun although frustrating to try and figure out. I still haven't been able to read this card! This is what I have done: -Tried reading with a standard ccid card reader: Nothing, card reader reports it can't power it on or get the atr. -Made my own serial card reader using a ftdi 5v serial-usb chip setup and a 3.579545Mhz crystal + some other components to support the clock. I read a sim card with it so I know it works. When I plug in the laundry card however, I get nothing... or if I do it's a bunch of d7 dd 77 f7 etc bytes. Shouldn't I get an ATR as soon as the card is powered up? I am assuming from the data sheet and iso standard the correct baud rate to communicate with the card is 9600 8e2 with no hardware/software flow control, but that just gives me parity-failing jibberish... so have the other settings I have tried (9600 8e1, 9600 8n1). Do you know for sure what the correct settings are? It's interesting you point out the sniffer too.. I already built and tried using it a while ago.. I made it with an old ID card, gold foil tape, and seasons2 schematic (card reader slot, max232, non-inverting hex buffer +components). The sniffer is how I discovered that c8 pin MUST be connected in order for transactions to occur. The data sheet says nothing about this.. so all I can think is as an extra security via obscurity measure they are checking the resistance between that pin and ground? I sure wish I had a logic analyzer. Oh and for what I sniffed at the laundromat? Jibberish again! I used the same serial config settings as I used for the home made reader. Any more of your thoughts are appreciated. just being able to communicate with this chip would make my day. I already wrote some software to talk to it synchronously that isn't getting nearly the use I hoped it would by now. :)

Will do, currently I'm scrounging around old electronics for parts. I've gotten tired of trying to write my own drivers for this supposedly ccid standard card reader so now I'm making my own communicator (not programmer) It's fairly simple, just a serial port, max232 chip, a few resistors, caps, a crystal and associated components to make a crystal oscillator for the card's clk port. After that the todo list is: -Identify if c8 is really needed by the readers (and why) Putting a piece of scotch tape atop the contacts then carefully using a hobby knife to expose only c1, c2, c3, c5, and c7 can confirm/deny that. -Construct a sniffer to see what commands they are sending across the line.

What you are describing is commonly known as a honeypot. If you search google for that term, I'm sure you will find a few pre-made solutions that suit your needs.

Yes, some cards have built in write protection passwords that once used up will keep the card from being used again. This is one of them according to the documentation. How easy it would be to read the balance off the card depends on how well the system was implemented: -They may have used the space anyone could read/write to so reading the balance wouldn't require knowing security bits. -They may have put the data in a read-only section so reading the balance wouldn't require knowing the security bits. -They could have put the data in an area that cannot be read/written without knowing the password. There are a few ways around the last one, but those bridges will be crossed later. For now a card reader should be setup so the card can be talked to reliably (i.e. read the ATR, send commands and receive data back such as a basic content dump)

ESD makes card equipment for a few laundry companies and SmartCity is one of them. I had only been researching info on ESD, but it would not be a bad idea to search info about the other companies that distribute the equipment for leads. If you look at ESD's card pdfs, they have one page that shows how the cards can be printed with company logos/designs. The SmartCity card is shown so I bet some of the others designs are real cards/companies too. In their software documentation they suggest what card reader they use, but considering the cards are infact standard smart cards, any iso7816 standard reader should work to read/write to the card. Then again, I haven't been able to read the ATR from the card yet, so perhaps I shouldn't say anything. I'll have to tinker with some baud rates and perhaps write my own driver. Thanks for the link, knowing the atr of the card is a big break... now, time to go figure out why c8 is important in the documentation and what's going on with my reader.. and possibly why the card works at all with GND blocked :D

As an alternative to a vpn, you could also use ssh port forwarding and tunnel the remote desktop session over that.

This isn't about theft. If someone was interested in that, they would just buy the ESD DVTM unit. You stick the card in those, hit the 5$ button on it, and that's it. I would tell you the part # for it and where to buy online, but this forum and the reason I post here involve hacking, not stealing. This is about learning how it works, why they did things as they did, then using this information to make useful utilities (it sure would be nice to know what the balance on my card is without having to drive to the cleaners and stick the card in their machines) , and identifying ways the system can be improved (Aka, innovation, are you against that?)

Anybody been working on this more? The cards are wierd and don't seem to follow iso7816 standards.. I can't even get them to reset so I can get an ATR when plugged into a card reader. Using some tape I have discovered only the pins below with *'s are needed to add/subtract/check card balances on the machines. --------------------------------------------------------------- -------------- c1* | c5 -------------- c2* | c6 -------------- c3* | c7* -------------- c4 | c8* -------------- --------------------------------------------------------------- But this doesn't make sense! c5 is supposed to be ground if these are smartcards so I don't know what to think. I wonder what they are using.. i2c or something close? This certainly isnt like theSLE4442 chip like some of you guys think. Dang, it sure would be nice to have a logic analyzer for this... It sure would be nice to have any of these...: -logic analyzer -software that handles cards balances. If you have a serial card reader you could clone the serial interface and sit on it to see how the card is talked to. -Know what chip is used to read the card inside any of the machines that handle transactions. -Know what type of card this actually is. This would help alot! -Any other info you fine folks have scrounged up. PMs to rapidshares are nice.