
Laundry Card hack


chaalbaaz


I too am using an ED money card and have been looking at different ways of editing cloning it. Seems like a good project. Mainly if it can be used to back up my current money card, :P I poured detergent on my card, had 50 bucks on it. The owner of the shop can see the value on his computer, but the machines won't take it, and the owner just says I'm screwed.

After some digging I found sim card software (much more widely developed) might do the trick. Tested 5 of them so far, 3 were able to see the sim card, only 1 would read the contents at all, but no hexdumps, or cloning/backup features.

1st post and I am extremely interested in software that will allow a HEX dump from a smart card (blue arrow). There are forums and posts out there that insist they can do it, but where is the proof. Post a link to software capable of this. To get a reader/writer shouldn't be too hard-but no software. I will keep posting as to any information updates.
Link to comment
Share on other sites

Yea, I have been sitting on this idea for a while now. I still cannot figure out how to HEX dump prior information to re-write a card. Keep me posted with your discoveries as I shall as well.

Link to comment
Share on other sites

  • 3 weeks later...
It means that I can put balance on the card, but I have to decompile the software and change the license number in the software. Every card like this has a license number and a site number. I need to change the license number so it will work with my card. If you can help me with that, I will give you a copy, and everyone else in this forum a copy if they want one. It will read the balance from the card but it will not add to it because the card that is inserted is the wrong license number. I am looking for someone who will be able to do this, and it will free up the software so it will work with any card that is inserted into the reader, putting value on them. The maximum value that the card will hold is $500. I am allowed to put a maximum of $40 on mine so they will not know that it has been hacked. I paid $2500 for this software, if you want to know how much it was. I have the DVTM that goes with it also and all of the setup cards. If you want more information, let me know.

ymmot, upload the extracted software to rapidshare or megaupload; I have a few decompiler tools.

Please PM me your site code so I will know which value to search for.

Link to comment
Share on other sites

  • 5 weeks later...

I have been following this topic for some time and I decided to participate after a break-through. And I really appreciate StarchyPizza's solution: keep it simple--work smarter not harder.

However, my break-through (not so literally) was actually disassembling the protective cover from smartcard reader protective cover to washer/dryer control panel.

So now that I have exposed washer/dryer's wiring I am all excited what makes it tick. And I am in an experimental mood (so don't lecture me about breaking the law--I'm coinless :))

My questions are: there are 4 wires coming from the smartcard reader which connect to another 4 wires with an opaque, square connection type which is made with plastic material and a snap on, I believe. Would I be able to bypass (if this is the right term) by connecting them manually, that is to hot-wire them, together to start the cycle? If so would a Macguyveristic paper clip do the trick? How many wires do I need to connect? Is there a better way? Should I arrange my funeral before I attempt, fearing an electrocution? Do you need photos to determine the precise operation dealing with delicate instruments? I am willing to upload some photos!

Link to comment
Share on other sites

If it connects to a computer it's probably a USB or PS2 connection.

If it connects to anything else, you'll have to figure out which pins are for power (easily done with a multimeter) then use something like an oscilloscope to monitor the data pins. From there you should be able to figure out what the content of the card is. It's unlikely that the card reader obfuscates the data as it is sent down the wire. Now you can see what is on the card!

Link to comment
Share on other sites

If anyone has the software to do a hex dump, please contact me with a link. I have been doing some independent research on this subject and have landed here after a few leads have gone dry.

One person has been able to pick open the control panel that the person above was talking about. Here are the images of what they're saying:

IMG_1362.jpg

The smart card reader is at the very bottom slot

IMG_1360.jpg

The inside of the panel. The bottom right red corner is where the smart card reader is.

IMG_1359.jpg

IMG_1361.jpg

This company (Greenwald Industries) has software called SMS2, or Smart Card Management System 2. If one was able to get this software, we would all be able to do this. But I have yet to find it, nor do I believe I'll be able to.

So as I said, if anyone has access to working hex dump software, fill me in.

Link to comment
Share on other sites

blowfish,

Good work. I should have attached pictures as well. I also have a link at the end of the post that might interest you. I don't have any attack angle but I'll give what I've found and perhaps someone can make sense of it all.

First, pictures of my laundry machine coin (smart card) slot and control panel covers taken apart.

cimg0376.jpg cimg0377r.jpg

cimg0379.jpg cimg0381o.jpg

Correction: Originally I stated that there were 4 wires. I was incorrect. There are 6 wires--(top 3) 2 white, 1 brown, (bottom 3) 1 red, 1 yellow, 1 gray

cimg0382s.jpg cimg0383.jpg

Then, these 6 wires connect to various locations on the control panel, where a set goes to status light and the rest goes to drying selections (pictures are for dryer only)

blowfish, I found this link while in search of breaking satellite cards. I'm not sure if this is useful but if you do find it useful please share it with us :) Let us know which reader/writer you're using and if you were able to read them at all. The site states that it was developed for Windows environment. I can't make any sense of which reader/writer is compatible or, is it just any windows compatible reader/writer will do?

http://www.literatecode.com/2007/06/03/smacadu/

Good luck.

Link to comment
Share on other sites

dallaskorben, would you like a smart card to test it out?

The laundry facility I go to dispenses cards for free. Minimum balance price is $5.00. I say it was free because initially if you put a balance in it the card comes with the balance you entered, i.e. 5 dollar bill. Some other places charge up to $2 for the new card. If you'd like we can arrange something so that the card can be mailed to your location.

Here is what I know so far (posts from here and other locations). A software called CVA can add amounts and a stand alone unit can add/check amounts. Each location, that is a place or business that purchased this ESD system has a unique client number. This client number is embedded along with the card amount.

Smart card readers are programmed to work with this unique client number at this location/business only. Each ESD moneycard has unique serial number which I recently read that it is crucial in making this moneycard to work with the reader.

I will attach what I found later.

So basically, the cleanest hack (or crack) is to dump it as a file, use hex edit to change the value and rewrite it to the card. But it's not as easy as it sounds.

Rats! This forum does not allow PDF as an attachment.

http://www.mediafire.com/?sharekey=711cede...04e75f6e8ebb871

Link to comment
Share on other sites

If you're worried about being traced by the laundry company, you can purchase cards with prepaid gift cards or cash.

Another thing. I haven't purchased the reader/writer yet because of the software delay.

However, the company that is in my area (Greenwald Industries) has an archive of information on how to set up laundry units. Their main image is of an IBM GEMPC400 COMPACT SMART CARD. These can be acquired from various places for pretty cheap.

The company also releases a user manual that talks about using this hardware to set up cards on the fly.

The software they use can read and sort all the card data into an easy to read window. That's why I was hoping to get the software. Not likely though.

Link to comment
Share on other sites

  • 3 weeks later...

Guys, you are all going about this the wrong way. The esd software (which I have) is not the best and easiest way to go about adding value to cards regardless of what the license number is. I actually stumbled upon this forum/thread by accident but found it interesting that there are people who want to add value to their card (without paying of course).

All you need is a DVTM with key card at minimum but a Value Adder or higher will work but way overkill. It should have already been setup with a setup card, with any license #, it doesn't matter. There are a few other things you need but I am not going to tell ya. Nothing that is not readily available though.

Hacked this years ago. I for one would never and I mean never buy this system with what I know about it.

Link to comment
Share on other sites

  • 4 weeks later...

Well, I started looking into this a while back and got a reader (which was the wrong one) and some spare cards. I think I need an acr38 card reader (http://www.smartcardsupply.com/Content/Hardware/ACR38.htm), because it can support all the different formats. Also from that same place you can get extra cards to experiment with. The big thing stopping me from going any further is the ability to analyze the transaction when the VTM adds or subtracts value from the card. Only then can you get the code to make the card readable. Otherwise you should be able to view a dump of all the readable info on the card and decipher which hex data directly relates to the value on the card, with the cheap 30 dollar reader.

Coinless, since you have access to the inside of a machine, you probably have the best shot at this. It would be easier for you to read the transaction.

I believe the fedex/kinkos hack to be the most similar to the laundry card.

Really good info here:

Link to comment
Share on other sites

oh yea, one more thing, links!

logic analyzer - http://www.saleae.com/logic/features/?q=1&...CFSUNDQodeAs1cQ

smart card wiki WITH pinout - http://en.wikipedia.org/wiki/Smart_card

the protocol the card uses you will probably have to discover yourself with the card reader.

APDU command list - http://www.decodesystems.com/smartcards.html

esd's website - http://esdcard.com/

smartcard emulator - http://hackaday.com/2009/03/03/smart-card-emulator/

TONS more info - http://hackaday.com/2008/11/25/how-to-read...t-card-sle4442/

Link to comment
Share on other sites

  • 3 months later...

Anybody been working on this more?

The cards are weird and don't seem to follow iso7816 standards. I can't even get them to reset so I can get an ATR when plugged into a card reader.

Using some tape I have discovered only the pins below with *'s are needed to add/subtract/check card balances on the machines.

--------------
 c1* | c5
--------------
 c2* | c6
--------------
 c3* | c7*
--------------
 c4  | c8*
--------------

But this doesn't make sense! c5 is supposed to be ground if these are smartcards so I don't know what to think. I wonder what they are using... i2c or something close? This certainly isn't like the SLE4442 chip like some of you guys think. Dang, it sure would be nice to have a logic analyzer for this...

It sure would be nice to have any of these...:

-logic analyzer

-software that handles cards balances. If you have a serial card reader you could clone the serial interface and sit on it to see how the card is talked to.

-Know what chip is used to read the card inside any of the machines that handle transactions.

-Know what type of card this actually is. This would help a lot!

-Any other info you fine folks have scrounged up.

PMs to rapidshares are nice.

Link to comment
Share on other sites

Oh, and stealing is bad. Do not pass go, do not collect $200.00, go straight to jail. (But still, learning how to do it is not wrong, just what you do with that knowledge is up to you. I say do it for the hack, and not so much for the stealing of money/credit.)

I would have to agree. Getting the knowledge is great but actually using it to steal, that's just wrong.

Link to comment
Share on other sites

This isn't about theft. If someone was interested in that, they would just buy the ESD DVTM unit. You stick the card in those, hit the 5$ button on it, and that's it. I would tell you the part # for it and where to buy online, but this forum and the reason I post here involve hacking, not stealing.

This is about learning how it works, why they did things as they did, then using this information to make useful utilities (it sure would be nice to know what the balance on my card is without having to drive to the cleaners and stick the card in their machines) , and identifying ways the system can be improved (Aka, innovation, are you against that?)

Link to comment
Share on other sites

ESD makes card equipment for a few laundry companies and SmartCity is one of them. I had only been researching info on ESD, but it would not be a bad idea to search info about the other companies that distribute the equipment for leads. If you look at ESD's card pdfs, they have one page that shows how the cards can be printed with company logos/designs. The SmartCity card is shown so I bet some of the other designs are real cards/companies too.

In their software documentation they suggest what card reader they use, but considering the cards are in fact standard smart cards, any iso7816 standard reader should work to read/write to the card. Then again, I haven't been able to read the ATR from the card yet, so perhaps I shouldn't say anything. I'll have to tinker with some baud rates and perhaps write my own driver.

Thanks for the link, knowing the atr of the card is a big break... now, time to go figure out why c8 is important in the documentation and what's going on with my reader.. and possibly why the card works at all with GND blocked :D

Link to comment
Share on other sites

Interesting. I remember reading up somewhere about how you have 3 tries to get the write code (3 byte) right otherwise it self destructs? Hmm, how easy do you think it is to dump the contents of the SmartCity card to a file, use it up a bit, then restore the card from the dump, vs. programming a blank card?

Link to comment
Share on other sites

Yes, some cards have built in write protection passwords that once used up will keep the card from being used again. This is one of them according to the documentation.

How easy it would be to read the balance off the card depends on how well the system was implemented:

-They may have used the space anyone could read/write to so reading the balance wouldn't require knowing security bits.

-They may have put the data in a read-only section so reading the balance wouldn't require knowing the security bits.

-They could have put the data in an area that cannot be read/written without knowing the password.

There are a few ways around the last one, but those bridges will be crossed later. For now a card reader should be set up so the card can be talked to reliably (i.e. read the ATR, send commands and receive data back such as a basic content dump).

Link to comment
Share on other sites
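From the operator's side, the dump-and-restore question and the access-condition cases above come down to whether anything outside the card vouches for its contents. The following is an added example, not code from the thread or from any vendor: it assumes a hypothetical record layout (serial, site, balance, write counter, MAC tag), a constructed site key, and a backend ledger that readers report to.

```python
import hashlib
import hmac
from dataclasses import dataclass

SITE_KEY = b"constructed-demo-key"  # assumption: per-site secret known to readers and backend

@dataclass
class CardRecord:          # hypothetical on-card layout, not any vendor's real format
    serial: str
    site: int
    balance_cents: int
    counter: int           # incremented by the reader on every write
    tag: bytes = b""

def mac(rec):
    """Bind balance and counter to this card's serial and site."""
    msg = f"{rec.serial}|{rec.site}|{rec.balance_cents}|{rec.counter}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).digest()[:8]

def issue(serial, site, balance_cents, counter):
    rec = CardRecord(serial, site, balance_cents, counter)
    rec.tag = mac(rec)
    return rec

class Ledger:
    """Backend view: last accepted (counter, balance) per card serial."""
    def __init__(self):
        self.state = {}

    def check(self, rec):
        if not hmac.compare_digest(rec.tag, mac(rec)):
            return "reject: bad MAC (edited record)"
        last = self.state.get(rec.serial)
        if last and rec.counter < last[0]:
            return "reject: counter rollback (restored dump)"
        if last and rec.counter == last[0] and rec.balance_cents != last[1]:
            return "reject: balance mismatch"
        return "ok"

    def commit(self, rec):
        self.state[rec.serial] = (rec.counter, rec.balance_cents)

def demo():
    ledger = Ledger()
    fresh = issue("CARD-0001", 42, 2000, 1)    # constructed sample values
    ledger.commit(fresh)
    spent = issue("CARD-0001", 42, 1500, 2)    # legitimate debit by a reader
    results = [ledger.check(spent)]
    ledger.commit(spent)
    results.append(ledger.check(fresh))        # older card image presented again
    edited = CardRecord("CARD-0001", 42, 9900, 2, spent.tag)
    results.append(ledger.check(edited))       # value changed, tag not recomputed
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The MAC alone only catches edited values; the rollback check depends on readers reporting each write to the ledger, which a fully offline machine cannot do.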

Will do, currently I'm scrounging around old electronics for parts. I've gotten tired of trying to write my own drivers for this supposedly ccid standard card reader so now I'm making my own communicator (not programmer)

It's fairly simple, just a serial port, max232 chip, a few resistors, caps, a crystal and associated components to make a crystal oscillator for the card's clk port.

After that the todo list is:

-Identify if c8 is really needed by the readers (and why) Putting a piece of scotch tape atop the contacts then carefully using a hobby knife to expose only c1, c2, c3, c5, and c7 can confirm/deny that.

-Construct a sniffer to see what commands they are sending across the line.

Link to comment
Share on other sites
