Jump to content

Laundry Card hack


chaalbaaz

Recommended Posts

Here is some info for laundry cards (smartcity ones):

Two versions, one with a RED arrow and one with a BLUE arrow.

The ones with a red arrow are easy to hack, simply get a season 2 interface (lets you log the communications between washer and smartcard). Then go buy a blank smartcard (goldcard or something) and program it to replay the same info. In order to add money to the original card you would need to crack the challenge response keys it sends.

The newer cards (BLUE arrow) use an atmel crypto memory, AT88SC0404 to be exact. There are no hacks that I know about which can bypass the security of this device.

Both can be communicated with using a standard smartcard reader at ~3.6mhz (sat card programmers usually work for this).

Link to comment
Share on other sites

  • Replies 95
  • Created
  • Last Reply

Top Posters In This Topic

If it connects to a computers it's probably a USB or PS2 connection.

If it connects to any thing else, you'll have to figure out which pins are for power (easily done with a multimeter) then use some thing like an oscilloscope to monitor the data pins. From there you should beable to figure out what the content of the card is. It's unlikely that the card reader obfuscates the data as it is sent down the wire. Now you can see what is one the card!

Could also connect as a ethernet cable like the EFTPOS Machines

Link to comment
Share on other sites

Thanks for the info, its always nice to hear others have looked at this. I'm pretty sure the card I have is the AT88SC0404C or in that family. I'm making this assumption from the fact it has the same contact pattern design as what is shown in the spec sheet and the i-cat blog.

It's a shame this isn't a cheap pic/avr card like I was hoping for it to be...but hey, now it's fun although frustrating to try and figure out.

I still haven't been able to read this card!

This is what I have done:

-Tried reading with a standard ccid card reader: Nothing, card reader reports it can't power it on or get the atr.

-Made my own serial card reader using a ftdi 5v serial-usb chip setup and a 3.579545Mhz crystal + some other components to support the clock. I read a sim card with it so I know it works. When I plug in the laundry card however, I get nothing... or if I do it's a bunch of d7 dd 77 f7 etc bytes. Shouldn't I get an ATR as soon as the card is powered up?

I am assuming from the data sheet and iso standard the correct baud rate to communicate with the card is 9600 8e2 with no hardware/software flow control, but that just gives me parity-failing jibberish... so have the other settings I have tried (9600 8e1, 9600 8n1). Do you know for sure what the correct settings are?

It's interesting you point out the sniffer too.. I already built and tried using it a while ago.. I made it with an old ID card, gold foil tape, and seasons2 schematic (card reader slot, max232, non-inverting hex buffer +components).

The sniffer is how I discovered that c8 pin MUST be connected in order for transactions to occur. The data sheet says nothing about this.. so all I can think is as an extra security via obscurity measure they are checking the resistance between that pin and ground? I sure wish I had a logic analyzer.

Oh and for what I sniffed at the laundromat? Jibberish again! I used the same serial config settings as I used for the home made reader.

Any more of your thoughts are appreciated. just being able to communicate with this chip would make my day. I already wrote some software to talk to it synchronously that isn't getting nearly the use I hoped it would by now. :)

Link to comment
Share on other sites

Thanks for the info, its always nice to hear others have looked at this. I'm pretty sure the card I have is the AT88SC0404C or in that family. I'm making this assumption from the fact it has the same contact pattern design as what is shown in the spec sheet and the i-cat blog.

It's a shame this isn't a cheap pic/avr card like I was hoping for it to be...but hey, now it's fun although frustrating to try and figure out.

I still haven't been able to read this card!

This is what I have done:

-Tried reading with a standard ccid card reader: Nothing, card reader reports it can't power it on or get the atr.

-Made my own serial card reader using a ftdi 5v serial-usb chip setup and a 3.579545Mhz crystal + some other components to support the clock. I read a sim card with it so I know it works. When I plug in the laundry card however, I get nothing... or if I do it's a bunch of d7 dd 77 f7 etc bytes. Shouldn't I get an ATR as soon as the card is powered up?

I am assuming from the data sheet and iso standard the correct baud rate to communicate with the card is 9600 8e2 with no hardware/software flow control, but that just gives me parity-failing jibberish... so have the other settings I have tried (9600 8e1, 9600 8n1). Do you know for sure what the correct settings are?

It's interesting you point out the sniffer too.. I already built and tried using it a while ago.. I made it with an old ID card, gold foil tape, and seasons2 schematic (card reader slot, max232, non-inverting hex buffer +components).

The sniffer is how I discovered that c8 pin MUST be connected in order for transactions to occur. The data sheet says nothing about this.. so all I can think is as an extra security via obscurity measure they are checking the resistance between that pin and ground? I sure wish I had a logic analyzer.

Oh and for what I sniffed at the laundromat? Jibberish again! I used the same serial config settings as I used for the home made reader.

Any more of your thoughts are appreciated. just being able to communicate with this chip would make my day. I already wrote some software to talk to it synchronously that isn't getting nearly the use I hoped it would by now. :)

Try using the software winexplorer. I am able to get an ATR on my cards with an iso programmer which was used for the old dishnet/directv cards (NOT an unlooper/glitcher).

The atr is listed in the atmel documents as well as the proper communication settings. I am fairly sure there is only 1 stop bit.

Also check the byte order, like wether lsb is first or msb is first... makes a difference..

Sorry but I'm feeling pretty sick, so I'll come back in a day or so and post my exact settings.

Also there seems to be something fishy with that c8 pin your talking about... I never noticed that, I was using a season 2 interface to log the communications and if I remember correctly it did not have that pin connected..

Link to comment
Share on other sites

What Ver. of Winexplorer are you using? I downloaded Winexplore 5.4 but keep getting Failed to set data for" and the Winexplorer 5.0 I downloaded had a virus so it won't work. Any ideas on how to get 5.4 to work? Running Windows 7 Ultimate.

I had that problem too. Some versions are just bad. This program was used a lot in satellite card hacking as well. I am using version 5.0. "WinExplorer v5.0 by Dexter". The version I have was detected by Norton Antivirus as a virus, but I never had that problem in the past when I used it with virus scanners from the time (this program is older).

Microsoft Security Essentials does not detect it as a virus.... but I am not sure how reliable it is..

Link to comment
Share on other sites

Hope you are feeling better sirloins

Thanks for the tip with WinExplorer.. it accomplishes what I have written as a cli app... but likely works way better. :D I picked up version 5.0

I now have a phoenix card programmer/reader here (so I shouldn't have to worry about pullup resistors possibly being the issue on lines now) that I used with WinExplorer and still haven't gotten an ATR. I tried a few settings, but looking over the documentation again 9600 8E1 does seems like the right setup... I'm 99% sure. So frustrating!! Any other thoughts? Thanks for the tips sofar.

As for that c8 pin, I did another test, I attached it and gnd to a voltmeter and found it gets at least 2.5V through it... hmm

That pin has about 6Mohm resistance between that and ground which slowly climbs the longer you measure the resistance. I think next time I do laundry I will throw in an appropriate resistor between the c8 seasons interface contact line and ground instead of connecting it to the c8 card pin to see what happens. Already I have tried just grounding c8 alone and that did not work.

Another observation I have made regards dryers. If you start a load, then plug the card in again, it deducts money from your card and adds individual minutes to the load time. This could be handy for sniffing purposes.

What other progress have you made too? Cheers!

Link to comment
Share on other sites

I had that problem too. Some versions are just bad. This program was used a lot in satellite card hacking as well. I am using version 5.0. "WinExplorer v5.0 by Dexter". The version I have was detected by Norton Antivirus as a virus, but I never had that problem in the past when I used it with virus scanners from the time (this program is older).

Microsoft Security Essentials does not detect it as a virus.... but I am not sure how reliable it is..

I am very good with security software and I can tell you........... Microsoft Security Essentials is a fat load of junk. All of Microsoft's other security products have been and this one is probably just as bad. As for Norton detecting it as a virus it is very likely a False Positive. They happen a lot with programs like Cheat Engine, Trainers, Packet Sniffers and all sorts of other things like that. Just ignore it.

Link to comment
Share on other sites

hey, i cam across this in midst of my curiosity of how my laundry machine works. im just going to say this outright, i'm just curious about electronics and the principles in which they work, so i'm not trying to steal, i like to know how everything works, from my car to fermenting my own brew.. now that ive said that, i think a few of you guys were on the right track, maybe this will help us all out, i have the wiring diagram, pictures of the guts and what ive done so far to make it function without the card reader. i'm not into any crazy reverse engineering projects, i honestly just do stuff that seems to make sense and see where it goes. this is probably the closest learning project ive come to actually completing without giving up, so what im saying is i'm not too technical, so if i need to explain myself further please let me know. from what ive gathered it would be a better idea to bypass the card reader from even working, you know just run "diagnostics"

ive noticed there are two modes you can access when you put in the single white jumper(#14) "Fd mode" which i have no freakin clue what it does, other than the fact that it allows me to do what appears as some diagnostics

and factory mode, which will be discussed later. that shit is confusing too.

by default, the washer is on jumper #09

Fd mode can be accessed by removing the power to the washer, placing #14 onto the selector harness. you press the "whites" and start button for 3 seconds

while writing this i just noticed something in the schematic they forgot to take out of the machine,

the other selector plug harnesses are decoded

the number is indicated on the plastic plug on each set of wires, the last two numbers

#09-short wash cycle

01- long wash cycle

02- short wash cycle with extra rinse

14- service mode

ive been running it in service mode, and im able to fill it up with water, drain the machine and thats about it. if you tinker with the buttons different functions happen, in my next post, ill clearly label all the functions, and scan in a copy of the schematics/wiring diagram(pub number 31-16508)

ok heres some pictures to let you know whats going on visually (dont have a scanner anymore sorry i took pics of the diagram)

first, heres a diagram for all you guys who know how to read these. i bet this will help a little

101_0149.jpg

heres the decoder for the wire coloring

101_0150.jpg

heres the actual board, everything should be in view that you need to see, if not tell me what you need

101_0145.jpg

the jumpers and harness for card reader

switch.jpg

interesting thing i found inside the card reader - regular pc jumpers? i wonder what the heck they do? i cant seem to find any info on this unit, and i dont have any extra jumpers laying around...but i will have some soon because i found this

101_0147.jpg

factory mode

first off i have no clue how i got here, let me try to explain.

i unplugged the washer, plugged in jumper number 14 and flipped the switch by the selector harness from "flash" to "normal" and plugged it back in

switch.jpg

this mode operated completely different, it allowed me to run one cycle then i couldnt get it to come back to factory mode, and now i get this everytime i unplug or plug the machine in

101_0135.jpg

no load enable!!!!!!! what?

no clue, at this point i'm lost, and just gathering some ideas. i just wanted to make sure i shared this with you guys, because there is alot of good advice on this site that ive used. basicaly my goal is to just bypass the card reader, which i dont think it would be that hard to do. im going to do some more experiments, and then come back and post some more. hope this helps

Link to comment
Share on other sites

Great Work, I know what you mean about doing it just for the sake of knowing how it works. I don't even live in a building that uses those smart cards anymore.

The only problem I would have with what you are suggesting is that by putting the washer in diagnostic mode nobody else would know how to use the machine, and they would likely call to get it fixed. (At least where I have been the washers are shared by the whole building).

Also, are those machines the coinamatic/smartcity ones?

Don't give up! (or get caught with the machine inside out I guess lol)

Link to comment
Share on other sites

No progress sofar here, but I do have a hard lesson learned.. don't reverse the card vcc and gnd. Oops!

MetalMan, those are interesting pictures. It looks like you have a newer esd card reader module than what the two landromats near my place use. What company are your laundry services under (what does it say on your laundry card)?

Do your laundry machines beep? It surprised me to see the buzzer on the white pcb.

In regard to the breakout pins in the card reader mechanisim, that's likely just a port they used to program the chip or something similar. Can you read the numbers off the philips chip for me?

Speaking of chips, that GDM1202A display should just be a generic part. If you search around enough, you could find out what interface it uses then using a uC make it say something such as "FEED ME A SOCK"

Once in the machine, I don't think bypassing the card mechanisim would be too hard either too. I don't see any logic circuitry on that white controller pcb. Is there another one under it? If not, you might be able to use the machine just by identifying what pins from the card reader mechanisim go to where on the pcb board and supplying them with the correct voltages to work the relays.. not 100% positive on this as those current pictures do not reveal too much.

Will be interested to hear more about what you have accomplished!

Link to comment
Share on other sites

VERY interesting video. So lets break down what they did:

- If the card's contact pattern and SmartCity labelling are any indication, this is an ESD AT88XXXC series card. likely the AT88SC0404C one.

- It looks like they can read it with a standard card reader too.. as they should be able to. I wish that would work for me. I'm assuming they are just running a command to dump the entire (or a portion) of memory in the video.

-The uC was programmed with an AVR programmer and has 40 pins. ATMega32s fit that description and are popular too...

-They broke out all 8 of the pins and in a rather clever way (even though they all aren't necessary). Still I like it. :)

- They used the Saleae USB Logic analyser to read the I/O pin only. You can see in the video that they are monitoring two channels, and if you look even closer, both channels are very similar. That is probably because they are passing them through that uC to monitor/alter for *something*

I wish I lived where they are, 1 machine cycle is 1.75 here... and that's a competitive rate in the area. It's absurd.

Link to comment
Share on other sites

Hi guys,

I'm part of the group who did that project in the youtube video, this was done for a computer security class' final project. Uploading a video of our project was a requirement...

I'll say for now that goldtouch's analysis of the video is mostly correct. I won't reveal the details of our findings yet, we still need to write up the final report and I still have exams to write as well. When the time comes I'll post the details on my blog.

P.S. , while not much cheaper, the price of a wash cycle here is $1.20, the 60 cent decrement you saw was for a dry cycle ;)

Link to comment
Share on other sites

Hi guys,

I'm part of the group who did that project in the youtube video, this was done for a computer security class' final project. Uploading a video of our project was a requirement...

I'll say for now that goldtouch's analysis of the video is mostly correct. I won't reveal the details of our findings yet, we still need to write up the final report and I still have exams to write as well. When the time comes I'll post the details on my blog.

P.S. , while not much cheaper, the price of a wash cycle here is $1.20, the 60 cent decrement you saw was for a dry cycle ;)

Yes, if you are indeed part of that group, it would be wonderful if you posted your findings.

Link to comment
Share on other sites

Congratulations on your research, it looks like it turned out well. :)

I have two burning questions on my mind right now:

-Did you have to deal with the non-iso compliant C8 pin strangeness that I have complained about?

-I'm thinking the the machine authenticates, checks balance, deducts balance, and starts the load.. but doesn't properly check if the balance was deducted so you either cut off communications after the check balance, or possibly just send back a "balance written ok" statement back to the card reader to get this working? Or am I way off?

I will be interested to read your writeup. Do you have a link to your blog now, have any other fun hardware projects up?

I'll be interested to hear both the effects of posting the video on youtube AND the attention it brings too. Why was this a requirement for your project? Possibly to understand media reactions?

Good luck with exams!

Link to comment
Share on other sites

  • 1 month later...
Congratulations on your research, it looks like it turned out well. :)

I have two burning questions on my mind right now:

-Did you have to deal with the non-iso compliant C8 pin strangeness that I have complained about?

-I'm thinking the the machine authenticates, checks balance, deducts balance, and starts the load.. but doesn't properly check if the balance was deducted so you either cut off communications after the check balance, or possibly just send back a "balance written ok" statement back to the card reader to get this working? Or am I way off?

I will be interested to read your writeup. Do you have a link to your blog now, have any other fun hardware projects up?

I'll be interested to hear both the effects of posting the video on youtube AND the attention it brings too. Why was this a requirement for your project? Possibly to understand media reactions?

Good luck with exams!

The video is now private, could some one upload it some where else?

Also found this site out....

May have some useful info for those trying to actually read the cards,

The one i have is a CoinMach (ESD one) it does not respond to ATR in 2 different card readers i have.

Link to comment
Share on other sites

Wow, almost forgot about this project. Yngdrum, it sounds like you are encountering the same problems I am. Lets hear what you know/have tried.

I'll see if I can get that video in the meantime.. shouldn't be too hard.

Link to comment
Share on other sites

  • 2 months later...

@goldtouch : came across this thread after struggling to dump ATR from same esd card. I think we are probably looking at the same chip, and it doesn't seem like the AT88SCXX (cryptomemory) chip. Was there any progress on this? Maybe we can collaborate?

Link to comment
Share on other sites

  • 3 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...