sirloins Posted October 26, 2009
Here is some info for laundry cards (SmartCity ones): two versions, one with a RED arrow and one with a BLUE arrow. The ones with a red arrow are easy to hack: simply get a Season 2 interface (lets you log the communications between washer and smartcard). Then go buy a blank smartcard (goldcard or something) and program it to replay the same info. In order to add money to the original card you would need to crack the challenge-response keys it sends. The newer cards (BLUE arrow) use an Atmel crypto memory, AT88SC0404 to be exact. There are no hacks that I know about which can bypass the security of this device. Both can be communicated with using a standard smartcard reader at ~3.6 MHz (sat card programmers usually work for this).
sirloins Posted October 26, 2009
Also to note, there are only 5 signals used: GND, VCC, IO, RST and CLK... it follows the ISO standard. They communicate at 9600 baud...
catchyanow Posted October 26, 2009
If it connects to a computer it's probably a USB or PS2 connection. If it connects to anything else, you'll have to figure out which pins are for power (easily done with a multimeter), then use something like an oscilloscope to monitor the data pins. From there you should be able to figure out what the content of the card is. It's unlikely that the card reader obfuscates the data as it is sent down the wire. Now you can see what is on the card! Could also connect as an ethernet cable like the EFTPOS machines.
goldtouch Posted October 28, 2009
Thanks for the info, it's always nice to hear others have looked at this. I'm pretty sure the card I have is the AT88SC0404C or in that family. I'm making this assumption from the fact it has the same contact pattern design as what is shown in the spec sheet and the i-cat blog. It's a shame this isn't a cheap PIC/AVR card like I was hoping for it to be... but hey, now it's fun although frustrating to try and figure out. I still haven't been able to read this card! This is what I have done:
- Tried reading with a standard CCID card reader: nothing, the card reader reports it can't power it on or get the ATR.
- Made my own serial card reader using an FTDI 5V serial-USB chip setup and a 3.579545 MHz crystal + some other components to support the clock. I read a SIM card with it so I know it works. When I plug in the laundry card, however, I get nothing... or if I do it's a bunch of d7 dd 77 f7 etc. bytes. Shouldn't I get an ATR as soon as the card is powered up? I am assuming from the data sheet and ISO standard the correct baud rate to communicate with the card is 9600 8E2 with no hardware/software flow control, but that just gives me parity-failing gibberish... so have the other settings I have tried (9600 8E1, 9600 8N1). Do you know for sure what the correct settings are?
It's interesting you point out the sniffer too... I already built and tried using it a while ago. I made it with an old ID card, gold foil tape, and the Season 2 schematic (card reader slot, MAX232, non-inverting hex buffer + components). The sniffer is how I discovered that the C8 pin MUST be connected in order for transactions to occur. The data sheet says nothing about this... so all I can think is that as an extra security-through-obscurity measure they are checking the resistance between that pin and ground? I sure wish I had a logic analyzer. Oh, and for what I sniffed at the laundromat? Gibberish again!
I used the same serial config settings as I used for the home-made reader. Any more of your thoughts are appreciated. Just being able to communicate with this chip would make my day. I already wrote some software to talk to it synchronously that isn't getting nearly the use I hoped it would by now. :)
penty Posted October 28, 2009
Will this smart card writer do the trick? http://cgi.ebay.com/ws/eBayISAPI.dll?ViewI...s%3DI%26otn%3D2
sirloins Posted October 30, 2009
Try using the software WinExplorer. I am able to get an ATR on my cards with an ISO programmer which was used for the old Dishnet/DirecTV cards (NOT an unlooper/glitcher). The ATR is listed in the Atmel documents as well as the proper communication settings. I am fairly sure there is only 1 stop bit. Also check the byte order, like whether LSB is first or MSB is first... makes a difference. Sorry, but I'm feeling pretty sick, so I'll come back in a day or so and post my exact settings. Also there seems to be something fishy with that C8 pin you're talking about... I never noticed that; I was using a Season 2 interface to log the communications and if I remember correctly it did not have that pin connected.
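The ATR, 9600-baud and bit-order questions in the two posts above, worked through as an added example (my code, not anything posted in the thread): an ISO 7816-3 ATR decoder that handles both the direct (TS=0x3B) and inverse (TS=0x3F) conventions, verifies TCK, and computes the bit rate TA1 implies for a given card clock, so 372 clocks per etu at 3.579545 MHz gives 9622 baud. The sample ATR bytes are constructed for illustration and were not read from any laundry card.

```python
# ISO 7816-3 ATR decoder plus ETU/bit-rate calculation (added example, not
# code from anyone in the thread). Frame on the wire: start, 8 data bits,
# even parity, then >= 2 etu guard time, so a UART set to 8E1 or 8E2 works.

# Fi / Di lookup tables from ISO 7816-3, indexed by the TA1 nibbles; 0 = RFU.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, 0, 0, 512, 768, 1024, 1536, 2048, 0, 0]
DI_TABLE = [0, 1, 2, 4, 8, 16, 32, 64, 12, 20, 0, 0, 0, 0, 0, 0]
DEFAULT_TA1 = 0x11  # assumed when the card sends no TA1: Fi=372, Di=1


def inverse_to_direct(b):
    """Logical value of a byte a direct-convention UART captured from an
    inverse-convention card (TS=0x3F): invert bits, reverse order. Self-inverse."""
    return int(format(b ^ 0xFF, "08b")[::-1], 2)


def etu_baud(clock_hz, ta1=DEFAULT_TA1):
    """Bit rate implied by TA1 at a given card clock: 1 etu = (Fi / Di) / f."""
    fi, di = FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
    if fi == 0 or di == 0:
        raise ValueError("TA1 0x%02X uses a reserved Fi/Di code" % ta1)
    return clock_hz * di / fi


def parse_atr(raw):
    """Decode an ATR into convention, interface bytes, protocols, historical
    bytes, TCK check result and effective TA1; ValueError if malformed."""
    if not raw:
        raise ValueError("empty ATR: card not powered or no reset seen")
    if raw[0] == 0x3B:
        convention, data = "direct", list(raw)
    elif raw[0] == 0x3F:
        convention, data = "inverse", [0x3F] + [inverse_to_direct(b) for b in raw[1:]]
    else:
        raise ValueError("bad TS 0x%02X: wrong baud, parity or bit order?" % raw[0])
    try:
        y, k = data[1] >> 4, data[1] & 0x0F  # Y1 presence bits, K = historical count
        interface, protocols, i, n = {}, set(), 2, 1
        while True:  # walk TA/TB/TC/TD groups; each TDn flags the next group
            for name, bit in (("TA", 1), ("TB", 2), ("TC", 4), ("TD", 8)):
                if y & bit:
                    interface["%s%d" % (name, n)] = data[i]
                    i += 1
            td = interface.get("TD%d" % n)
            if td is None:
                break
            protocols.add(td & 0x0F)
            y, n = td >> 4, n + 1
        historical = bytes(data[i:i + k])
        i += k
        if len(historical) != k:
            raise IndexError
        # TCK is sent only if a protocol other than T=0 is offered; XOR of T0..TCK must be 0.
        tck_ok = None
        if protocols - {0}:
            tck = data[i]  # IndexError here means the TCK byte is missing
            for b in data[1:i]:
                tck ^= b
            tck_ok = tck == 0
    except IndexError:
        raise ValueError("ATR truncated after %d bytes" % len(raw)) from None
    return {"convention": convention, "interface": interface,
            "protocols": protocols or {0}, "historical": historical,
            "tck_ok": tck_ok, "ta1": interface.get("TA1", DEFAULT_TA1)}


# Constructed sample (not from a real card): direct convention, TA1=0x11, TD1
# offering T=1, 8 historical bytes, TCK=0xE1 (XOR of T0..historical bytes).
SAMPLE_DIRECT = bytes([0x3B, 0x98, 0x11, 0x01]) + b"EXAMPLE!" + bytes([0xE1])
# The same ATR as captured by a direct-convention UART from an inverse-convention card.
SAMPLE_INVERSE = bytes([0x3F] + [inverse_to_direct(b) for b in SAMPLE_DIRECT[1:]])

if __name__ == "__main__":
    for sample in (SAMPLE_DIRECT, SAMPLE_INVERSE):
        atr = parse_atr(sample)
        print(atr["convention"], atr["historical"], atr["tck_ok"],
              "%.0f baud at 3.579545 MHz" % etu_baud(3579545, atr["ta1"]))
```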
Spydersai Posted November 2, 2009
What version of WinExplorer are you using? I downloaded WinExplorer 5.4 but keep getting "Failed to set data for" and the WinExplorer 5.0 I downloaded had a virus so it won't work. Any ideas on how to get 5.4 to work? Running Windows 7 Ultimate.
sirloins Posted November 3, 2009
I had that problem too. Some versions are just bad. This program was used a lot in satellite card hacking as well. I am using version 5.0, "WinExplorer v5.0 by Dexter". The version I have was detected by Norton Antivirus as a virus, but I never had that problem in the past when I used it with virus scanners from the time (this program is older). Microsoft Security Essentials does not detect it as a virus... but I am not sure how reliable it is.
goldtouch Posted November 5, 2009
Hope you are feeling better, sirloins. Thanks for the tip with WinExplorer; it accomplishes what I have written as a CLI app... but likely works way better. :D I picked up version 5.0. I now have a Phoenix card programmer/reader here (so I shouldn't have to worry about pull-up resistors possibly being the issue on lines now) that I used with WinExplorer and still haven't gotten an ATR. I tried a few settings, but looking over the documentation again 9600 8E1 does seem like the right setup... I'm 99% sure. So frustrating!! Any other thoughts? Thanks for the tips so far. As for that C8 pin, I did another test: I attached it and GND to a voltmeter and found it gets at least 2.5V through it... hmm. That pin has about 6 MΩ resistance between it and ground, which slowly climbs the longer you measure the resistance. I think next time I do laundry I will throw in an appropriate resistor between the C8 Season 2 interface contact line and ground instead of connecting it to the C8 card pin to see what happens. Already I have tried just grounding C8 alone and that did not work. Another observation I have made regards dryers. If you start a load, then plug the card in again, it deducts money from your card and adds individual minutes to the load time. This could be handy for sniffing purposes. What other progress have you made too? Cheers!
catchyanow Posted November 5, 2009
I am very good with security software and I can tell you... Microsoft Security Essentials is a fat load of junk. All of Microsoft's other security products have been and this one is probably just as bad. As for Norton detecting it as a virus, it is very likely a false positive. They happen a lot with programs like Cheat Engine, trainers, packet sniffers and all sorts of other things like that. Just ignore it.
MetalMan Posted November 10, 2009
Hey, I came across this in the midst of my curiosity about how my laundry machine works. I'm just going to say this outright: I'm just curious about electronics and the principles by which they work, so I'm not trying to steal; I like to know how everything works, from my car to fermenting my own brew. Now that I've said that, I think a few of you guys were on the right track. Maybe this will help us all out: I have the wiring diagram, pictures of the guts and what I've done so far to make it function without the card reader. I'm not into any crazy reverse engineering projects; I honestly just do stuff that seems to make sense and see where it goes. This is probably the closest learning project I've come to actually completing without giving up, so what I'm saying is I'm not too technical, so if I need to explain myself further please let me know. From what I've gathered it would be a better idea to bypass the card reader from even working, you know, just run "diagnostics". I've noticed there are two modes you can access when you put in the single white jumper (#14): "Fd mode", which I have no freakin' clue what it does, other than the fact that it allows me to do what appears as some diagnostics, and factory mode, which will be discussed later. That shit is confusing too. By default, the washer is on jumper #09. Fd mode can be accessed by removing the power to the washer and placing #14 onto the selector harness. You press the "whites" and start button for 3 seconds. While writing this I just noticed something in the schematic they forgot to take out of the machine: the other selector plug harnesses are decoded. The number is indicated on the plastic plug on each set of wires, the last two numbers:
#09 - short wash cycle
01 - long wash cycle
02 - short wash cycle with extra rinse
14 - service mode
I've been running it in service mode, and I'm able to fill it up with water, drain the machine and that's about it.
If you tinker with the buttons different functions happen; in my next post I'll clearly label all the functions, and scan in a copy of the schematics/wiring diagram (pub number 31-16508). OK, here's some pictures to let you know what's going on visually (don't have a scanner anymore, sorry, I took pics of the diagram). First, here's a diagram for all you guys who know how to read these; I bet this will help a little. Here's the decoder for the wire coloring. Here's the actual board; everything should be in view that you need to see, if not tell me what you need. The jumpers and harness for the card reader. Interesting thing I found inside the card reader: regular PC jumpers? I wonder what the heck they do? I can't seem to find any info on this unit, and I don't have any extra jumpers laying around... but I will have some soon because I found this factory mode. First off, I have no clue how I got here; let me try to explain. I unplugged the washer, plugged in jumper number 14 and flipped the switch by the selector harness from "flash" to "normal" and plugged it back in. This mode operated completely differently: it allowed me to run one cycle, then I couldn't get it to come back to factory mode, and now I get this every time I unplug or plug the machine in: no load enable!!!!!!! What? No clue; at this point I'm lost, and just gathering some ideas. I just wanted to make sure I shared this with you guys, because there is a lot of good advice on this site that I've used. Basically my goal is to just bypass the card reader, which I don't think would be that hard to do. I'm going to do some more experiments, and then come back and post some more. Hope this helps.
sirloins Posted November 11, 2009
Great work, I know what you mean about doing it just for the sake of knowing how it works. I don't even live in a building that uses those smart cards anymore. The only problem I would have with what you are suggesting is that by putting the washer in diagnostic mode nobody else would know how to use the machine, and they would likely call to get it fixed. (At least where I have been the washers are shared by the whole building.) Also, are those machines the Coinamatic/SmartCity ones? Don't give up! (Or get caught with the machine inside out, I guess, lol.)
max13 Posted November 16, 2009
This is an interesting topic ~BUMP~
d4rkfe4r Posted November 19, 2009
Dude, you actually took the machine apart? Last time I did that some fool ratted me out to the cops and my landlord wasn't very happy... lol.
goldtouch Posted November 26, 2009
No progress so far here, but I do have a hard lesson learned: don't reverse the card VCC and GND. Oops! MetalMan, those are interesting pictures. It looks like you have a newer ESD card reader module than what the two laundromats near my place use. What company are your laundry services under (what does it say on your laundry card)? Do your laundry machines beep? It surprised me to see the buzzer on the white PCB. In regard to the breakout pins in the card reader mechanism, that's likely just a port they used to program the chip or something similar. Can you read the numbers off the Philips chip for me? Speaking of chips, that GDM1202A display should just be a generic part. If you search around enough, you could find out what interface it uses, then using a uC make it say something such as "FEED ME A SOCK". Once in the machine, I don't think bypassing the card mechanism would be too hard either. I don't see any logic circuitry on that white controller PCB. Is there another one under it? If not, you might be able to use the machine just by identifying what pins from the card reader mechanism go to where on the PCB and supplying them with the correct voltages to work the relays... not 100% positive on this as those current pictures do not reveal too much. Will be interested to hear more about what you have accomplished!
D4287 Posted November 30, 2009
I'm interested in this topic too, and in my search I found someone that prevented the laundry machine from rewriting over the card. Hmm, I think this would be just about the same as adding money into it... Might even be easier to prevent rewriting than to edit it? http://www.youtube.com/watch?v=1KYjKw6BadI
goldtouch Posted December 3, 2009
VERY interesting video. So let's break down what they did:
- If the card's contact pattern and SmartCity labelling are any indication, this is an ESD AT88XXXC series card, likely the AT88SC0404C one.
- It looks like they can read it with a standard card reader too... as they should be able to. I wish that would work for me. I'm assuming they are just running a command to dump the entire (or a portion) of memory in the video.
- The uC was programmed with an AVR programmer and has 40 pins. ATMega32s fit that description and are popular too...
- They broke out all 8 of the pins and in a rather clever way (even though they all aren't necessary). Still, I like it. :)
- They used the Saleae USB logic analyser to read the I/O pin only. You can see in the video that they are monitoring two channels, and if you look even closer, both channels are very similar. That is probably because they are passing them through that uC to monitor/alter for *something*.
I wish I lived where they are; 1 machine cycle is 1.75 here... and that's a competitive rate in the area. It's absurd.
SMRTgroup Posted December 3, 2009
Hi guys, I'm part of the group who did that project in the YouTube video; this was done for a computer security class's final project. Uploading a video of our project was a requirement... I'll say for now that goldtouch's analysis of the video is mostly correct. I won't reveal the details of our findings yet; we still need to write up the final report and I still have exams to write as well. When the time comes I'll post the details on my blog. P.S.: while not much cheaper, the price of a wash cycle here is $1.20; the 60 cent decrement you saw was for a dry cycle ;)
max13 Posted December 3, 2009
Yes, if you are indeed part of that group, it would be wonderful if you posted your findings.
goldtouch Posted December 5, 2009
Congratulations on your research, it looks like it turned out well. :) I have two burning questions on my mind right now:
- Did you have to deal with the non-ISO-compliant C8 pin strangeness that I have complained about?
- I'm thinking the machine authenticates, checks balance, deducts balance, and starts the load... but doesn't properly check if the balance was deducted, so you either cut off communications after the check balance, or possibly just send a "balance written ok" statement back to the card reader to get this working? Or am I way off?
I will be interested to read your writeup. Do you have a link to your blog now? Have any other fun hardware projects up? I'll be interested to hear both the effects of posting the video on YouTube AND the attention it brings too. Why was this a requirement for your project? Possibly to understand media reactions? Good luck with exams!
yngdrum Posted January 19, 2010
The video is now private; could someone upload it somewhere else? Also found this site out... May have some useful info for those trying to actually read the cards. The one I have is a CoinMach (ESD one); it does not respond with an ATR in 2 different card readers I have.
goldtouch Posted January 24, 2010
Wow, almost forgot about this project. Yngdrum, it sounds like you are encountering the same problems I am. Let's hear what you know/have tried. I'll see if I can get that video in the meantime... shouldn't be too hard.
goldtouch Posted January 24, 2010
Somebody sent me this: http://www.sendspace.com/file/q946y0 They said they saved it earlier on. Thanks!
jbremnant Posted April 4, 2010
@goldtouch: came across this thread after struggling to dump the ATR from the same ESD card. I think we are probably looking at the same chip, and it doesn't seem like the AT88SCXX (CryptoMemory) chip. Was there any progress on this? Maybe we can collaborate?
noob1 Posted April 22, 2010
This is very interesting information. Any updates? Has anyone gotten a working project going?