Dangerous Prototypes

Started playing with a magstripe reader today, short writeup can be found here:

http://s3c.za.net/2010/02/19/magstripe- ... us-pirate/ (http://s3c.za.net/2010/02/19/magstripe-reverse-engineering-using-the-bus-pirate/)

Anyone have an idea how to get the Bus Pirate to read a single bit on a data line when the clock line goes low?

Not I'm aware of. What speed does the clock have when you sweep it at a normal speed? You could try the raw3wire at a low speed, without the clock connected and the dataout to the miso. then enter a lot of rrrrrr to read it.

You could alternatively use a motor to pull the card through to get a steady clock/bitrate

The clock speed varies greatly even in a single swipe so static timing won't work, the motor idea while plausible seem like a lot of trouble considering the clock line gives us the timing we need, if I can't find a way to do it with the Bus Pirate I'll wire up a board and code it myself.

The only Bus Pirate mode that currently supports slave clock is the keyboard library (keyboards provide their own clock). I think Sjaak's scripting mode might get us a little closer to that eventually, but right now there's not really any modes that could be used to read that. We could certainly write one, or a simple macro in raw2wire mode that follows the clock and spits out byte representations (a simple sniffer, I guess).

I really glad you were able to use SUMP to visualize the data, it looks great.

If I get some time I'd like to try my hand at implementing this, the two wire mode pulls the clock line low when not used, in a previous post you mentioned that this is needed for the smart card code, what effect will it have if this is changed? Since I'm more of an AVR guy how would you suggest I go about adding a timeout for this macro?

Check out the PC keyboard library, you'd probably want something similar to that. I'd also look into the SPI library and see if maybe it would be easier to just implement an SPI slave mode (clock and data in), or using the SPI sniffer might be even easier actually without any code change. Hook up the clock and either MOSI or MISO to the data, then select don't care about the CS pin, that is probably the easiest way to go, no coding required.

I guess the scripting will be [s:]finished[/s:] released this weekend. I finished most of the basic code an now i'm adding the interfacing to the libraries. After I tested the functionality I'll upoad it in the newterm branch (it ís incompatible with the old code)

I'm looking forward to your tests!

s3c: I believe the 'bug' that helds the clk line down is removed by now.

Score, it works, thanks Ian, I hooked up the CS pin to the card present pin to only sniff when a card is swiped but other than that you were spot on:

m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. JTAG
7. RAW2WIRE
8. RAW3WIRE
9. PC KEYBOARD
10. LCD
(1) >5
Mode selected
Set speed:
 1. 30KHz
 2. 125KHz
 3. 250KHz
 4. 1MHz
(1) >4
Clock polarity:
 1. Idle low *default
 2. Idle high
(1) >2
Output clock edge:
 1. Idle to active
 2. Active to idle *default
(2) >2
Input sample phase:
 1. Middle *default
 2. End
(1) >2
Select output type:
 1. Open drain (H=Hi-Z, L=GND)
 2. Normal (H=3.3V, L=GND)
(1) >1
READY
SPI>W
POWER SUPPLIES ON
SPI>(1)
Sniff when:
 1. CS low
 2. CS high
 3. All traffic
(1) >1
SPI bus sniffer, any key exists
[0xFF(0x00)0xFF(0x00)0x2D(0x00)0xE5(0x00)0xE6(0x00)0x31(0x00)0x97(0x00)0xF3(0x00
)0xFD(0x00)0xEB(0x00)0xFA(0x00)0x52(0x00)0xED(0x00)0xFC(0x00)0xFF(0x00)0x1B(0x00
)0xD7(0x00)0xBF(0x00)0x41(0x00)0xDF(0x00)0xFF(0x00)0xFF(0x00)0xFF(0x00)0xFF(0x00
)0xFF(0x00)0xFF(0x00)0xFF(0x00)0xFF(0x00)0xFF(0x00)0xFF(0x00)]

I'm glad it worked! You identified a definite need, a similar sniffer in 2wire mode.

[quote author="Sjaak"]
s3c: I believe the 'bug' that helds the clk line down is removed by now.
[/quote]

Nope, well didn't check the I2C code but it's still in the raw2wire code:

case CMD_SETUP:
	//writes to the PORTs write to the LATCH
	R2WCLK=0;			//B8 scl 
	R2WDIO=0;			//B9 sda
	R2WDIO_TRIS=1;//data input
	R2WCLK_TRIS=0;//clock output
	bbSetup(2, modeConfig.speed);
	bpWmessage(MSG_READY);
	break;

case CMD_STOP:
	bbI2Cstop();
	bpWstring("(_/-\)");
	bpWmessage(MSG_I2C_STOP);
	break;

Those should be changed too. I did fix the issue with I2C stop leaving the lines low though, that was in bitbang.c.

Hee, you've got 1000+ posts! congrats Ian.

Ok, i though it was a general thing. Maybe make ik configurable? Or should it be done by the user?

s3c did it read exactly what was on the card, or had it errors in it?

Considered commenting on his posts when I noticed he was on post 999 :) I parsed the data and ran it through Stripe Snoop and it seems legit, start and end sentinels are in place and the data looks fine, don't know what all the fields mean but it contains a number printed on the card.

Thanks guys. I was counting up from 996, but I forgot about it after 998.

I wanted to know more about methods of reading mag cards and I got really lost in this site:
http://www.gae.ucm.es/~padilla/extrawork/stripe.html (http://www.gae.ucm.es/~padilla/extrawork/stripe.html)

The best from scratch guide I found was a phrack article:

http://stripesnoop.sourceforge.net/devel/phrack37.txt (http://stripesnoop.sourceforge.net/devel/phrack37.txt)

My reader gives out TTL levels so all that isn't actually needed though, working on an app to automate everything now, I'll mail it in when I'm done so it can be added to the Bus Pirate scripts if you're interested?

Of course, thank you.

May I use one of your pictures and the terminal output to make a demo post for this? It's really cool.

Ok, code is finally done, thanks for the suggestions Ian, wouldn't have happened without them, I didn't bother calculating the LRC but if needed just pipe the output through StripeSnoop with the -b switch. You're welcome to use it as a demo if you wish, mind adding the code to the svn?

---

Cool! What compiler did you use?

If you post an executable I can add it to the svn for you (will prolly update the newterm branch tonight so I can do it in one go :D)

Here's the code with a few tweaks and executable.

Thanks for sharing

Updated the svn: http://code.google.com/p/the-bus-pirate ... tail?r=338 (http://code.google.com/p/the-bus-pirate/source/detail?r=338)