informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/hacking/mag_stripes.txt

521 lines
24 KiB
Plaintext
Raw Permalink Normal View History

Initial commit
2021-04-15 11:31:59 -07:00
Newsgroups: alt.2600
Path: sundog.tiac.net!europa.eng.gtefsd.com!emory!swrinde!pipex!sunic!EU.net!uunet!iat.holonet.net!clafave
From: clafave@iat.holonet.net (Christopher R LaFave)
Subject: Re: Hacking aTM
Message-ID: <CsCvt5.Lut@iat.holonet.net>
Organization: HoloNet National Internet Access System: 510-704-1058/modem
References: <2v5ev9$53p@lucy.infi.net>
Date: Sun, 3 Jul 1994 08:34:16 GMT
Lines: 510
Magnetic stripe technology
Figures and listings are at the end.
Because of their widespread use, most magnetic cards adhere to well-defined
standards that describe the physical and magnetic characteristics for a
magnetic stripe on a plastic card. These standards outline specifications for a
storage format and information interchange. This does not preclude other
encoding techniques or additional data tracks for specific applications, but in
most cases it makes sense to adhere to at least the basic constraints. This
gives you the choice of using any commercially available magnetic encoders for
your application. The technique used for encoding magnetic cards is known as
"Two-Frequency, Coherent Phase Recording". Allowing for the representation of
single-channel, self-clocking serial data, this methodology is generally
referred to as F/2F. Self-clocking is achieved by combining data and clock bits
together in a continuous, synchronous sequence. In this scheme, an intermediate
flux transition signifies a one bit and the absence of an intermediate flux
transition denotes a zero bit.
Three data tracks defined for use on standard magnetic cards each possess
different bit densities and encoded character sets. The average bit density of
track 1 is 210 bits per inch (bpi). Track 1 characters are made up of six data
bits and an odd parity bit, encoded with the least-significant bit first and
the parity bit last, yielding a 64-character set. Taking the number of bits per
inch and the number of bits per character, you can see track 1 has the capacity
to hold 79 characters.
Track 2 has a bit density of 75 bpi, and track 3 uses 210 bpi. Both of these
tracks allow the representation of a numeric-only character set. The characters
for tracks 2 and 3 are encoded using a 4-bit binary-coded decimal subset with
odd parity and, like track 1, are encoded with the least significant bit first
and the parity bit last. The lower density of track 2 allows up to 40 numeric
characters, where 107 numerics can be squeezed onto track 3. The actual number
of usable characters will be fewer since you also have the Start Sentinel, End
Sentinel, and LRC characters.
Though sometimes magnetic cards are moved past the read head mechanically,
most applications rely on manually moving the card, either through a slotted
reader or into an insertion-type reader. Typically the swipe rate is 5-20 inches
per second (ips), with 50 ips being the fastest most card readers can handle. Of
course, moving the card by hand will not only result in varying the absolute
card velocity but, will also introduce incremental speed changes as the card
accelerates and decelerates past the pickup. The F/2F scheme is very forgiving
of such speed fluctuations.
For all 3 tracks, the fundamental data format is similar and consists of the
following elements: First, leading zero bits are encoded to indicate the
presence of an encoded magnetic card and provide synchronization pulses to the
read head electronics and ultimately to the controller. Next, the Start Sentinel
character is encoded which indicates the start of the actual data. The coded
data follows. Next, the End Sentinel terminates the data portion of the card
and followed by an LRC byte (used for error detection). The LRC is essentially
a horizontal parity calculated by an exclusive-OR of all the data bits from the
Start Sentinel to the End Sentinel (inclusive). Finally, trailing zeros follow
the LRC and fill out the remainder of the card.
ANATOMY OF A MAGNETIC CARD
The magnetic tracks have inherent characteristics based on details such as
code set and bit and character densities. International organizations such as
Mastercard and VISA impose additional constraits for their participating members
and standards exist for bank debit cards and ATM cards as well. These rules
specify the exact content and format of each data field in aech track as well as
the intended uses for the tracks. Naturally, for nonfinancial uses, it is not
necessary to comply with these standards. For dedicated uses such as access
control, people tracking, and material tracking, adhering to the minimal
standards is adequate.
The most-often-used track is track 2, although it offers the lowest inform-
ation density of the three. It contains all the information that is normally
used for credit card transactions. When a customer name is required, track 1
must be used since it is the only track that permits alphanumeric data. Track 3
is specified for numeric-only data, but is unique. It is intended for change-
able data and consequently may not only be read but may be rewritten by the
transaction-handling equipment. A multitude of data fileds are contained in
these various tracks. Figure 1 shows a brief run-down of what is generally
placed on tracks 1 and 2.
REAL CARD READERS
The recovery of magnetically encoded F/2F data can be accomplished directly
with the use of just about any microcontroller. There are no particular
difficulties in deciphering the raw F/2F data stream and many early magnetic
read heads contained nothing more than signal amplifiers and line drivers.
These are now artifacts since all modern magnetic read heads contain integ-
rated F/2F bit recovery circuitry and interface with the host controller in a
standard fashion using three wires: CARD PRESENT, CLOCK, and DATA. The read
heads usually rely on a single chip to perform the linear signal conditioning,
sychronization, and recovery of individual bits from the data stream. The Mag-
Tek 21006505 IC is representative of this type of data recovery circuit and its
functionality is depicted in figure 2.
Linear conditioning consists of raising the level of the magnetic pickup's
input signal, rejecting common-mode noise, conditioning and detecting the
signal, and finally providing a digital output for susequent processing. The
enable/disable counters provide initialization for the recovery section. The
recovery section locks onto the data rate and recovers the individual data bits
from the data stream. The oscillator section provides the clocks for the recov-
ery section and for the enable/disable timers. Card present goes low after 8 or
9 flux reversals are seen from the magnetic pickup and will return high about
50 ms after the last flux reversal. The strobe line signals that data is valid
and is active low. The data pin indicates a one bit when it is low. Raw F/2F
data can also be picked directly off the chip.
The data rate for a high-density track scanned at 50 ips comes to 10500 bits
per second (bps). This results in a transfer rate of 1500 characters per second
for the 7-bit elements used on track 1, and 2100 characters per second using
the 5-bit elements of track 3. I either case, this translates to a new bit
arriving at the controller just under every 100 us (microsecond). Even the most
anemic controller should be able to keep up. With resonably good coding techni-
ques, there should be no problem handling the entire data sampling phase on an
interrupt-driven basis. The low-density (track 2) data flows at a more pedes-
trian 3750 bps, yielding 750 5-bit characters per second, or a new bit every
266 us. Since most dual-track read heads provide track 1 and track 2 data, this
indicates that handling both tracks simultaneously is feasible under interrupt
control. Keep in mind that 50 ips is a rather fast scan rate; 20-30 ips is
probably a more realistic limit.
MAGNETIC BIT STORMS
When approaching a problem such as decoding magnetic cards, it pays to spend
some time looking at the overall picture before starting to write the code. At
first glance, it would seem that organizing the data into the prevailing element
size during the sampling interval would make decoding easier. This could be
easily done by ignoring all the leading zeros, with actual data storage comm-
encing with the first one bit. Of course, this approach assumes you're getting
good data. The fact that the data recovery is handled using well-proven hard-
ware makes this assumption valid.
If all you need to do is decode the card in a forward direction, then going
about things as I just described makes sense and reduces the coding effort to a
trivial exercise. If you have to support reverse decoding then this is not the
optimal solution. Having considered the tradeoffs of being able to decode a
magnetic card in both forward and reverse directions, I decided to structure the
program to work equally well in either direction at the cost of a slight
increase in initial complexity.
The first step in decoding is to acquire the serial bit stream. This can be
done using a dedicated sample loop or, with a little more work, using interrupt
processing. Since the idea is the same regardless of the details, I decided to
use a sample loop in my demonstration program (listing 1). The code simply
records the incoming data stream and deposits the data in a sample buffer a byte
at a time. Sampling begins when Card Present returns idle. Any incomplete byte
that has been partially assembled at the time when sampling terminates is simply
discarded. The abundance of leading and trailing zeros allows losing some bits
at either end causing any problems.
Once the sampling interval completes, control is transferred to the decoding
algorithm. Presented in listing 2, the track-1 decode algorithm consists of
nothing more than some initialization and the essence of the decode logic.
Limiting the gyrations contained in the main body of this routine not only makes
the logic easy to follow, but permits the same code to handle the decoding in
either a forward or reverse direction.
The initial entry point assumes a forward decode attempt and sets up the
necessary flags, pointers, and counters before jumping into the main initial-
ization code. After initialization, the sample buffer is scanned for the first
one bit, at which time a 7-bit element is assembled. If the parity is correct
and the character code checks out to be a Start Sentinel, the code proceeds and
starts pulling successive data elements from the sample buffer. If the data
element is not an End Sentinel, the character is translated to ASCII and stored
in the decode buffer. Should an End Sentinel be detected, the program extracts
the next character, which is assumed to be the LRC byte, and finally checks the
calculated LRC for a value of zero.
The checks and balances included in the execution of this loop include things
such as parity, a cumulative LRC, and checking to make sure I haven't run out of
samples. If everything checks out, the program terminates and returns with the
DPTR pointing to the decoded data buffer and the character count contained in
ACC. Should a decode failure occur, a test is performed on the direction flag
and if this is an attempt at a forward decode, the routine jumps to the reverse
initialization entry point. The reverse entry is similar to the forward decode
entry but sets up the sample pointer to the end of the sample buffer and sets
the direction flag to indicate a reverse operation.
The routines contained in the intermediate layer are shown in listing 3. The
meaning and operation of these routines should be apparent. The key routine in
this section is GET_BIT, which picks off the next bit from the sample buffer,
essentially restoring the sequential nature of the initial magnetic bit stream.
FIND_START is used to synchronize with the first one bit. GET_CHAR first checks
to make sure it hasn't run out of samples, then assembles the next 7-bit data
element while doing a parity test and LRC calculation. Any problems encountered
here are sent back to the caller and are handled there. STORE_CHAR translates
and deposits the data character into its respective location in the decoded-data
buffer and increments the character counter.
Listing 4 shows the low-level code. These routines perform the most rudiment-
ary functions and operate in accordance with the direction flag. INDEX_PTR
either increments or decrements the sample pointer, POSITION_BIT likewise does
either a right or left shift and LOCATE_BIT returns the state of the least- or
most- significant bit of the accumulator.
GO AHEAD, TAKE A SWIPE
Let me touch on a few additional points that may not be immediately apparent
before signing off. Storing the sampled data in a continuous stream makes the
sample routine work equally well with the various bit configurations used for
the different recording tracks. This would not be easily attained if you tried
to generate a particular element format during sample time. Furthermore, if you
look at the differences between the encoded character sets and the bit formats
for the different tracks, you will find that they differ in only a few areas.
With a few minor changes, such as the defined Start Sentinel, number of bits per
element, and character translation method, the decode routine I've shown could
easily be coerced to handle the decoding of any of the standard magnetic tracks.
As a matter of fact, by recoding and redefining the hard-coded constants as
variables, these could be set up for the particular data track at execution
time before invoking the decode function. Doing so would not only save program
memory, but would also allow you to use a routine you were comfortable with.
*******************************************************************************
FIGURE 1
_____________________________________________________________________
TRACK 1 |SS|FC| PAN |FS| NAME |FS| ADDITIONAL DATA |ES|LRC|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Notes: Track 1 is limited to 79 characters including SS, ES, and LRC.
Mastercard PAN is variable up to 16 characters maximum. VISA is 13 or 16
characters, including mod-10 check digit.
SS: Start sentinel (%)
FC: Format code
FS: Field separator ({)
ES: End sentinel (?)
LRC: Longitudinal redundency check character
PAN (primary account number): 19 digits max.
NAME: 26 alphanumeric characters max.
ADDITIONAL DATA: Expiration date 4
Restriction or type 3
Offset or PVN 5
______________________________________________________________________
TRACK 2 |SS|FC| PAN |FS| ADDITIONAL DATA |ES|LRC|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SS: Start sentinel (;) (hex B)
FS: Field separator (=) (hex D)
ES: End sentinel (?) (hex F)
LRC: Longitudinal redundency check character
PAN (primary account number): 19 digits max.
ADDITIONAL DATA: Expiration date 4
Restriction or type 3
Offset or PVN 5
*****************************************************************************
FIGURE 2
HEAD SIGNAL __/~\__ __/~\__ __/~\__ __/~\__ __/~\__ __/~\_______
`-` `-` `-` `-` `-`
____ _______ __________ ____
CARD PRESENT |______________________________________________|
____ ____ _____________________ ____ ____ _____
READ DATA |____| |_________| |_________|
____ ______ __________ __ __ __ __ __ __ __ __ __ __
READ STROBE |__| |_| |_| |_| |_| |_| |_| |_| |_| |_| |
| 0| 1| 0| 1| 1| 0| 1| 1| 0| 0|
___
HEAD 1-----X---X--------13 |MAG| 9--C2-R3
R1 C1 |TEK| |
HEAD 2-----X---X--------12 | | 10-----X--X
| | | |
X---X------11 | | | R5
X-X R2 C6 | | 6------|--X
| | X---X-------8 | | |
+5VDC --------------X--R7--X--------X-|-----------------14 | | 7-----C3
| |+ | | | ____
R6 C5 | | | 16----DATA
| X----------|------------------5 | | ______
____ _______ | | X------------------2 | | 15----STROBE
CARD PRESENT -------X------|-----------------------------1 | |
| X----X-----3 | |
| C4 R4----4 | |
GND------------------------X------------------X |___|
R=RESISTOR(Values weren't given)
C=CAPACITOR(Values weren't given)
X=CONNECTION BETWEEN WIRES
MAG TEK is the Mag-Tek 21006505
*****************************************************************************
LISTING 1-- Using several externally defined routines, a sample program to
read a stripe and store it in a buffer is very short.
PUBLIC READ_MAG1
EXTERN MS1_BUF (XDATA) ;sample buffer
EXTERN MS1_LIM (NUMBER) ;sample limit
EXTERN MD1_BUF (XDATA) ;decode buffer
EXTERN CP (BIT) ;card present bit
EXTERN M1_CLK (BIT) ;clock bit
EXTERN M1_DQ (BIT) ;data bit
M1_SS EQU 5 ;start sentinel
M1_ES EQU 1FH ;end sentinel
;
SEG CODE
;Sample and decode magnetic track 1
; output: ACC contains character count.
; DPTR points to data buffer
READ_MAG1 PROC
CALL MAG_SAMPLE
JZ L?RM1
CALL MAG1_DECODE
L?RM1: RET
ENDPROC
;General-purpose magnetic sampling routine
; output: ACC contains sample count
MAG_SAMPLE PROC
MOV DPTR,#MS1_BUF
MOV R1,#0 ;sample counter
L?MS1: MOV R0,#8 ;bit counter
L?MS2: JB CP,L?MS4
JB M1_CLK,L?MS2
MOV C,M1_DQ
L?MS3: JB CP,L?MS4
JNB M1_CLK,L?MS3
CPL C
RRC A
DJNZ R0,L?MS2
MOVX @DPTR,A
INC DPTR
INC R1 ;sample counter
CJNE R1,#MS1_LIM,L?MS1
L?MS4: MOV A,R1 ;final sample count
RET
ENDPROC
*******************************************************************************
LISTING 2-- Once the serial bit stream has been acquired, the decoding
algorithm takes over.
;Bidirectional magnetic track 1 decode routine
;input: sample count in ACC, output: ACC contains character count
; DPTR points to decoded data buffer
;Reg. usage for this routine (includes subroutines) as follows:
;R5: Direction flag, 0=forward
;R4: Cumulative LRC register
;R3: Decoded character counter
;R2: Nondecrementing sample count
;R1: Decrementing sample count
;R0: Bit syncronizing counter
MAG1_DECODE PROC
;1st pass, setup for forward decode attempt
MOV R5,#0 ;indicate forward decode
MOV DPTR,#MS1_BUF ;point to start of buffer
MOV R1,A ;sample counter
MOV R2,A ;sample count
JMP L?M1D1
L?M1D0: ;2nd pass, setup for reverse decode attempt
MOV R5,#1 ;indicate reverse decode
MOV DPTR,#MS1_BUF
MOV A,R2 ;sample count
DEC A
ADD A,DPL
MOV DPL,A
CLR A
ADDC A,DPH
MOV DPH,A ;point to end of buffer
MOV R1,2 ;sample counter
L?M1D1: ;decode initialization
MOV R3,#0 ;character counter
MOV R4,#0 ;inital LRC
MOV R0,#0 ;bit syncronizer
CALL FIND_START ;main decode loop
JNC L?M1D5 ;start bit error
CALL GET_CHAR ;Start Sentinel
JB ACC.7,L?M1D5 ;format error
CJNE A,#M1_SS,L?M1D5 ;start setinel error
L?M1D2: ;data byte or End Sentinel
CALL GET_CHAR
JB ACC.7,L?M1D5 ;format error
CJNE A,#M1_ES,L?M1D3 ;end sentinel not found
JMP L?M1D4
L?M1D3:
CALL STORE_CHAR ;data character
JMP L?M1D2
L?M1D4: ;LRC
CALL GET_CHAR ;get LRC
JB ACC.7,L?M1D5 ;format error
MOV A,R4
JNZ L?M1D5 ;LRC error
MOV DPTR,#MD1_BUF ;good return
MOV A,R3 ;final character
RET
L?M1D5: ;decode error, check if 1st pass
CJNE R5,#1,L?M1D0 ;check direction
CLR A ;bad return
RET
ENDPROC
*******************************************************************************
LISTING 3-- The intermediate layer of software is one level removed from the
nitty-gritty details.
;Get the next bit from the sample buffer
;output: C contains data bit
GET_BIT PROC
CJNE R0,#0,L?GB1 ;bit synchronizer
MOV R0,#8
PUSH ACC
MOVX A,@DPTR
CALL INDEX_PTR
MOV B,A
POP ACC
DEC R1 ;sample counter
L?GB1: XCH A,B
CALL POSITION_BIT
XCH A,B
DEC R0 ;bit synchronizer
RET
ENDPROC
;
;Find the first '1' bit in the sample buffer
;output: C=1 if bit is found
FIND_START PROC
L?FS1:
CJNE R0,#0,L?FS2 ;bit synchronizer
MOV R0,#8
MOVX A,@DPTR
CALL INDEX_PTR
DJNZ R1,L?FS2 ;sample counter
JMP L?FS4 ;out of samples
L?FS2: CALL LOCATE_BIT ;test for a '1' bit
JC L?FS3
CALL POSITION_BIT
DEC R0 ;bit synchronizer
JMP L?FS1
L?FS3: ;good return
MOV B,A ;save copy in B
SETB C
RET
L?FS4: CLR C ;bad return
RET
ENDPROC
;
;Get the next 7 bit element from the sample buffer
;output: ACC contains data element
; error flag is ACC.7
GET_CHAR PROC
MOV A,R1 ;sample counter
JZ L?GC2 ;out of samples
MOV R7,#7 ;bit counter
CLR A
L?GC1: CALL GET_BIT ;next bit
RRC A
DJNZ R7,L?GC1
RR A
JNB P,L?GC2 ;parity error
ANL A,#3FH ;discard parity
PUSH ACC
XRL A,R4 ;calculate LRC
MOV R4,A
POP ACC ;good return
RET
L?GC2: SETB ACC.7 ;bad return
RET
ENDPROC
;Translate and store the data character
;input: ACC contains data character
STORE_CHAR PROC
PUSH DPL
PUSH DPH
PUSH ACC
MOV DPTR,#MD1_BUF
MOV A,R3 ;character counter
ADD A,DPL
MOV DPL,A
CLR A
ADDC A,DPH ;generate displacement
MOV DPH,A
POP ACC
ADD A,#' ' ;translate
MOVX @DPTR,A ;store
POP DPH
POP DPL
INC R3 ;character counter
RET
ENDPROC
*******************************************************************************
LISTING 4-- The low-level routines get right down to the ground and take care
of the gory details.
;Index the sample pointer either forward or backward
INDEX_PTR PROC
CJNE R5,#0,L?IP1 ;check direction
INC DPTR ;forward
RET
L?IP1: PUSH ACC ;backward
DEC DPL
MOV A,DPL
CJNE A,#-1,L?IP2
DEC DPH
L?IP2: POP ACC
RET
ENDPROC
;Position bit is in ACC into C in either a right or left shift
POSITION_BIT PROC
CJNE R5,#0,L?PB1 ;check direction
RRC A ;forward
RET
L?PB1: RLC A
RET
ENDPROC
;Locate a 1 bit, either msb or lsb
;output: C=1 if bit is a one
LOCATE_BIT PROC
CJNE R5,#0,L?LB1 ;check direction
MOV C,ACC.0 ;forward
RET
L?LB1: MOV C,ACC.7 ;backward
RET
ENDPROC
*******************************************************************************
Contact:
Mag-Tek, Inc.
20725 S. Annalee Ave.
Carson, CA 90746
(213) 631-8602
fax: (213) 631-3956
*******************************************************************************
--
_
__ | __ | ` __ __ clafave@holonet.net
| | __| ~|~ __|| ||__| Beaverton, Oregon USA
|__ |_ |__| | |__| \/ |__. GO BLAZERS!