Oobleck

Oobleck is a word people use to describe a mixture of cornstarch and water.  When you mix it in the right proportions, you form a non-Newtonian fluid.  This fluid has properties of both a liquid and a solid.  When it undergoes shock, it stiffens up like a solid and resists change.  If you slowly press the substance it will allow your finger to sink into it like a thick liquid.  If you pick up a glob of the substance it will ooze down around your hand and drip back down as though it were a thick liquid.

I once saw an episode of Mythbusters where they made a large vat of this stuff.  Adam was able to run across the top of it by stepping hard onto it to create a shock so the substance stiffened.  I decided that I would like to do something similar to this some day.  I want to make a sort of pathway of oobleck.  I envision the pathway being about 6 inches deep, 5 feet long and 2 feet wide.  This should be enough to allow a person to run across the top but also to sink into.  I found a website online that sells 50lb bags of cornstarch for less than $20.00. I ran through some of the equations for this here:

These equations use the oobleck recipe from this website.  I used the recipe of 1 part water to 1.5 parts cornstarch.  It is possible I may have to mix in more starch if needed.

Platform Size: 15cm tall by 60cm wide by 152cm long

15cm * 60cm * 152cm = 136800cm^3 of total space the oobleck needs to take up

How many cups of cornstarch is in 50lbs?

WolframAlpha says there are 488 calories in 1 cup of cornstarch.
WolframAlpha also says that there are 86409 calories in 50lbs of cornstarch.
86409 calories / 488 calories = 177.1 cups of cornstarch in 1 50lb bag.

How much water do we need?

1.5x + 1x = 136800cm^3
2.5x = 136800cm^3
x = 54720cm^3 of water needed

How much cornstarch do we need?

136800cm^3 - 54720cm^3 = 82080cm^3 of cornstarch
1 cup = 236.6cm^3 according to WolframAlpha
82080cm^3 / 236.6cm^3 = 346.91 cups of cornstarch
346.91 cups / 177.1 cups = 1.96 50lb bags of cornstarch.

According to my math (hope it’s right!) I would need just under two 50lb bags of cornstarch to build this thing.  It would probably be wise to purchase a third bag as well in case there isn’t actually 50lbs of cornstarch in each bag.  Also, the recipe calls for 1.5 to 2 parts of cornstarch, and two bags is barely enough to hit the minimum mark.  It’s possible I will need more than that in order to get the desired effect.  Hopefully I can turn this into a reality some time this year.

Posted in Chemistry, Idea

Site Back Online

I finally got my blog back online today. I will now have to go back and document all the projects I’ve worked on since it went offline last August.

The short version of the story is I lost my old free web hosting and it took a long time for me to get the hard drive with all my data on it.  When I finally received the drive, I was lacking motivation to get the site back online.  After trying to get the site hosted at home I finally decided I don’t like having to use a non-standard port to host my site (Comcast blocks port 80 for home customers).  I realized today that my domain name is expiring soon and it’s a perfect opportunity to switch away from Godaddy.  I decided to move my domain over to Dreamhost and at the same time I decided to just finally pay for shared hosting for my site.  After much mucking around with transferring domains and moving all the blog files and databases over to the new server, it’s finally back online!

I look forward to documenting my projects again :)

Posted in Update

Metasploit on Android

I’ve been wanting to figure out a way to run Metasploit from my first generation Motorola Droid for quite some time.  Messing with my phone is fun but I tend to stray away from doing it very often since it’s my primary tool for communication.  If I brick it or otherwise render it useless I wouldn’t be able to make or receive phone calls (who has a land line anymore?).  That being said, I did some research and I finally found a way I thought I could safely get Metasploit running on my phone.  Here is how I did it.

First of all, your phone has to be rooted.  I rooted my phone months ago and I can’t remember exactly how I did it.  A quick Google search brought me to this website.  The instructions on there look very familiar and I am pretty sure that is how I did it.  Regardless of how you accomplish this task, just know that you will need root access eventually in order for this to work.

Next I had to get the ChevyNo1 ROM image installed on my phone.  But I wasn’t able to get it installed properly with my old bootloader.  I first had to install the latest version of the RZR boot loader.  I just followed the instructions on that site for updating my bootloader.  The steps you take may differ depending on what bootloader you currently have installed.  The steps I took were:

  1. Download the zip file.
  2. Rename it to update.zip.
  3. Upload the file to the root of your SDCARD on your phone.  I did this by plugging in my phone to my laptop’s USB port with the USB cable and enabling USB storage.
  4. Reboot your phone into the boot loader.  For me, I did this by holding down the ‘X’ key on the slide out keyboard while the phone was first booting.
  5. Once I was in the boot loader menu I had to enable updating from update.zip.
  6. Then I just triggered the update.

After this I rebooted the phone and the new boot loader was installed.  The next step was to get ChevyNo1’s ROM image installed on my phone.  This process is basically the same as the last process with one important addition.

  1. Download the ROM image.  I used the unthemed image.
  2. Rename it to update.zip and place it in your SDCARD’s root folder just like last time.
  3. Reboot the phone into the boot loader again.
  4. This time, I wiped all cache and data.  This will erase all of the data on your phone’s internal memory.  If you have anything you want to save, make sure you back it up first or it will be gone forever.
  5. Once the data was wiped, I enabled updating from update.zip and then ran the update.

After another reboot, I was booted into ChevyNo1’s ROM image.  I have to say I was impressed with this custom ROM.  I haven’t tried many of them but this one seems to run much faster than the stock image I was running previously.

Now comes the cool part.  I had heard that some people have been able to get actual distributions of Linux running on the Droid phones.  After some searching around, I found someone who managed to get Back Track 5 running on their Android phone.  This was awesome news because Back Track not only contains Metasploit, but it has tons of other awesome security tools as well.  I figured this was exactly what I needed to get running on my phone.  I mostly just followed the instructions on the forum page I linked to, but I will map out my process here too because there were some tricky parts to it.

  1. Install BusyBox.  I just found an app in the marketplace called “BusyBox Installer”.  There was a free one and that seems to have worked fine.  If you don’t install BusyBox this will definitely not work.
  2. Download the BT5 zip file from one of the listed mirrors.  I used this one.
  3. Extract the file on your PC. Once it is extracted, you should just have a folder called bt5.  If you notice this folder is over 3GB in size once extracted.  You will need to make sure you have enough room on your SDCARD for this folder.
  4. Copy the bt5 folder to your SDCARD root directory using either the phone’s USB cable or by sticking the microsd card in your computer.
  5. Now open up a terminal application on your phone.  You should be greeted with a prompt that looks like “$”.
  6. Change to the root user.  You can do that by just typing in “su” and pressing enter.  If it works, you should be greeted with a “#” prompt.  If it doesn’t work then you probably didn’t root your phone properly.
  7. Now change directory to the bt5 directory by typing in “cd /sdcard/bt5”.
  8. Now the instructions from the forum say to just type in “bt” and it should boot the Back Track OS.  This didn’t work for me.  I figured out that the reason is that the first generation Motorola Droid doesn’t natively support the EXT2 file system.  Luckily, ChevyNo1’s ROM image came with a loadable EXT2 kernel module.  To check if your phone supports EXT2, type in this command, “cat /proc/filesystems”.  If you see “ext2” in the list then skip step 9.  If you don’t see it, then proceed to step 9.
  9. Load the EXT2 module that came with ChevyNo1’s ROM image.  Do this by typing in “modprobe ext2”.  To see if it worked, type in “cat /proc/filesystems” and see if it lists ext2 now.  If it does then proceed but if not then you have a problem somewhere.  You will need to find a ROM image for your phone that supports EXT2 in order to continue.
  10. Now make sure you are in the /sdcard/bt5 directory and type in “sh bt”.  If all goes well you should see some text on the screen.  If you are like me, you will see some errors involving “mkdir”.  If not then you may be lucky and you can skip the next step.
  11. When I tried to start up Back Track 5 I got some errors about the mkdir command.  The Android system doesn’t support that command natively.  BusyBox adds the support.  For some reason, the BusyBox installation I chose did not fix the symlink for the mkdir command so I had to do it myself.  Just use the following command, “ln -s /system/xbin/busybox /system/bin/mkdir”.  This will create a symlink so when you or the BT5 scripts try to run the mkdir command, it will use BusyBox to do so.  This fixed the problem for me and I was able to continue.
  12. At one point it will ask you if you want to start a VNC server.  This will allow you to use a VNC viewer from a PC to log into your phone and get a desktop.  You can do this if you want, but the Droid phone has so little RAM that I find the desktop interface is practically unusable.  I just say “No” to this prompt.
  13. Now you should be greeted with a new command prompt!  Mine says “root@localhost”.  If so, then congratulations because you have Back Track 5 running on your cell phone.

The whole reason I went through this process was to get Metasploit running on my phone.  So how did I do that?  Easy.  Once you are at the root@localhost prompt just type in “msfconsole”.  It takes a good 15-20 seconds or so for it to load, but it should eventually.  I have used this console to successfully exploit a Windows 7 Virtual machine running on my laptop.  I was able to get a remote shell prompt as well as start the remote desktop service and then use an Android RDP client to connect to it using a user I added with the exploit.  It’s fantastic.  I can also run other programs such as NMAP.

I quickly grew tired of having to load the ext2 module every time I rebooted my phone, as well as typing all of the other commands on my little Droid keyboard.  To overcome this, I wrote a few scripts on my phone.  First, I wrote a script called “bt” and saved it to /system/bin/bt in the Android filesystem (not the BT5 filesystem).  I had to “chmod +x” it in order to make it executable.  In this file is just 4 lines of code:

#!/system/bin/sh
modprobe ext2
cd /sdcard/bt5
sh bt

Now whenever I want to start up Back Track 5, I just open a terminal window, type in “su” to change to root, then I type in “bt”.  The script automatically loads the ext2 module and starts up Back Track for me.

Some things to keep in mind with this.  As far as I can tell, the Back Track installation cannot communicate over the 3G network.  It can only communicate via wifi.  I always connect to an access point before starting up the BT5 instance and it seems to work fine.  Also, my phone has very little RAM.  This means that if I am running a Metasploit instance and then try to start up some other program leaving the terminal window in the background, the phone runs out of memory and kills the terminal.  This closes everything I have done in Metasploit and I have to start all over.  It’s best to just leave the terminal window open at all times when working with Metasploit.  Another thing to note is that BT5 will start an ssh server on your phone.  You can log into that server from a workstation with the username of root and the password root.  This is good to know because it is much easier to type on a real keyboard.  It’s also good to know because anyone can ssh into your phone with that simple password.

Posted in Hacking, Mobile, Project, security

Pneumatic Rocket Launcher

On May 29, 2011 Ellery and I decided to build an air powered rocket launcher. We were inspired by a project that was displayed at this year’s Bay Area Makerfaire. The rockets are made out of paper and tape and can be built in just a few minutes. It was a quick and cheap project that has so far resulted in tons of fun. I highly recommend anyone try this themselves if they like to have fun. Check it out over in the completed projects section.

Posted in Pneumatics, Project

Rubens Tube

My friend Ellery and I decided to build a Rubens tube this weekend. Check it out under the completed projects section. It’s awesome! We also built a vortex cannon last weekend. I’ll try to get some information up about that later this week when I find some time.

Success!

Posted in Fire, Sound, Update

Thing-o-matic Has Arrived!

My Makerbot Thing-o-matic finally arrived Wednesday afternoon after four weeks of waiting.  I spent pretty much my entire night working on it.  I managed to complete the X and Y stages, which include the automated build platform.  I had a hard time getting the ABP rollers into place with the belt that came with the kit.  It was so tight it was nearly impossible to get them in.  I ended up having to put one in first, then pull it out a bit to give a bit of room to get the second roller in halfway.  Then it was a matter of forcing them both down.  I think the belt may have pressed too hard against a piece of the wood and created a small dent in the belt.  I’m hoping that won’t affect printing.  The kit did come with two extra belts if this does become a problem.

X and Y axis

Posted in 3D Printer, Project

Back in Action

Wow I haven’t updated my blog in over a year…  That’s sad.  I have been working on stuff I swear.  I guess I just got too lazy to write about it.  I’m going to attempt to kill that laziness again and start writing about what I’m working on.  I am once again working on the Magomatic.  A few months back I upgraded it with an LCD screen and some buttons.  The idea was that I could scan in a magstripe card, edit the data using the screen and the buttons, then emulate the changed data.  I was able to get the data editing to work, although it was a bit glitchy at times, but unfortunately somehow the emulation seemed to have broken.  Eventually I got frustrated and called it quits.

I have decided to redo this entire project with the goal of having the editing built in.  I am going to be re-coding the whole thing for the Arduino.  I have decided to go the Arduino route since it seems to be much more popular than the SX chip and I think more people might get use out of any good information I find.  Also the Parallax SX chip is now end of life so who knows how much longer it will be around.

As of right now, I have some working code on the Arduino that will read in the magstripe data from a TTL Track 2 reader.  The same reader I was using before.  It doesn’t convert it into the actual number values yet but it does properly read in the binary.  There is no error checking since I haven’t deemed that part important yet.

I also have a bit of code that seems to emulate data properly, but my other magstripe reader does not read the data.  If I use my “pseudo sound card ghetto-scope” I can see the waveform generated by the Arduino and it appears to be outputting all of the correct data bits the same way the SX chip was.  Last night I wound a new coil to make a new emulator in case the one I had been using somehow broke over the months it has been kicking around in my trunk but it was a no go.  I am starting to think either the Arduino is not putting enough power through the coils, or this new magstripe reader I have is not as susceptible to this attack.  This reader can read tracks 1 and 2 so perhaps since I am blasting track 2 data at both read heads it is confusing the reader.  I can see the green light on the reader going away when I emulate data but it doesn’t output anything.  Even if it gets bad data it should output an error code but I get nothing instead.  I suspected that track 1 would show an error but track 2 would be emulated.

Because I get no errors or anything I am thinking that maybe I need to up the power going into the coil.  To do this, I will probably have to use a transistor to run 5V directly from the power supply to the coil instead of powering the coil from the Arduino pin.  If this doesn’t work, I might need to up the voltage still.  The SX chip only outputs 5V from its pins though and that worked fine.

I also lost the adapter board I had that allows me to hook the TTL magstripe reader up to a USB port.  I know for a fact that I could successfully emulate data into that reader.  Also, that reader will output raw binary data that it sees, regardless of whether it is good data or not.  The two track reader I have will decode the data for you and then output that, so if the data is bad you don’t see anything.  Because of this, I am trying to build a new adapter board to hook up the TTL reader to my computer’s PS/2 port via an Arduino.  I found some handy information online about interfacing with a PS/2 port and I will document what I found here.

The following information was found on this page.

  • The PS/2 mouse and keyboard implement a bidirectional synchronous serial protocol.
  • The bus is “idle” when both lines are high (open-collector).
  • This is the only state where the keyboard/mouse is allowed to begin transmitting data.
  • The host has ultimate control over the bus and may inhibit communication at any time by pulling the Clock line low.

Data = high, Clock = high:  Idle state
Data = high, Clock = low:  Communication Inhibited
Data = low, Clock = high:  Host Request-to-send

  • 1 start bit.  This is always 0.
  • 8 data bits, least significant bit first.
  • 1 parity bit (odd parity).
  • 1 stop bit.  This is always 1.
  • 1 acknowledge bit (host-to-device communication only)

The site also has some handy schematics for interfacing a microcontroller to a PS/2 port.
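To make the framing rules above concrete, here is an added Python model (not from the linked page or the Arduino code) that builds device-to-host and host-to-device frames, checks the start, stop and odd-parity bits, and splits a captured bit string into bytes. The capture in the `__main__` block is constructed; the acknowledge bit value 0 is the device pulling Data low.

```python
"""PS/2 serial frame model: the framing described above, as bit lists."""


def odd_parity(byte):
    """Parity bit chosen so the 8 data bits plus parity hold an odd number of ones."""
    return 1 - bin(byte & 0xFF).count("1") % 2


def device_frame(byte):
    """Device-to-host frame: start bit 0, 8 data bits LSB first, odd parity, stop bit 1."""
    data = [(byte >> i) & 1 for i in range(8)]
    return [0] + data + [odd_parity(byte), 1]


def host_frame(byte, ack=0):
    """Host-to-device frame: the same 11 bits followed by the device's acknowledge
    bit, which the device signals by pulling Data low (0)."""
    return device_frame(byte) + [ack]


def parse_device_frame(bits):
    """Recover the byte from an 11-bit device-to-host frame, checking framing and parity."""
    if len(bits) != 11:
        raise ValueError("expected 11 bits, got %d" % len(bits))
    if bits[0] != 0:
        raise ValueError("bad start bit (must be 0)")
    if bits[10] != 1:
        raise ValueError("bad stop bit (must be 1)")
    byte = sum(b << i for i, b in enumerate(bits[1:9]))   # LSB was sent first
    if bits[9] != odd_parity(byte):
        raise ValueError("parity error in byte 0x%02X" % byte)
    return byte


def frame_is_valid(bits):
    """True if bits form a well-formed device-to-host frame."""
    try:
        parse_device_frame(bits)
        return True
    except ValueError:
        return False


def parse_device_stream(bits):
    """Split a capture of back-to-back device-to-host frames into bytes.
    The bus idles with Data high, so stray 1s between frames are skipped
    until the next start bit (0)."""
    out, i = [], 0
    while i < len(bits):
        if bits[i] == 1:            # idle line, not a start bit
            i += 1
            continue
        out.append(parse_device_frame(bits[i:i + 11]))
        i += 11
    return out


if __name__ == "__main__":
    # Constructed capture: two frames with idle bits around them.
    capture = [1, 1] + device_frame(0x5A) + [1] + device_frame(0x00)
    print(device_frame(0x5A))
    print([hex(b) for b in parse_device_stream(capture)])
```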

Posted in Electronics, Project, security

Magomatic Brute Forcing?

I was writing up the page for the Magomatic and started on the improvements section.  I realized I started going on and on about a possible brute-forcing function and I decided that it would be better suited for a post instead of putting it on the page.  So prepare yourself, as I am about to dump everything I can think of regarding brute forcing magstripe card door locks.

I was thinking that since I can just read card data with a computer,  I should be able to read a room number off the card, alter that data to another room number, and put that information on my emulator.  This would work in theory, but what if the card contains encrypted data?  Then you would not know what represents the room number.  What’s more, what if the card does not conform to the track 2 standard?  They could use their own protocol.  Either way, all I will see are 1’s and 0’s.

Since the encrypted data is still only 1’s and 0’s, you could potentially try every possible combination of 1’s and 0’s until you found a combo that worked. Analyzing multiple cards of the same type, (door keys for example) you could potentially see how much data changes from room to room or date to date.  You could then lower the amount of bits you would have to brute force to just the number of bits that change.  This may be impractical seeing that to brute force each bit would mean that the total number of possible combinations is equal to 2^n where n is equal to the number of bits required to brute force.  That means for just 10 bits you would have to try 2^10 = 1024 combinations.  It would probably take the magstripe reader about 1.5 – 2 seconds to deny a card.  If it took 2 seconds, that means brute forcing 10 bits would take (1024 * 2) / 60 = 34.13 minutes.  That might not be worth the time.

Another option for brute forcing is to brute force each byte, rather than each bit.  This will only work if the magnetic stripe key follows valid track protocol and is not encrypted.  In this case, you could just read the data on your computer and alter whatever you wanted, however what if you wanted a hand held device to do everything for you automatically?  It is rather cumbersome to hook up a reader to a laptop, scan the card, alter the data, program a microcontroller, put the micro in your emulator, and then open a door.  It would be much nicer to have a device that could just brute force open any door.

If one of these cards follows valid track 2 format, then you could just brute force every 5 bits (there are 5 bits in a byte in track 2 format) rather than every single bit.  However, now you have more possibilities for each byte.  It’s not just either a one or a zero.  Each byte can represent 11 different characters (0-9, =).  I found this information by consulting this resource.  Track 2 also states that there are 37 data bytes between the start and end sentinel values.  This means that the total possible combinations you would have to brute force would be 11^37 = way too many to be worth the time.  In this case, the best thing to do would be to analyze the data on a computer, figure out where the room number and/or expiration date is stored, and then program a microcontroller to try every possible room number while keeping the other data the same.  It could then make sure that the date was some date way in the future to ensure it would work.  Better than this, you could put an interface on the device to program the exact room number.  Using a serial LCD and a few buttons, you could view the data after it is scanned into the device.  Then the buttons can be used to alter the data or just punch in the room number.

Brute forcing these things seems mostly impractical due to the fact that it would take forever to brute force all the data on a card but in the event of encryption, it may be necessary.  If you can narrow down just a few bits that need brute forcing it would be worth it.  I’ll have to experiment once I have some data to analyze.

Posted in Electronics, Project, security

Magstripe Emulator Device Complete

I first became interested in magstripes a few years back.  I found a few resources online that explained how you can build a primitive magstripe reader using just a magnetic read head from a Walkman and a headphone jack.  You can use custom software to look at the waveform that is created and decode the binary data.  I never was able to get that working right, most likely due to not being able to swipe the read head over the card in the exact right spot.  A few weeks back I finally decided to bite the bullet and just buy a magstripe reader online so I could play with magnetic stripes.

After reading through the StripeSnoop site I decided to buy a $30 TTL magstripe reader.  These seem to be the simplest to use and they work with StripeSnoop.  However, StripeSnoop requires a gameport or parallel port connection, and most computers nowadays do not have either of those.  I wanted to be able to use my reader on any system.  I found this guide that shows how to make a sort of USB adapter for the TTL reader.  It basically reads the TTL signals from the magstripe reader, and then “types” them into the computer as though it is a keyboard.  If you have a notepad window open it will just dump a long string of 1’s and 0’s into the window.  StripeSnoop has a -i option that takes input from the keyboard so all of this should work together.  I purchased one of the adapter boards along with the magstripe reader. Five days later they both showed up at my door and in about an hour I had everything hooked up on my computer and functioning.  My reader only reads track two, although I could read track one if I put a small piece of plastic in the bottom of the reader to raise up my cards by exactly one track size.  For now, reading just track two will work fine since my research showed that most cards use that track anyway.

Enter the idea for the Magomatic.  I’ve had this idea for a while but it keeps changing slightly in my mind.  I essentially want the ability to read a magstripe card and then emulate it back.  This is different from cloning a magstripe card onto another card.  This is basically “recording” the magstripe data and then “playing” it back as though it is coming from a magstripe card, even though it is not. I first thought that the easiest way to accomplish this goal would be to record the magstripe data as audio, and then play it back out through an amplifier, into an electromagnet.  I had found this instructable where someone did something similar and proved that it works.  This person would scan in the data, and then put it into a C program.  The C program would encode the binary data into a wav file.  He could then put the wav file on his iPod, play it out through an amplifier and into an electromagnet.  He included a video to prove that the concept works.  This is how I started the project.

I had to prove to myself that his idea worked. I created an electromagnet and downloaded his source code.  I also purchased a small battery powered amplifier from RadioShack that was able to boost an audio signal pretty loud.  I wasn’t able to get the C program to work correctly so I ended up changing some of the code around.  I altered it so I could just paste the raw binary data from my card into an array in the program.  It would then encode that data, rather than converting symbols and letters into binary data and having to generate valid checksums.  After some fiddling with the code and with volume settings I was able to get this working.  I could play the audio file out of my headphone jack, through the amplifier, into the electromagnet, and then into the card reader.  The card reader thought I had swiped my card.  Success.

The next step was figuring out how I could store the data on something portable.  I didn’t want to have to lug around a computer.  My idea was to have a small, handheld device that could read a card and then instantly play it back.  I bought a small picture frame from RadioShack that included a 10 second voice recording module.  It is supposed to be used to store a message along with your photograph.  I had other plans.  I ripped that picture frame apart and pulled out the small recording module.  I removed the microphone and the speaker and just left some wires attached.  To test the module, I hooked my computer’s headphone port up to the microphone wires of the circuit using some alligator clips and a 1/8 inch mono jack.  I pressed the record button on the module and then played the working wav file through the headphones.  I then moved the alligator clips to the speaker wires and plugged the headphone jack into the audio amplifier.  I then had another set of clips going from the amplifier to the electromagnet.  After fiddling with the volumes for recording and playback, I had it working.  I now knew that it was possible to record magstripe audio data onto this module and play it back without losing the data.

The last step was to create my own simplistic reader from a magnetic read head.  I bought an old Walkman from the local Goodwill for $4.  The read head was not difficult to remove.  Unfortunately, I had a terrible time figuring out how to build a mechanism that would line up the read head exactly to track two of the magstripe card and swipe in a nice, straight line.  I tried a few things but everything failed.  I could tell it was picking up data but I never knew what track(s) it was from.  Eventually, after all that work, I had to give up on the audio idea.

It was time to come up with a new plan.  How else could I record the data and play it back though?  I had already been thinking it would be nifty to be able to record the data digitally, rather than via an analog signal.  Having the actual data would allow the possibility of data manipulation.  Why would it be good to manipulate the magstripe data?  One application is in hotels.  Most hotels use magstripe cards as room keys.  What if that data was not encrypted?  What if I could just read the data, see the room number in the data, and then change it to another room number?  I could open any room in the hotel!  I could even put a number pad on the device to allow me to choose what room I wanted to enter.  This is just one interesting application that I thought of.  But how could I accomplish this?

I pretty much instantly thought of using a microcontroller.  I assumed that a Basic Stamp would be too slow to read the magstripe data, and also, Basic Stamps are expensive at around $50 a pop.  My next thought was to use the Parallax SX chip, since it’s the only other microcontroller that I have used and have a programmer for.  To prevent myself from re-inventing the wheel I Googled around to see if anyone else had interfaced a magstripe reader to an SX chip before.  I got lucky and found one article where someone did just that.  He also used the easier to understand SX/B code rather than assembly so it worked rather well for me.

I was going to have to edit the code, though.  He was using a serial LCD for output but I don’t have one of those.  My only real option was to set WATCH’s on the variables that hold the data and then poll for the variables while debugging.  After a few days of fiddling, frustration, code editing, etc I had to give up for a bit.  I was having a terrible time making that code work with my reader.  The author had used a similar, yet different reader and his code just wasn’t working right for me.  At this point I had changed pretty much all of it and simplified it as much as possible and still wasn’t getting anywhere.  I decided to focus my attention on the emulation part of the project.

I figured it would be a waste of time to finally get this reader working, only to find out that I was unable to emulate magstripe data with the SX.  Emulating the data turned out to be a piece of cake.  I created two SX/B functions to output either a one or a zero depending on which function was called.  You essentially have the electromagnet hooked up to two SX pins.  If you want to output a one, you just turn one pin off, and the other on, then after about 1ms you switch them.  For a zero, you turn one pin on and the other off, but after the 1ms delay you leave them in the same position for 1 ms.  You can then “flip the pins” to make the current travel through the electromagnet in the other direction.  I wrote a simple program to output a fake credit card number, including the start sentinel, end sentinel, checksum bits, and the LRC byte.  The extra information was necessary for StripeSnoop to properly decode data.  More information on magstripe protocols can be found at this great resource.

Now it was time to get back to the card reader.  It took another 2-3 days of fiddling before I finally got this part working, but I did.  I was able to store the credit card information in a byte array, and then play it back through an electromagnet into my computer.  StripeSnoop thought I swiped my credit card.  Victory at last!  But I still had to merge the reader function with the emulation function.

Initially, the reader function would specifically wait for the start sentinel character and then collect data in 5 bit intervals.  This is how the typical track 2 protocol works.  After thinking about it, though, I realized that hotel systems and other systems might not follow that protocol.  They could very well use their own system.  That’s when it occurred to me that for simply replaying the data, I didn’t even have to collect it in such a tedious manner anyway.  That is only beneficial if I want to view the data in a way that I can read it.  Instead, I altered the code to just fill up each byte all the way, instead of only the first 5 bits.  I ended up with two 16-byte arrays.  As you swipe the card, it stores the binary data in each bit of those arrays.  Once the data is stored in the variables you just put the magnet inside the card reader, press a button, and it reads through the variables bit by bit and powers the electromagnet as necessary.  Everything worked as it should.  I now had a working magstripe emulator.
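The read-and-replay loop above stores raw bits without decoding them. The Python below is an added example (not code from the post, from StripeSnoop, or from the SX/B program) that turns a dump of 1s and 0s, like the one the USB adapter types into a notepad window, back into track 2 characters, checking each 5-bit character’s odd parity and the LRC mentioned earlier; going a step beyond the text, it also accepts a backward swipe by retrying on the reversed stream. The record it encodes in `__main__` is a constructed, made-up number, not real card data.

```python
"""Track 2 magstripe bit-stream encoder and decoder (ISO/IEC 7811 layout).

Each Track 2 character is 5 bits: 4 data bits sent LSB first plus an
odd-parity bit; the 16 values map onto ASCII '0'..'?'.  A record is:
clocking zeros, start sentinel ';', data, end sentinel '?', LRC, trailing zeros.
"""

ALPHABET = "0123456789:;<=>?"   # 4-bit value 0..15 -> character
START_SENTINEL = ";"            # value 11
END_SENTINEL = "?"              # value 15
MAX_CHARS = 40                  # 37 data characters plus sentinels, with slack


def char_bits(ch):
    """5 bits for one character: 4 data bits LSB first, then an odd-parity bit."""
    value = ALPHABET.index(ch)
    data = [(value >> i) & 1 for i in range(4)]
    parity = 1 - sum(data) % 2          # make the total number of ones odd
    return data + [parity]


def encode_track2(payload, clocking_zeros=10):
    """Build the raw bit stream for a payload such as '1234567890=2512'."""
    bad = [c for c in payload if c not in ALPHABET]
    if bad:
        raise ValueError("not Track 2 characters: %r" % bad)
    chars = START_SENTINEL + payload + END_SENTINEL
    lrc = 0
    for c in chars:                      # LRC = XOR of every 4-bit value, sentinels included
        lrc ^= ALPHABET.index(c)
    chars += ALPHABET[lrc]               # the LRC character carries its own parity bit
    bits = [0] * clocking_zeros
    for c in chars:
        bits.extend(char_bits(c))
    return bits + [0] * clocking_zeros


def _value(group):
    """4-bit value of a 5-bit group (data bits are LSB first)."""
    return sum(b << i for i, b in enumerate(group[:4]))


def _decode_forward(bits):
    """Decode bits in the given order.  Returns the payload, or None if the
    first 1 after the clocking zeros does not begin a start sentinel."""
    if 1 not in bits:
        return None
    pos = bits.index(1)
    if bits[pos:pos + 5] != char_bits(START_SENTINEL):
        return None
    chars = []
    while True:
        group = bits[pos:pos + 5]
        if len(group) < 5:
            raise ValueError("stream ended before the end sentinel")
        if sum(group) % 2 == 0:
            raise ValueError("parity error in character at bit %d" % pos)
        chars.append(ALPHABET[_value(group)])
        pos += 5
        if chars[-1] == END_SENTINEL:
            break
        if len(chars) > MAX_CHARS:
            raise ValueError("no end sentinel within the maximum record length")
    lrc_group = bits[pos:pos + 5]
    if len(lrc_group) < 5 or sum(lrc_group) % 2 == 0:
        raise ValueError("LRC missing or has bad parity")
    expected = 0
    for c in chars:
        expected ^= ALPHABET.index(c)
    if _value(lrc_group) != expected:
        raise ValueError("LRC mismatch: got %d, expected %d" % (_value(lrc_group), expected))
    return "".join(chars[1:-1])          # strip the sentinels


def decode_track2(dump):
    """Decode a reader dump (a '0101...' string or a list of ints), accepting a
    backward swipe too, which delivers the whole stream reversed."""
    bits = [int(b) for b in dump if str(b) in "01"]   # drop newlines and spaces
    payload = _decode_forward(bits)
    if payload is None:
        payload = _decode_forward(bits[::-1])
    if payload is None:
        raise ValueError("start sentinel not found in either direction")
    return payload


if __name__ == "__main__":
    # Constructed sample: a made-up number, not real card data.
    stream = encode_track2("1234567890=2512")
    print("".join(map(str, stream)))
    print(decode_track2(stream), decode_track2(stream[::-1]))
```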

I spent all morning and early afternoon drawing up a schematic, collecting parts, soldering, and troubleshooting.  After a few hours I had a working circuit board.  About 4 hours ago I was able to fit everything into a project box the way I wanted.  I did one last test with everything fitted to make sure it still worked and it worked just fine.  My goal of having a portable, battery-operated device capable of cloning magstripe cards is now a reality.  I’m heading to Las Vegas in one week for a short vacation with my family.  I can’t wait to test this thing out.  I’m hoping that the hotel uses track two so I won’t have to try and read tracks one or three and mess with my reader.  I’m also hoping that the keys are encrypted in any way.  This might let me program the SX with my laptop to open other doors.  I’ll post an update once I get back with the results of my experiment.

I’ll also take some photos of the device and post them on the project page.  If I am able to get it to open my hotel room door I’ll definitely post up a video as well.

Posted in Electronics, Project, security

Packet Radio

Last February I got my Technician class amateur radio license.  Why?  Because I became really interested in high altitude ballooning.  After looking at those pictures how could anyone NOT become interested?  The hobby consists of launching a weather balloon up in excess of 90,000 feet.  The balloon carries a payload that contains a GPS unit for tracking, and a radio to transmit the GPS coordinates back down to the ground, among other things.  Another device called a Terminal Node Controller (TNC) takes the GPS data and turns it into an audio signal to send over the radio.  The TNC also presses the Push to Talk (PTT) switch on the radio before sending the audio.  Essentially a TNC is a radio modem.  It takes digital data and turns it into audio to transmit through the air.  TNCs can also do the reverse, and take an audio signal input from a radio to turn it back into digital data.  Without this technology, high altitude ballooning wouldn’t be possible.  Why send up a balloon to take photos if you can’t recover the payload?

This got me thinking.  You can send GPS data over radio, so why can’t you send other data over radio?  Well, you can.  In fact, people have been doing this for a LONG time.  My problem was, TNCs are expensive.  Several hundred dollars expensive.  After some Googling, I found out that you can actually use your computer’s sound card as a modem.  Makes sense right?  There is software called soundmodem that runs on multiple operating systems that does just this.  It creates a virtual KISS TNC interface in your system for use with packet radio programs.  All you really need is some audio cables, and a PTT interface.  Luckily, a serial PTT interface is really easy to build.

I did some testing yesterday morning with packet radio using a manual switch.  To make the switch, I just cut the ground wire of a 1/8″ stereo audio cable and soldered a momentary pushbutton switch to it.  When I want to send audio out of my radio from the computer, I just hold the switch down manually and set the packet radio software to transmit.  It took some fiddling, but I finally got it working.  I transmitted from my PC running a virtual Ubuntu install through one radio.  The signal went through the air and out the microphone jack of a second radio plugged into my laptop running Windows XP.  I sent the message “KE7SAL testing testing” and the laptop received it.  There were some extra garbage characters before and after the message, but none in between.  It was pretty awesome.  The software I was running is called fldigi.  It runs on both Windows and Linux and worked really well.  At first I tried transmitting with fldigi and receiving with digipan, but digipan could not pick up the signal properly.  I tried tweaking settings but to no avail.  Once I switched to using the same program for send and receive it worked flawlessly.

Now that I can send data to myself, I want to send data to somewhere else!  Although it’s cool knowing that I can do it, it’s just not as cool as actually using it for a purpose.  Until some friends of mine get set up with packet radio gear I will need to find another way to go about this.  That’s where a BBS comes in.  A radio BBS is kind of like an old telephone computer BBS.  You can “dial” into it with your radio and a computer and send/receive messages.  Most BBSs nowadays are also connected to the Internet so you can send and receive emails via radio.  There are a few in my city, although I’m not sure I will be able to hit them from my apartment.  Maybe if I use an external antenna and place it in a good location outside.  Regardless, I’m going to start getting my computers set up to deal with BBSs this week.  Here is a breakdown of the steps as far as I can tell:

1) Make sure the AX.25 protocol is enabled in my kernel.  This is the network protocol that packet radio uses to communicate with BBSs among other things.

2) Make sure KISS mode TNC’s are enabled in the kernel.

3) Install soundmodem.

4) Configure soundmodem using the soundmodemconfig utility.

5) Install jnos2.  jnos2 is a packet BBS software.  I believe it can be used as a BBS client or as a BBS server.  This could prove to be fun to experiment with later on.

6) Configure jnos2 to use the soundmodem interface.

7) Build the PTT interface.

That should be about it… I think.  After all of that is done I believe I should be ready to communicate with BBSs, or just communicate using the AX.25 protocol in general.  If I get a friend to run jnos2 we should be able to send/receive email with each other via radio whenever.  I’m getting pretty psyched about this for some reason.  There’s just something cool about knowing you can transmit any data you want all over the place wirelessly without requiring any type of phone, cable, internet, etc service.  All you need is electricity!
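Steps 1 and 2 of the list above are the kind of thing that is easy to assume and painful to discover missing only after soundmodem and jnos2 are installed.  The following is an added example, not part of the original post, that reads a Linux kernel `.config` and reports whether AX.25 (`CONFIG_AX25`) and the KISS line discipline (`CONFIG_MKISS`) are built in or available as modules.  The sample config text is constructed; on a real machine `load_running_kernel_config` tries `/proc/config.gz` and `/boot/config-<release>`, the two places distributions usually expose the running kernel's configuration.

```python
"""Added example: check a kernel config for AX.25 and KISS TNC support.

Not part of the original post.  Covers steps 1 and 2 of the list above.
The SAMPLE_CONFIG below is constructed, not taken from a real kernel.
"""
import gzip
import os
import re
from pathlib import Path

# Option name -> what it provides for packet radio
REQUIRED = {
    "CONFIG_AX25": "AX.25 protocol (step 1)",
    "CONFIG_MKISS": "KISS line discipline for KISS TNC interfaces (step 2)",
}

# Matches "CONFIG_FOO=y", "CONFIG_FOO=m", "CONFIG_FOO=value"
# and the disabled form "# CONFIG_FOO is not set".
_LINE = re.compile(r"^(?:# )?(CONFIG_[A-Z0-9_]+)(?:=(\S+)| is not set)")

# Constructed sample in the format a real .config uses.
SAMPLE_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
# (constructed sample, not a real kernel configuration)
#
CONFIG_HAMRADIO=y
CONFIG_AX25=m
CONFIG_AX25_DAMA_SLAVE=y
CONFIG_NETROM=m
# CONFIG_ROSE is not set
CONFIG_MKISS=m
# CONFIG_6PACK is not set
"""


def parse_kconfig(text):
    """Map CONFIG_* names to 'y', 'm', a literal value, or 'n' when not set."""
    opts = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            name, value = m.groups()
            opts[name] = "n" if value is None else value
    return opts


def packet_radio_readiness(config_text):
    """State of each required option: 'y' (built in), 'm' (module) or 'n'."""
    opts = parse_kconfig(config_text)
    return {name: opts.get(name, "n") for name in REQUIRED}


def missing_support(config_text):
    """Names of required options that are neither built in nor a module."""
    return [name for name, state in packet_radio_readiness(config_text).items()
            if state not in ("y", "m")]


def load_running_kernel_config():
    """Return the running kernel's config text, or '' if it is not exposed."""
    for path in (Path("/proc/config.gz"),
                 Path(f"/boot/config-{os.uname().release}")):
        try:
            if path.suffix == ".gz":
                with gzip.open(path, "rt") as fh:
                    return fh.read()
            return path.read_text()
        except OSError:
            continue
    return ""


if __name__ == "__main__":
    text = load_running_kernel_config() or SAMPLE_CONFIG
    for name, state in packet_radio_readiness(text).items():
        print(f"{name:14} {state:3} {REQUIRED[name]}")
    gaps = missing_support(text)
    print("missing:", ", ".join(gaps) if gaps else "none")
```

An option reported as `m` still needs the module loaded (`modprobe ax25`, `modprobe mkiss`) before `/proc/net/ax25` appears, so this check tells you whether the kernel can do packet radio, not whether it is currently set up for it.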

Posted in Project, Radio