<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Rick's Awesome Blog &#187; magnetic</title>
	<atom:link href="http://www.richardosgood.com/blog/tag/magnetic/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.richardosgood.com/blog</link>
	<description>(Not) Just another WordPress weblog</description>
	<lastBuildDate>Sun, 05 Apr 2009 12:23:05 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Magomatic Brute Forcing?</title>
		<link>http://www.richardosgood.com/blog/2009/04/05/magomatic-brute-forcing/</link>
		<comments>http://www.richardosgood.com/blog/2009/04/05/magomatic-brute-forcing/#comments</comments>
		<pubDate>Sun, 05 Apr 2009 12:23:05 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Project]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[magnetic]]></category>
		<category><![CDATA[magomatic]]></category>
		<category><![CDATA[magstripe]]></category>

		<guid isPermaLink="false">http://www.richardosgood.com/blog/?p=60</guid>
		<description><![CDATA[I was writing up the page for the Magomatic and started on the improvements section.  I realized I started going on and on about a possible brute-forcing function and I decided that it would be better suited for a post instead of putting it on the page.  So prepare yourself, as I am about to [...]]]></description>
			<content:encoded><![CDATA[<p>I was writing up the page for the Magomatic and started on the improvements section.  I realized I started going on and on about a possible brute-forcing function and I decided that it would be better suited for a post instead of putting it on the page.  So prepare yourself, as I am about to dump everything I can think of regarding brute forcing magstripe card door locks.</p>
<p>I was thinking that since I can just read card data with a computer,  I should be able to read a room number off the card, alter that data to another room number, and put that information on my emulator.  This would work in theory, but what if the card contains encrypted data?  Then you would not know what represents the room number.  What&#8217;s more, what if the card does not conform to the track 2 standard?  They could use their own protocol.  Either way, all I will see are 1&#8217;s and zeros.</p>
<p>Since the encrypted data is still only 1&#8217;s and 0&#8217;s, you could potentially try every possible combination of 1&#8217;s and 0&#8217;s until you found a combo that worked. By analyzing multiple cards of the same type (door keys, for example), you could potentially see how much data changes from room to room or date to date.  You could then lower the number of bits you would have to brute force to just the number of bits that change.  This may be impractical, seeing that to brute force each bit would mean that the total number of possible combinations is equal to 2^n, where n is equal to the number of bits required to brute force.  That means for just 10 bits you would have to try 2^10 = 1024 combinations.  It would probably take the magstripe reader about 1.5 &#8211; 2 seconds to deny a card.  If it took 2 seconds, that means brute forcing 10 bits would take (1024 * 2) / 60 = 34.13 minutes.  That might not be worth the time.</p>
<p>Another option for brute forcing is to brute force each byte, rather than each bit.  This will only work if the magnetic stripe key follows valid track protocol and is not encrypted.  In this case, you could just read the data on your computer and alter whatever you wanted, however what if you wanted a hand held device to do everything for you automatically?  It is rather cumbersome to hook up a reader to a laptop, scan the card, alter the data, program a microcontroller, put the micro in your emulator, and then open a door.  It would be much nicer to have a device that could just brute force open any door.</p>
<p>If one of these cards follows valid track 2 format, then you could just brute force every 5 bits (there are 5 bits in a byte in track 2 format) rather than every single bit.  However, now you have more possibilities for each byte.  It&#8217;s not just either a one or a zero.  Each byte can represent 11 different characters (0-9, =).  I found this information by consulting <a title="this resource" href="http://www.cyberd.co.uk/support/technotes/isocards.htm">this resource</a>.  Track 2 also states that there are 37 data bytes between the start and end sentinel values.  This means that the total possible combinations you would have to brute force would be 11^37 = way too many to be worth the time.  In this case, the best thing to do would be to analyze the data on a computer, figure out where the room number and/or expiration date is stored, and then program a microcontroller to try every possible room number while keeping the other data the same.  It could then make sure that the date was some date way in the future to ensure it would work.  Better than this, you could put an interface on the device to program the exact room number.  Using a serial LCD and a few buttons, you could view the data after it is scanned into the device.  Then the buttons can be used to alter the data or just punch in the room number.</p>
<p>Brute forcing these things seems mostly impractical due to the fact that it would take forever to brute force all the data on a card but in the event of encryption, it may be necessary.  If you can narrow down just a few bits that need brute forcing it would be worth it.  I&#8217;ll have to experiment once I have some data to analyze.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.richardosgood.com/blog/2009/04/05/magomatic-brute-forcing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Magstripe Emulator Device Complete</title>
		<link>http://www.richardosgood.com/blog/2009/04/04/magstripe-readercopieremulator-device-complete/</link>
		<comments>http://www.richardosgood.com/blog/2009/04/04/magstripe-readercopieremulator-device-complete/#comments</comments>
		<pubDate>Sat, 04 Apr 2009 12:33:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Project]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[magnetic]]></category>
		<category><![CDATA[magstripe]]></category>
		<category><![CDATA[microcontroller]]></category>
		<category><![CDATA[sx]]></category>

		<guid isPermaLink="false">http://www.richardosgood.com/blog/?p=59</guid>
		<description><![CDATA[I first became interested in magstripes a few years back.  I found a few resources online that explained how you can build a primitive magstripe reader using just a magnetic readhead from a walkman and a headphone jack.  You can use custom software to look at the waveform that is created and decode the binary [...]]]></description>
			<content:encoded><![CDATA[<p>I first became interested in magstripes a few years back.  I found a few resources online that explained how you can build a primitive magstripe reader using just a magnetic readhead from a walkman and a headphone jack.  You can use custom software to look at the waveform that is created and decode the binary data.  I never was able to get that working right, most likely due to not being able to swipe the read head over the card in the exact right spot.  A few weeks back I finally decided to bite the bullet and just buy a magstripe reader online so I could play with magnetic stripes.</p>
<p>After reading through the <a title="StripeSnoop site" href="http://stripesnoop.sourceforge.net">StripeSnoop site</a> I decided to buy a $30 TTL magstripe reader.  These seem to be the simplest to use and they work with StripeSnoop.  However, StripeSnoop requires a gameport or parallel port connection, and most computers nowadays do not have either of those.  I wanted to be able to use my reader on any system.  I found <a title="this guide" href="http://ossguy.com/ss_usb/">this guide</a> that shows how to make a sort of USB adapter for the TTL reader.  It basically reads the TTL signals from the magstripe reader, and then &#8220;types&#8221; them into the computer as though it is a keyboard.  If you have a notepad window open it will just dump a long string of 1&#8217;s and 0&#8217;s into the window.  StripeSnoop has a -i option that takes input from the keyboard so all of this should work together.  I purchased one of the adapter boards along with the magstripe reader. Five days later they both showed up at my door and in about an hour I had everything hooked up on my computer and functioning.  My reader only reads track two, although I could read track one if I put a small piece of plastic in the bottom of the reader to raise up my cards by exactly one track size.  For now, reading just track two will work fine since my research showed that most cards use that track anyway.</p>
<p>Enter the idea for the magomatic.  I&#8217;ve had this idea for a while but it keeps changing slightly in my mind.  I essentially want the ability to read a magstripe card and then emulate it back.  This is different from cloning a magstripe card onto another card.  This is basically &#8220;recording&#8221; the magstripe data and then &#8220;playing&#8221; it back as though it is coming from a magstripe card, even though it is not. I first thought that the easiest way to accomplish this goal would be to record the magstripe data as audio, and then play it back out through an amplifier, into an electromagnet.  I had found <a title="this instructable" href="http://www.instructables.com/id/Magnetic_stripe_card_spoofer/">this instructable</a> where someone did something similar and proved that it works.  This person would scan in the data, and then put it into a C program.  The C program would encode the binary data into a wav file.  He could then put the wav file on his iPod, play it out through an amplifier and into an electromagnet.  He included a video to prove that the concept works.  This is how I started the project.</p>
<p>I had to prove to myself that his idea worked. I created an electromagnet and downloaded his source code.  I also purchased a small battery powered amplifier from RadioShack that was able to boost an audio signal pretty loud.  I wasn&#8217;t able to get the C program to work correctly so I ended up changing some of the code around.  I altered it so I could just paste the raw binary data from my card into an array in the program.  It would then encode that data, rather than converting symbols and letters into binary data and having to generate valid checksums.  After some fiddling with the code and with volume settings I was able to get this working.  I could play the audio file out of my headphone jack, through the amplifier, into the electromagnet, and then into the card reader.  The card reader thought I had swiped my card.  Success.</p>
<p>The next step was figuring out how I could store the data on something portable.  I didn&#8217;t want to have to lug around a computer.  My idea was to have a small, handheld device that could read a card and then instantly play it back.  I bought a small picture frame from RadioShack that included a 10 second voice recording module.  It is supposed to be used to store a message along with your photograph.  I had other plans.  I ripped that picture frame apart and pulled out the small recording module.  I removed the microphone and the speaker and just left some wires attached.  To test the module, I hooked my computer&#8217;s headphone port up to the microphone wires of the circuit using some alligator clips and a 1/8 inch mono jack.  I pressed the record button on the module and then played the working wav file through the headphones.  I then moved the alligator clips to the speaker wires and plugged the headphone jack into the audio amplifier.  I then had another set of clips going from the amplifier to the electromagnet.  After fiddling with the volumes for recording and playback, I had it working.  I now knew that it was possible to record magstripe audio data onto this module and play it back without losing the data.</p>
<p>The last step was to create my own simplistic reader from a magnetic read head.  I bought an old Walkman from the local Goodwill for $4.  The read head was not difficult to remove.  Unfortunately, I had a terrible time figuring out how to build a mechanism that would line up the read head exactly to track two of the magstripe card and swipe in a nice, straight line.  I tried a few things but everything failed.  I could tell it was picking up data but I never knew what track(s) it was from.  Eventually, after all that work, I had to give up on the audio idea.</p>
<p>It was time to come up with a new plan.  How else could I record the data and play it back though?  I had already been thinking it would be nifty to be able to record the data digitally, rather than via an analog signal.  Having the actual data would allow the possibility of data manipulation.  Why would it be good to manipulate the magstripe data?  One application is in hotels.  Most hotels use magstripe cards as room keys.  What if that data was not encrypted?  What if I could just read the data, see the room number in the data, and then change it to another room number?  I could open any room in the hotel!  I could even put a number pad on the device to allow me to choose what room I wanted to enter.  This is just one interesting application that I thought of.  But how could I accomplish this?</p>
<p>I pretty much instantly thought of using a microcontroller.  I assumed that a Basic Stamp would be too slow to read the magstripe data, and also, Basic Stamps are expensive at around $50 a pop.  My next thought was to use the Parallax SX chip, since it&#8217;s the only other microcontroller that I have used and have a programmer for.  To prevent myself from re-inventing the wheel I Googled around to see if anyone else had interfaced a magstripe reader to an SX chip before.  I got lucky and found <a title="one article" href="http://www.parallax.com/Portals/0/Downloads/docs/cols/nv/vol8/col/nv148.pdf">one article</a> where someone did just that.  He also used the easier to understand SX/B code rather than assembly so it worked rather well for me.</p>
<p>I was going to have to edit the code, though.  He was using a serial LCD for output but I don&#8217;t have one of those.  My only real option was to set WATCH&#8217;s on the variables that hold the data and then poll for the variables while debugging.  After a few days of fiddling, frustration, code editing, etc., I had to give up for a bit.  I was having a terrible time making that code work with my reader.  The author had used a similar, yet different reader and his code just wasn&#8217;t working right for me.  At this point I had changed pretty much all of it and simplified it as much as possible and still wasn&#8217;t getting anywhere.  I decided to focus my attention on the emulation part of the project.</p>
<p>I figured it would be a waste of time to finally get this reader working, only to find out that I was unable to emulate magstripe data with the SX.  Emulating the data turned out to be a piece of cake.  I created two SX/B functions to output either a one or a zero depending on which function was called.  You essentially have the electromagnet hooked up to two SX pins.  If you want to output a one, you just turn one pin off, and the other on, then after about 1ms you switch them.  For a zero, you turn one pin on and the other off, but after the 1ms delay you leave them in the same position for 1 ms.  You can then &#8220;flip the pins&#8221; to make the current travel through the electromagnet in the other direction.  I wrote a simple program to output a fake credit card number, including the start sentinel, end sentinel, checksum bits, and the LRC byte.  The extra information was necessary for StripeSnoop to properly decode data.  More information on magstripe protocols can be found at <a title="this great resource" href="http://www.cyberd.co.uk/support/technotes/isocards.htm">this great resource</a>.</p>
<p>Now it was time to get back to the card reader.  It took another 2-3 days of fiddling before I finally got this part working, but I did.  I was able to store the credit card information in a byte array, and then play it back through an electromagnet into my computer.  StripeSnoop thought I swiped my credit card.  Victory at last!  But I still had to merge the reader function with the emulation function.</p>
<p>Initially, the reader function would specifically wait for the start sentinel character and then collect data in 5 bit intervals.  This is how the typical stripe 2 protocol works.  After thinking about it, though, I realized that hotel systems and other systems might not follow that protocol.  They could very well use their own system.  That&#8217;s when it occurred to me that for simply replaying the data, I didn&#8217;t even have to collect it in such a tedious manner anyway.  That is only beneficial if I want to view the data in a way that I can read it.  Instead, I altered the code to just fill up each byte all the way, instead of only the first 5 bits.  I ended up with two 16-byte arrays.  As you swipe the card, it stores the binary data in each bit of those arrays.  Once the data is stored in the variables you just put the magnet inside the card reader, press a button, and it reads through the variables bit by bit and powers the electromagnet as necessary.  Everything worked as it should.  I now had a working magstripe emulator.</p>
<p>I spent all morning and early afternoon drawing up a schematic, collecting parts, soldering, and troubleshooting.  After a few hours I had a working circuit board.  About 4 hours ago I was able to fit everything into a project box the way I wanted.  I did one last test with everything fitted to make sure it still worked and it worked just fine.  My goal of having a portable, battery operated device capable of cloning magstripe cards is now a reality.  I&#8217;m heading to Las Vegas in one week for a short vacation with my family.  I can&#8217;t wait to test this thing out.  I&#8217;m hoping that the hotel uses track two so I won&#8217;t have to try and read tracks one or three and mess with my reader.  I&#8217;m also hoping that the keys are encrypted in any way.  This might let me program the SX with my laptop to open other doors.  I&#8217;ll post an update once I get back with the results of my experiment.</p>
<p>I&#8217;ll also take some photos of the device and post them on the project page.  If I am able to get it to open my hotel room door I&#8217;ll definitely post up a video as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.richardosgood.com/blog/2009/04/04/magstripe-readercopieremulator-device-complete/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
