Open Source Magnetic Stripe Tool (OSMST)
Copyright 2010 NOP Security
The OSMST is a tool designed to allow security analysts the ability to inexpensively test magnetic stripes and the readers associated with them. It also allows pentesters the ability to do certain tests without having a computer. It is all Open Source so it also works well as an educational project for anyone who is interested in magnetic stripe technology. Using the schematics and source, it allows one to make a reader, writer and generic test tool that surpasses most commercial products in many ways.
The board PDFs, firmware and construction specifications are included to make it easy to construct. Instructions on the full constrction are included and are designed to make the device easy to assemble from parts that you probably already have if you do any electronics work already. The device was designed with being a project in mind, as such it uses things that should be easy to acquire if you don't already have them. It uses single layer through-hole circuitry, so anyone with a laser printer, some gloss paper, some copper clad board, etching solution and a drill with a small bit should be able to make it easily. With the schematic, it can easily be converted to double sided PCB with SMD components to make it more compact, if you have everything needed to do it. A PC is not required for operation, but is required for the initial programming of the AVR ATTiny861 processor using the onboard standard 6 pin ISP header.
The PC-HID-OSMST interface software is supplied in Visual C for Windows users and GCC for Linux users if you choose to control it from the PC. The device uses the standard HID driver for communication, so it can be used on any system that supports HID devices. The full command set is included in the source of the programs. You can apply this interface to use the device in several different ways, depending on what you want to do with it. You can even omit most of the output hardware and use it as a stand-alone stripe reader connected to a computer to tie it into any program that you write, if you feel inclined to do so.
Reads tracks 1-3 from many possible different read heads types
Stores up to 4 tracks
Emulates or plays track data to emulator or speaker
Writes tracks 1-3 on almost any read or write head that is wide enough to write a track and then verifies if the data is correct on subsequent read
Erases tracks or other magentic media with high frequency output
Emulates random fuzzing data with 4 modes - it tries random data of random lengths (Sometimes above max track length) in 6 and 4 bit code types
Can operate off of battery power, USB power, or both
Operates stand alone from device memory, or controlled from a computer via USB
Can output track data directly as an HID keyboard, or via an HID custom data device which requires no special drivers for control or input/output (Using a dual top level collection)
Continuous operation current draw is about 12-13mA, but can draw variable current over 0.5A or 2A depending on output transistors selected
Automatically enters sleep when idle: Only 2-3mA current draw when in sleep mode with specced parts for voltage regulation of processor supply
Can run off of supply voltage between 4.5v to over 25v: ideal voltage is 7.2v-12v
Almost all parts are inexpensive and easy to acquire
Takes time to craft it and salvage parts if you can't find them for purchase (or don't want to purchase them)
Can sometimes be difficult to tune it initially for new input/output hardware
Only one track at a time
Only reads, writes and emulates in one direction
There are 8 states of operation, one of which is only for altering the run configuration. There are 3 buttons for device control and 4 LEDs for status display. The buttons are defined as 1:Start, 2:Mode and 3:EESwap. The 8 modes are defined as 1:Scan/Store, 2:Emulate/Speaker, 3:LoCo Write, 4:HiCo Write, 5:LoCo Erase, 6:HiCo Erase, 7:Fuzzer Emulate, 8:Fuzzer Mode Switch. The LEDs are Status, Emulate, LoCo and HiCo. There are 4 storage locations for card stripes (up to 110 characters each) in EEPROM, as well as locations for configuration storage. The onboard RAM also stores one active memory storage location that is overwritten by EEPROM loading, card reading/writing and fuzzing.
Each button has slightly different functions, depending on the current mode. In all modes, 2 minutes of idle time will cause the OSMST to go into power-saving mode which powers down most of the circuitry and processor to save energy. Pressing any button will wake the device up again.
Mode 1: Scan/Store
In this mode, when not connected to a computer, every time you scan a stripe, it verifies that it has read the stripe properly then stores it to one of the 4 EEPROM locations and swaps to the next storage location. Hitting the EESwap button will swap to the next EEPROM location without reading anything in. The Status LED will blink one to four times to let you know what the current storage location is. The status LED will stay lit when there is card data in the active memory.
If you hit the start button in this mode, it toggles to output mode, which extends the idle time before sleeping to 20 minutes and then outputs anything in the current memory buffer to the keyboard HID device, if connected to a computer. Any new stripes read into memory are automatically output to the keyboard device instead of storing. Writing track data the the active memory over HID will output it to the keyboard device. Hitting EESwap will load the next EEPROM location to active memory and then immediately output. This is an easy way to display what is currently loaded.
The threshold of the scanning (input) reader needs to be set before it will function effectively. The input differential amplifier will take the small power fluctuations of the read head and amplify them, generating a waveform that is large enough for the processor to decode. The second amp in the chain will determine the threshold for the input waveform and transform it into a nice square wave. Once this is centered on the input waveform, the input waveforms should have similar pulse widths in each direction which will allow easy decoding of the biphase encoded data. This also makes it so you can adjust the input to different read heads.
In order to set it to read, first find the upper and lower bounds of the waveform by turning the tuning pot all the way one direction. Then read cards and turn it up until the reader LED starts flickering on each swipe. Then repeat on the opposite side till the same situation occurs and split the difference. Your waveform center should be near the center of those two points on the trimmer or dial. High electrical interference in the area, or wires to the read head that are touching unshielded devices can adversely affect the read quality. The head and wires are susceptable to electrical interference, but most read heads should output enough power over the noise level that it's not a problem. You can adjust the read threshold within the waveform bounds to compensate if your input picks up noise or flashes when you touch it or get close to interference sources like some types of fluorescent lights. When it is set properly and the read head has even, smooth contact, it should read and store smoothly every time.
Keep in mind there are bounds on the read speed too - if you swipe the card too fast for a high bitrate track (track 1&3: 210 bpi) you risk losing bits, which will cause the data to desync enough to cause parity errors. Parity errors will cause the whole track to be invalid in this version of the device. If you read too slowly, the input amplifier will not be able to pick up the changes in magnitic field strength (power input is related to the rate of field change) or the processor will lose sync with the next biphase edge. You will get familiar with the right speed to swipe. Track 2 (low bit density: 75 bpi) can normally be read very fast - usually as fast as you can swipe it.
Mode 2: Emulate/Play
When in Emulation/Playback mode, the output circuit is energized. This also illuminates the Emulate LED to show the circuit is active and to display the current mode. Hitting the start button in this mode will drive the output circuit to produce a waveform based off of the card data stored in active memory. It will briefly turn the LED off while writing to indicate the writing time visually as well, so you can see the activity when not connected to a playback device.
Scanning cards in this mode will store them to active memory, but will not write them to EEPROM, nor the keyboard output driver. This mode is useful if you want to scan something in temporarily, or scan something in while in output mode without actually writing it out.
You can also load data to active memory over the USB HID connection, without it outputting the data to the keyboard. This allows writing test data to the memory for simulation and testing of a magnetic reading device by uploading track data, then emulating it to the device under test.
The Emulation mode has it's own current limit setting on the output circuit that allows adjusting the power level so you don't kill the output transistors or shut the circuit down from drawing too much current off of a battery that cannot supply enough. Normal 9v batteries have a high enough internal resistance that they normally cannot drive high-current emulators without being limited.
For audio output devices, or audio recording devices, you can adjust the current threshold so the audio waveform sounds good on playback of the recodring device. It should be able to automatically find a balance with high input impedance devices. This allows you to encode several of your favorite waveforms to any recording device - or for delivery to a remote tester - which can be played back on a standard audio player using an emulator instead of a speaker.
Mode 3: LoCo Write and Mode 4: HiCo Write
These modes energize the output, each with the adjustable output current limiter. It will automatically load any card data from the current EEPROM slot into active memory for verification and writing. If you scan new cards in this mode, they will be checked against EEPROM and will flash the status LED to show if there is a match or failure. Card read errors will only flicker briefly. If the scanned card matches, the status LED will blink slowly several times. On a mismatch it will flicker fast repeatedly.
Hitting the start button the first time in this mode will begin the velocity encoder training. The status LED will blink repeatedly while it waits for you to slide a card through the writer. When you do this, it records the number of clicks on the velocity encoder and stores that number as a way to associate the card travel rate. This way the writer can adjust for minor speed variations while writing. The total click count of a normal card is stored and associated with the total travel of a 3.5" card.
Once it is trained, hitting the start button will set the card up to begin writing once it detects movement on the encoder. Keep in mind that the writer can only adjust the speed a certain amount to compensate between each click so try to maintain a constant speed. It is not necessary to move the card very fast or very slowly to write tracks. An even constant speed will work perfectly, as long as the power is set correctly. While a speaker is plugged in to the output jack, or switched to, if you implemented a switch, you can perform a write to hear the speed adjustment. The human ear is great for telling quality of stripe output. A nice smooth write track is what is desired, once you get used to the speed needed for the write, it is easy to write cards reliably. It is best to erase the card before writing so you can ensure proper waveform storage. See mode 5 and 6 for erasing functions.
The output power for each stripe style needs to be adjusted manually for your specific write head using the designated current limiter. If the power is too low, the magnetic stripe will not be strong enough to reorient all the magnetic domains in that bit space on the stripe. If the power is too high, the previously written bits will be affected by the magnetic field of the current bit and will essentially "blur" what should be sharp edges of the stripe's magnetic moment for the previous trasition. For biphase encoding, this reduces the ability to differentiate 1 bits (which half the wavelength of a 0 bit) as you are essentially erasing the smaller preceeding waveform. Keep in mind that having a gap between the write head and the media can produce the same "blurring" effect as overpowering the stripe. The magnetic field will spread out if there is an air gap, which causes a similar distortion and no end to the frustration of trying to write stripes - so make sure how ever it's assembled has full, even contact.
After writing the card, rescanning it through the read head will verify the write. The data read circuit flickers the light on buffer modification, which you can see on normal card reads. For an erased card, there should be no change in LED status on normal read, or on verification. For a properly written card, it should verify correctly as stated above. When determining power levels, start by writing at the lowest power possible, and turn up until you can write the card and the read light flickers slightly when you read it back in. Slightly above that should be your minimum for proper card writing. You will want to turn it up past that until cards that are written will begin failing then back down just a little bit - this will ensure the maximum power without distortion to the track. It also aids in keeping the erasing power high enough.
The HiCo and LoCo modes each use a different current adjustments, each using it's own variable resistor attached to the same line as the LED supply to control the current limiter. This allows you to adjust the power for each separately without having to dial in a new selection each time you use a different card.
Mode 5: LoCo Erase and Mode 6: HiCo Erase
Each of these two modes drives the output circuit using an (approximately) 10khz square wave at the specific current of each of the different modes. Running a card underneath it will level out the magnetic domains, like a degausser. When you hit the start button quickly, the processor will begin driving the output circuit and will only stop when you hold it down and release. Holding the button down will start output until you release the button. Once the erasing is finished, it will automatically switch the mode back to the respective write mode so you can write the newly erased card. Make sure to swipe the card slowly, depending on the write head, it can leave a minute ripple behind if you drag it too fast.
Ideally this would be a low impedance tuned resonant circuit that would output a high amplitude signal at a much higher frequency. Implementing this becomes difficult when creating a circuit where the head is an unknown inductance and is tied into the standard write circuit that is intended to be used for several different features. As a result of the unknown inductance of your specific device, the output power of the high frequency erase may be attenuated compared to the write power of a normal card write at the same current level - if you cannot seem to fully erase a card at the same levels that you write cards with, reduce the erase frequency and slide the card a little slower during the erase. Or increase the output power to smooth the moments a little more on the trailing edge.
Since some HiCo cards vary in coercivity, you may need to erase some cards at a slightly higher than normal power to clear off completely. Setting the power up to the highest output power that writes any HiCo card consistently usually works for an acceptable level for clearing all HiCo cards, but I have run across that are extra stubborn and required turning up even higher to clear. They would write just fine at the normal HiCo power, and could actually accept even higher power for writing than the majority of cards, but I have not run across a lot of those.
Mode 7: Fuzzer Emulate and Mode 8: Fuzzer Mode Switch
Mode 7 acts similar to emulation mode, except that every time the start button is pressed, it loads random data to the active memory before output. The data length is random, from 1 character to the max active mem of 110 characters - how the data is formatted depends on the Fuzzer Mode. This allows the tester to hold the emulator in place and try a different random code each time to test a device or client's access controls. The EESwap button in this mode will directly store the current memory to the active EEPROM slot and then select the next slot. This way, you can randomly test different options and then save them for sending to the access control developer later by computer download, writing to a blank card or writing to a recording device.
Mode 8 is tied in with mode 7. There are currently 4 Fuzzing modes. 6 bit (track 1) and 4 bit (track 2&3) modes, each with and without inclusion of the end sentinel character. Fuzzers are 1) 6 Bit with end sentinel, 2) 4 Bit with end sentinel, 6 Bit without end sentinel, 2) 4 Bit without end sentinel. Hitting the start button while in this mode will switch to the next mode, blink the status LED to display the newly selected mode number then switch back to mode 7.
The reason for this fuzzing mode separation is that there are two formats for characters, so there needs to be a mode for each. And for each, some readers will automatically terminate on the discovery of the end sentinel, whereas some will allow it as a valid character until the last one that is followed by the termination sync. Having these 4 modes allow the output of at least one type of waveform that should trigger a response in most devices. Some readers that read cards in the opposite direction only will terminate on the discovery of an extra start sentinel instead, but the current writer does not output in that order, so in that case, the card needs to be written manually to test.