[Noisebridge-discuss] Snooping RS-232C/Serial Data

Jacob Appelbaum jacob at appelbaum.net
Wed Aug 19 01:40:06 UTC 2009


Jonathan Lassoff wrote:
> I've recently purchased an MSR-206 clone (MSRW-206 -- far too similar of
> a name if you ask me), however despite coming with documentation that
> appears to be nearly a word-for-word copy out of the MSR-206
> programmer's reference, some of the commands don't appear to operate as
> documented.

Got a photo of the device?

> 
> Namely, the three-track raw read command doesn't work as expected :(

What do you expect to see? What do you get? Is it consistent? It would
be helpful to know what kind of card you're analyzing. It would also be
helpful if you could state some of your assumptions. Do you have a
visual inspection of the stripe with a ferrofluid viewer?

I hacked up a document about magnetic stripes analysis as a sort of
quick start guide. I suggest you read it:
http://code.google.com/p/libmsr/source/browse/trunk/README.magnetic-introduction

> 
> Thankfully, it did come with an example Windows application that does
> seem to know how to talk at the box, and it's working fine. At this
> point, I'm interested in figuring out how to trace the commands that are
> being sent/received to the unit.
> 

Sniffing serial commands is trivial. You can even use recent builds of
Wireshark to do it on supported platforms. If you're not interested in
Wireshark, I found it rather pleasant to sniff the serial bus by hitting
a file in proc. It's quick and easy. Most modern Linux 2.6 kernels
support it.

> So I'm stuck trying to figure out a way to get a dump of the bytes going
> out to a serial device. I'm running the Windows environment in a VM that
> passes access to my USB->Serial dongle into Windows.

Do not despair. You probably don't need to sniff the serial device. The
MSR-206 is fully specified.

Here's the MSR-206 specification:
http://code.google.com/p/libmsr/downloads/detail?name=MSR206%20Programmer%27s%20Manual.pdf&can=2&q=#makechanges

Here's the project that Bill and I have been working on to write a
common library for the most common magnetic stripe devices:
http://code.google.com/p/libmsr/

You should be able to drive the device with the utilities in trunk. Get
a copy of the code like so:
svn checkout http://libmsr.googlecode.com/svn/trunk/ libmsr-read-only

> 
> Has anyone found a good way to do this in the past? Surely it can be
> done in software somehow. Failing that, I suppose it might be possible
> to trace the hardware signalling.
> 

Yes.

Bill and I recently wanted to reverse engineer the MAKStripe. We spent
_a lot_ of time looking at USB/serial dumps. It was mildly interesting
at first and became less interesting as time went on.

Here's the specification that I wrote up based on our observations while
at HAR:
http://code.google.com/p/libmsr/wiki/MAKStripeSpecification
http://code.google.com/p/libmsr/source/browse/trunk/MAKStripe.specification

This resulted in a quick cloner for the MAKStripe:
http://code.google.com/p/libmsr/source/browse/trunk/utils/makstripe-quick-clone.c

Here's a quick writeup on the way that Bill and I got started with the
MAKStripe:
http://code.google.com/p/libmsr/source/browse/trunk/README.MAKStripe

Here's a directory full of sample USB dumps:
http://code.google.com/p/libmsr/source/browse/#svn/trunk/usb-sniffing

Additionally, we've got a full MSR-206 user space driver like thing in
libmsr. You'll probably want to hack up something from a program in
utils/ if you're in a hurry. libmsr also supports other generic models
that are very similar to the MSR-206:
http://code.google.com/p/libmsr/wiki/HardwareComparisionChart

Thanks to Joseph and Mike of 2600, I'm currently working on adding audio
input support to libmsr:
http://code.google.com/p/libmsr/source/browse/trunk/dmsb.c
http://code.google.com/p/libmsr/source/browse/trunk/dab.c

Eventually, you'll be able to record to a common format regardless of
the reading device. If all goes well, you'll be able to write any such
file to any supported writing device too.

If you send me the firmware version and run some of our test utilities
on the device, I can probably quickly add support if it doesn't work out
of the box...

Best,
Jake
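As an added example (not part of this thread, and not libmsr code) of working with the kind of USB/serial dumps Jake mentions: a small parser for Linux usbmon text-interface lines that pulls the bulk payload out of each record and reassembles the host-to-device and device-to-host byte streams. The line format assumed is the usbmon text format from the kernel documentation; the sample lines and payload bytes below are constructed, not a real capture.

```python
import re
from dataclasses import dataclass

# One usbmon text-interface record (Documentation/usb/usbmon):
#   <urb tag> <timestamp us> <S|C|E> <Xd:bus:dev:ep> <status> <len> [<tag> hexwords...]
# X is the transfer type (B=bulk, C=control, I=interrupt, Z=isoc), d is i/o.
LINE_RE = re.compile(
    r"^(?P<tag>\S+)\s+(?P<ts>\d+)\s+(?P<event>[SCE])\s+"
    r"(?P<xfer>[BCIZ][io]):(?P<bus>\d+):(?P<dev>\d+):(?P<ep>\d+)\s+"
    r"(?P<status>-?\d+(?::\d+)*)\s+(?P<length>\d+)(?:\s+(?P<rest>.*))?$"
)

@dataclass
class Transfer:
    ts_us: int
    direction: str   # "out" (host -> device) or "in" (device -> host)
    device: str      # "bus:dev"
    data: bytes

def parse_line(line):
    """Return a Transfer for a bulk record that carries payload, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    xfer, event = m.group("xfer"), m.group("event")
    if xfer[0] != "B":          # only the bulk pipes carry the serial bytes
        return None
    # Payload is present only on OUT submissions and IN completions, and only
    # when usbmon flagged it as captured ("=") rather than absent ("<" / ">").
    if not ((xfer == "Bo" and event == "S") or (xfer == "Bi" and event == "C")):
        return None
    rest = m.group("rest") or ""
    if not rest.startswith("="):
        return None
    # usbmon prints the data as space-separated words of up to 4 bytes.
    data = bytes.fromhex("".join(rest[1:].split()))
    return Transfer(int(m.group("ts")), "out" if xfer == "Bo" else "in",
                    f"{m.group('bus')}:{m.group('dev')}", data)

def serial_streams(lines):
    """Concatenate payloads per direction, in capture order.
    Note: some USB-serial chips prepend per-packet status bytes to IN data;
    stripping those is chip-specific and is not attempted here."""
    streams = {"out": bytearray(), "in": bytearray()}
    for line in lines:
        t = parse_line(line)
        if t is not None:
            streams[t.direction] += t.data
    return {k: bytes(v) for k, v in streams.items()}

# Constructed sample: host sends "Hello", device answers "OK\r\n".
SAMPLE = """\
ffff8800 1000 S Bo:1:006:2 -115 5 = 48656c6c 6f
ffff8800 1200 C Bo:1:006:2 0 5 >
ffff8801 1300 S Bi:1:006:1 -115 64 <
ffff8801 1800 C Bi:1:006:1 0 4 = 4f4b0d0a
"""
```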
