My apartment building recently switched from coin-op laundry machines to a stored-value system using smartcards. A central dispensing machine sells new cards and tops up existing ones by credit card, and each washer/dryer has a reader interface that decrements the stored value when the machine is started.
Being the curious type, I stuck the card into my smartcard reader to see what chip they were using. A quick Google search of the ATR revealed it was a member of the Atmel CryptoMemory family, the AT88SC0404C. After pulling the datasheet from Atmel, I began exploring the security mechanisms they had in place.
Before I go any further I should explain that the remaining portion of this article doesn't explain an attack on the Atmel CryptoMemory parts in any way. If that is what you're after I recommend reading Tarnovsky's blog or an attack on the CryptoMemory algorithm here. With that out of the way let's forge on.
After reading through the datasheet I found that this card has a configuration page and four user pages, each consisting of 128 bytes. I dumped the config using the following APDU.
After spending some time hand parsing the response I came up with this config.
Looking at the above we can pick out a few things. First, the 0x27 fill is probably a security measure, since we haven't authenticated in any way. Second, bit 4 of the DCR byte tells us that we only have 4 attempts to verify any of the eight passwords before we're locked out. Also, AR registers 0 through 3 show that none of the user pages require a password, but they all require authentication. Here is another interesting tidbit from the datasheet:
Seems simple enough, verify the write 7 password, program the configuration, then blow a one time programmable fuse to prevent anyone from changing the data. So, let's read the fuse byte!
This is where things start to fall apart. According to the datasheet, a fuse byte of 0x27 means only the SEC bit is blown, which Atmel does during manufacturing to lock the lot code. So with the proper write 7 password we can still change the configuration (HINT: maybe by removing the authentication enable bits from the AR bytes?).
Ok, now we just need to guess the write 7 password. The password is 24 bits, which gives us 16,777,216 candidates to brute force. At 4 attempts per card that would take 4,194,304 cards in the worst case, or 2,097,152 cards on average... There must be an easier way. My next idea was to sniff the traffic between the reader and the card to get an idea of what kind of data is being passed back and forth, then, after wading through the paper above, implement the algorithm to crack the cipher itself. Then I found this little ditty in the datasheet:
Surely you would think the engineer(s) implementing this weren't negligent enough to leave the default password... you would be wrong.
Now that we can read/write the config page, all we have to do is set AR bits 4-7 to disable the password and authentication checks, and then we can dump the user pages. Dumping them showed a few things. Page 0 contains some string constants and doesn't look to be related to the stored value in any way. Page 1 looks to have all the goodies. By dumping the card before and after use I can see which bytes change: there is a sequence of 36 bytes starting at 0x5c that differs between dumps, and a 1-byte counter that increments by 1 each time the stored value is decremented. I've yet to decode how the stored value is encoded on the card, so I'll leave that as an exercise for the reader.
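The before/after comparison described above, written out as an added Python example (this is not the post's C# tool, and the dumps are constructed sample data, not real card contents). The 128-byte page size, the 36-byte changed region at 0x5c, and the fuse byte values 0x27 and 0x20 come from the post and its comments; the counter offset 0x50 and the way the sample "value block" is altered are assumptions made up for the example. The same helpers work on any pair of equal-length page dumps, so the diff logic generalises beyond this one card.

```python
# Added example, not code from the original post or its C# application.
# Compares two dumps of a CryptoMemory user page taken before and after a
# wash cycle, locates the changed region and any byte that behaves like a
# counter, and classifies the fuse byte using the two values the post reports.

from typing import List, Tuple

PAGE_SIZE = 128  # each AT88SC0404C user page is 128 bytes (from the post)

# Fuse byte values as reported in the post: 0x27 means only the SEC fuse is
# blown and the configuration page is still writable; 0x20 means all fuses
# are blown and the card is locked down.
FUSE_ONLY_SEC_BLOWN = 0x27
FUSE_ALL_BLOWN = 0x20


def fuse_state(fuse_byte: int) -> str:
    """Classify a fuse byte using only the two values documented in the post."""
    if fuse_byte == FUSE_ALL_BLOWN:
        return "locked"
    if fuse_byte == FUSE_ONLY_SEC_BLOWN:
        return "unlocked: only SEC blown, configuration page still writable"
    return "unrecognised: consult the datasheet"


def build_sample_dumps() -> Tuple[bytes, bytes]:
    """Constructed page-1 dumps (not real data). A 36-byte block at 0x5c is
    rewritten between dumps and a hypothetical usage counter at 0x50 goes
    from 0x11 to 0x12. The XOR transform is arbitrary filler, not the card's
    real encoding."""
    before = bytearray(PAGE_SIZE)
    for i in range(PAGE_SIZE):
        before[i] = (i * 7 + 3) & 0xFF          # arbitrary filler pattern
    after = bytearray(before)
    for i in range(0x5C, 0x5C + 36):
        after[i] = before[i] ^ 0xA5             # hypothetical re-encoded value block
    before[0x50] = 0x11                         # hypothetical counter, before
    after[0x50] = 0x12                          # hypothetical counter, after
    return bytes(before), bytes(after)


def diff_dumps(before: bytes, after: bytes) -> List[Tuple[int, int, int]]:
    """Return (offset, old, new) for every byte that differs between dumps."""
    if len(before) != len(after):
        raise ValueError("dumps differ in length")
    return [(i, b, a) for i, (b, a) in enumerate(zip(before, after)) if b != a]


def changed_runs(diffs: List[Tuple[int, int, int]]) -> List[Tuple[int, int]]:
    """Group differing offsets into contiguous (start, length) runs."""
    runs: List[Tuple[int, int]] = []
    for off, _, _ in diffs:
        if runs and off == runs[-1][0] + runs[-1][1]:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((off, 1))
    return runs


def counter_candidates(diffs: List[Tuple[int, int, int]], step: int = 1) -> List[int]:
    """Offsets whose value moved by exactly `step` (mod 256): likely counters."""
    return [off for off, old, new in diffs if (new - old) & 0xFF == step]


def hexdump_diff(before: bytes, after: bytes) -> str:
    """One line per changed byte: offset, old value, new value."""
    return "\n".join(f"0x{off:02x}: {old:02x} -> {new:02x}"
                     for off, old, new in diff_dumps(before, after))


if __name__ == "__main__":
    before, after = build_sample_dumps()
    diffs = diff_dumps(before, after)
    print("fuse 0x27:", fuse_state(0x27))
    print("changed runs:", [(hex(s), n) for s, n in changed_runs(diffs)])
    print("counter candidates:", [hex(o) for o in counter_candidates(diffs)])
    print(hexdump_diff(before, after))
```

On the constructed input the changed-run report shows one single-byte run at 0x50 (the counter) and one 36-byte run at 0x5c, which is the pattern the post describes; on real dumps the same diff separates a monotonic counter from a block that is re-encoded wholesale, which is the first clue about how the value is stored.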
At this point an attacker could fill up the card and dump the contents. Then after using the card until there is no value left they could restore the dump rather than paying to refill the card. I don't want to promote fraud (or get sued) so I will not provide dumps of the user pages. Below is a proof of concept video to prove how easily it can be done.
I wrote the application below in C# to assist in working with the Atmel CryptoMemory line. Although I've only tested it on an AT88SC0404C, it should work with any chipset in the family. The software provides the ability to dump the config to the terminal, read the fuse byte, and back up and restore the entire card, including the config and user pages. Be warned! Since the fuse byte is completely unlocked, all fields in the config page are writable. Even the ATR! On a few occasions I overwrote the ATR with all zeros accidentally (due to a bug in the application). This caused the cards to respond with all-zero ATRs, which broke ISO 7816-3 compliance, so they no longer work in my reader. It may be possible to recover them using the synchronous 2-wire serial interface, but I haven't tried yet. The software should work with any compatible PC/SC reader.
Web Laundry claims 40,000 installations on their website. I can only assume that there are millions of cards in service with the same configuration. I'm unsure why they would pay ~$1.05/pc (qty 5k) for a part that has moderate security measures but then leave the default password set, when they could buy an SLE4442 for $0.39/pc (qty 10k). Furthermore, the cost of changing the password is effectively nothing, since they are already writing the ID (+0x19) bytes when they dispense the card from the machine. I can only imagine it was the marketing department that came up with the slogan on the card: "Unmatched Security and Cutting Edge Technology".
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software is provided free of charge under the creative commons license. If you find this software useful please consider making a secure donation using the link to the right to support future research.
That's a nice piece of work :)
But tell a newbie one thing, how do you manage to find which chip it was using?
What kind of software do you use to explore the card? ToolSet Pro ???
Keep up the good work.
Out of curiosity, how would one run the software that you had posted yesterday?
So does the fuse byte "blow" the fuse when set to something, or is it merely an indicator of whether the fuse has been physically blown?
Don't answer my first post.
RTFM I know :D
Is this the right APDU command?
80 C0 02 A4 0D Chip Inf | GEMPLUS MPCOS-EMV | Get Info
@mad engineer: Compile, download visual C# Studio Express 2010 <- NOT 2008, it will give errors
@YaBa - Yeah I used Toolset pro to do the initial analysis and proof of concept. After sticking the card in the reader scard toolset pro will show the ATR, 3b b2 11 00 10 80 00 04. Googled that to get the family (Atmel CryptoMem) then pulled the datasheet.
@haywire - The fuse byte can both be read or written. When writing it (1->0) it will blow and cannot effectively be reversed. I recommend the tarnovsky blog link above. He was able to reset the fuse (0->1) by decapping and using UV light (on another chipset in this family).
@mad - YaBa is right, I used C# VS Express 2010.
Can you publish an executable version also?
This might help some people:
Given the ATR, it will help to identify the card.
@troll - I won't publish the binary for liability reasons. I'm currently trying to figure out if I can safely publish the source which is why I took it down. This is all new to me :) You shouldn't have any trouble compiling in visual studio express 2010 though.
Hans Viksler, can I get the source please? Thanks
Added the source back by popular demand :)
You can't just give the candy and then take it back :D lol ;)
/* Look for smartcard reader */
string readers = iCard.ListReaders();
"Exception was unhandled: SCardEstablishContext error: -2146435043"
If you are going to release the source make sure it compiles as is first.
@markermanx5 - It does compile, that is a run-time error. Is your reader plugged in and PC/SC compatible? Please read the blob above about NO expressed or implied warranties. In other words, no support :) However, if you want to provide better error handling I'd be happy to pick up the changes and re-post?
Some people never learn...
U get this for free, and still complain?!?! duh
@Hans, are you familiar with Bus Pirate!? It can read those kind of cards too, among other stuff.
@YaBa - Yeah, I own a bus pirate. I've used it to read the synchronous memory cards like the stored value card from fedex/kinkos. I haven't tried reading this card in sync mode though.
Also, I found an old card that was originally sent from Web Laundry when they installed it and it was properly locked down with the fuse set to 0x20. Seems like it is just the cards stocked in this machine that aren't properly configured.
@Hans - I need your help, I've spent the last 2 hours looking for the technical specs of Gemplus GemClub Memo card.
I just know a few APDU commands. I would like to learn more about this type of card.
Any help would be great.
(Note: The card is in user mode, I don't know how to auth)
I'm considering buying a season 2 interface to study, but some PDF would really be great.
Thanks in advance.
I'm getting an odd error.
I've got a computer with a "Broadcom Corp Contacted SmartCard reader". I can read the config. When I try to backup, I get "SCardTransmit error: -2146435025".
@YaBa - http://jwamicha.files.wordpress.com/2010/09/gemclubmemo.pdf
Hope this helps! Have you found a nice season 2 interface? I was looking for one some time back but couldn't find what I wanted. Ideally I'd like a board with a passthrough to a card slot with a pic micro attached to the CLK RST DAT lines to sniff traffic as well as drive the lines (if there is no card inserted). From what I've seen it sounds like I'll need to roll my own...
@dividebyzerowned - Step through each APDU sent using visual studio express. By looking at the return code from the card you can get a good idea of what might be failing.
@Hans: Thanks a lot, but I insisted on Google and found a DocStoc version. And then, I asked on that blog about the file, and the author posted it today. But hey, I really appreciate your help and work.
Regarding Season 2, I'm still looking around in sat forums and shops (electronicasuiza.com might help).
However... my "tests" card is now almost dead, I've locked CSC0, CSC1 and CSC2 :| :| :|
Can read it, but nothing else.
Can it be unlocked with some mumbo jumbo magic code? or is it trashed forever?
The controller for the card reader I'm using is actually integrated into this computer's TPM; apparently it's not fully PC/SC compliant.
Reading the config is fine, but the data pages are 128-byte strings of null bytes.
My card has all four fuses blown (security byte 0x20). Wondering if you could help me understand the authentication process and how does one compute the challenge and get a good verify crypto command going? If it isn't possible and it's just a fancy name for a password please tell me... I've been trying to understand ATMEL's idea of authentication, but cannot seem to get a good grasp on it.
Thanks in advance!
So I have the problem of always getting SW=6E00 (command class is not supported). I get it with your application as well as my C# ports of SMACADU and my APDU scanner. No matter what value I use for the class I always get the same SW=6E00 response. Have any of you run into this problem or any ideas on something I may be overlooking?
The fill byte (for bytes not allowed to be accessed) equals the fuse byte. So as soon as you see a $27 as the fill byte, you know your fuse is good to go. ;)
Well I have a problem. When I use gscriptor the default password is working fine. But when I use your program it gives me "Access Denied" and Fuse shows "20"
If somebody has a working HexDump of Web laundry card could you send it to kolob at ukr.net
Thanks a lot
My card looks same as yours but ATR revealed it's a Gemplus GemClub Memo.
I compile your app but it won't select the card; has an error Failed to get ATR: SW=6D00. I read the PDF specs on my card, but it's like Greek to me. I even got the ToolSet pro demo. Am I supposed to do a scan to get the hex values? Kinda hard with a demo version. I'm trying to see if they left the default password and fuse unblown like yours.
And then would I modify your AtmelCryptoMem.cs file for my card?
I'm so lost... yet I feel I'm walking down the right path. It would probably help if I had basic knowledge of smart card technology.
Hey, just curious. Did you ever find a solution to this? I have the same type of card and am trying to see if I can accomplish this.
what is the program you used?
Why don't you blow only the FAB and CMA fuses so you won't overwrite the ATR and FAB configuration?
Thanks for this article
I am getting this error..
SCardConnect error: -2146434970
When I compile and try to install, it keeps throwing errors on Windows. It compiles fine without errors, and installs fine as well, but will not run for the life of me. I've tried on Windows 7 64 and XP 32 with no luck. Using Visual C# 2010. If anyone is willing to share the executable please contact me runfrugal at gmail.com
phoenix smartcard readers
@Hans, awesome work on this and thanks for the utility.
Like a few others, I have multiple cards and they all have a fuse state of 0x20 (totally blown).
I've found a company where I can buy a few SCs with the exact same chipset and I'm wondering what your thoughts are on finding a dump of a card and loading it onto one of these empty cards. Do you see any problems with this working? The idea is to build-a-card that I can start playing around with.
If so and you're not too busy, would you mind sending me one of your dumps?
Thanks for your time!
Has anyone been able to get this software to work with a fuse of 20?
I'm getting an 'Access denied'.
kevincfunk at gmail
@Kevin, after sending that message a few months back I messed around with it but never got anywhere.
Lately I've been trying to find / buy someone's older card with the unblown fuse (all the new ones at my complex are blown).
If you make any headway hit me up-- I think we're in the same boat.
knksmith57 [at] gmail
It compiles with success only on WinXP 32 bits Visual C# Express 2010, and the compiled version works on all platforms.
The question is: how do you have to deal with the non-ISO compliant C8 pin?
Could you re-add the compiled exe again?
I think I see the problem that I'm facing. I see that the program uses GEMCARD info. I have been using a normal ISO programmer 3.68; I guess that will not work and I need to get a programmer like the ones in the video?
I just tried but my write7 password is not the default. Does anyone know of a way to pick the password up?
hello the application keeps giving me an error:
Connected to Dell Smart Card Reader Keyboard 0
Failed to get ATR: SW=6D00
I have 3 Miele self-service laundries where clients pay for the service using SLE4442 cards.
Miele sells those cards, but at a very high price.
I've already tried cards with the same SLE4442 chip but the payment machine doesn't accept them because the only ones that work are the ones sold by Miele... I read and read and read and found out the ATR code for the cards that work. My question is whether, having the machine recognition codes, it is possible to "format" blank cards so that they can be used on the machine.
Thanks for the great post. Does anyone have a working executable? After I build and compile the source I am always getting an error. atticusasher at gmail
For anyone looking for a compiled binary, here it is: https://file.globalupload.io/vDNL2HXUNk.zip
I compiled it without installing Visual Studio by following https://stackoverflow.com/questions/18286855/how-can-i-compile-and-run-c-sharp-program-without-using-visual-studio#
Seems like the write 7 password for my card was changed from the default 605734. Anyone have an idea how to brute force the password?
Do you still have this?