ChoJin’s Quarter

Hello,

I think it’s time I go back to basics and post something a little bit technical on this blog, which was the original intent of this blog anyway, should I remind everyone .

So we’re going to talk about magnetic cards. We all have at least half a dozen of them, if not more, and although this technology is probably as old as the dinosaurs, for most people, how to read, how to write and what those cards contain still remain a mystery.

Pretty much everything has already been written about magnetic stripes, I will therefore focus this article on a well-used photocopier card, which has the interesting feature of using a non-standard protocol to prevent from tempering and counterfeiting.

Disclaimer

Let’s be clear right from the beginning.

I won’t give away the brand of this photocopier card, nor will I disclose the hardware used to properly read or make such cards (so don’t bother asking). I’m only writing this article because I feel there is a lack of information about non-standard magstripe and copy/tempering protection schemes in this (magnetic ) field. This article is not about breaking the law, it’s about knowledge and inner curiosity. I strongly urge you to avoid ending up in jail just because you wanted to save a few cents from a photocopier machine…

I warned you, and I will not be held responsible for your actions, should you decide to use this knowledge badly.

After this over-dramatic disclaimer, let’s move on with the real article

Introduction

I won’t go into the details about all the existing standards and so on. I’d suggest you read the very well known Count Zero’s Card-O-Rama article from Phrack magazine about this subject matter. I will only write a quick summary about the standard modulation technique used on magstripes and then move on to talk about our photocopier card.

Generalities

Ok so, to make things simple, you can see a magnetic stripe as a sequence of tiny North and South oriented magnetics. When read through a solenoid, the induced current created by a given sequence of North and South polarities generates a square analog signal (yes, it’s not that simple in reality, but it’s good enough for our purpose).

As we will se through an example later, this square signal is then interpreted as a sequence of binary data (0 and 1) given the modulation scheme used. At this point, bits are usually grouped as chunk of 5 (BCD encoding) or 7 (ALPHA encoding) bit and interpreted using simple look-up tables.

As an example here is the BCD encoding table we’ll be using later on:

Data Bits				Parity
b1	b2	b3	b4	b5	Character	Function
0	0	0	0	1	0 (0h)	Data
1	0	0	0	0	1 (1h)	“
0	1	0	0	0	2 (2h)	“
1	1	0	0	1	3 (3h)	“
0	0	1	0	0	4 (4h)	“
1	0	1	0	1	5 (5h)	“
0	1	1	0	1	6 (6h)	“
1	1	1	0	0	7 (7h)	“
0	0	0	1	0	8 (8h)	“
1	0	0	1	1	9 (9h)	“
0	1	0	1	1	: (Ah)	Control
1	1	0	1	0	; (Bh)	Start Sentinel
0	0	1	1	1	< (Ch)	Control
1	0	1	1	0	= (Dh)	Field Separator
0	1	1	1	0	> (Eh)	Control
1	1	1	1	1	? (Fh)	End Sentinel

Aiken Biphase Modulation

Now let’s focus on how the square analog signal is converted to a sequence of binary data. On standard cards, the scheme used is called Aiken Biphase Modulation, or BMC encoding or often F2F (frequency/double frequency) as well.

In this simple encoding scheme, bit “1″ are encoded using twice the frequency than bit “0″. A picture is worth thousand words:

As said earlier, let’s take a simple example, a sequence of 5 bit, and let’s see how we can visually decode it step by step (assuming the encoding scheme is indeed F2F).

To ease the understanding of the encoding, and emphasize how “0″ and “1″ are encoded using frequency variations, we’re going to highlight each bit separately.
The first bit (b1):

As you can see, a bit begins with a phase shift, no matter what the original phase is, and since we are here encoding a bit “1″, the phase shifts again in the middle of the clock cycle.
The 2nd bit (b2) is quite the same since we are encoding a bit “1″ again:

A phase shift to begin the bit, and another one in the middle of the clock cycle. With the 3rd bit (b3), you should begin to understand the process. We are here encoding a bit “0″:

Again, the bit begins with a phase shift, but since we are encoding a bit “0″, we don’t shift the phase again during the clock cycle. That’s basically how we know, and the reader knows, the bit should be interpreted as a “0″ and not a “1″.
The 4th bit (b4) is a “1″ again:

And finally the 5th bit (b5), a “0″:

As you see it’s fairly easy to understand, but you have to pay attention to when a bit begins and ends. This will become very important when we’ll analyze the non-standard encoding scheme used by our photocopier card.

You may wonder how the decoder knows how long is a “clock cycle”, its time base. The answer is easy : we usually have a very long sequence of a constant square signal at the beginning of the magnetic stripe, interpreted as “0″s, and which therefore gives the decoder a time reference for further decoding.

Since we’re on our way to decode this signal, we could now go all the way. Assuming the card is using a BCD (5bit chunks) encoding scheme, and using the look-up table given earlier, this give us:

“11010″ decodes as the char “;”, which is for standard magnetic stripe cards, what we call a “start sentinel”, i.e. a char which announces the beginning of the real data. As you can also see in the look-up table, only the first 4 bits are really used, the 5th one is a parity bit. This means the 5th bit is set such as we always have an odd number of bit “1″ in a char. This is used as a consistency check in standard encoding schemes, to double-check whether or not the decoding is corrupted.

Exercise to the reader

To conclude with this common standard encoding, and as an small exercise, you could try to decode this signal (assuming a F2F analog encoding scheme, and a BCD digital encoding scheme):

End of part one. The next part will finally focus on our mysterious photocopier card.
Stay Tuned!