Reading the memory contents ("firmware") of a payphone card

Cards are connected to the computer for reading and writing mainly through the LPT (parallel) port.

Assemble the reader circuit (for 8-contact cards).

Figure: circuit for connecting cards to the computer.

Or wire it according to the table below (for 6-contact cards).

Card pinout (6-contact card) and where each contact goes:

Contact   Purpose               Where to connect
1         VCC (power)           +5V
2         RST (reset)           LPT pin 2
3         CLK (clock pulses)    LPT pin 3
4         GND (ground)          LPT pin 25
5         not used              -
6         I/O (input/output)    LPT pin 11

Power is taken from LPT pins 6-9 through fast (pulse) diodes, anodes toward the port; alternatively it can be taken from pin 1 of the game port (joystick port) or from the keyboard connector. Note that pins 6-9 are the data lines D4-D7 of the port, so the reader software has to keep those bits high for the card to be powered at all; pin 11 (BUSY) is an input that the port hardware reads inverted.
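As an added example (not the article's reader program and not code from any card vendor), here is what a reader built on this wiring has to do: power the card from the data lines, pulse RST, and clock the memory out one bit at a time through pin 11. The LPT register map it relies on is the standard PC one (data register 0x378 drives pins 2-9 bit by bit, status register 0x379 bit 7 reflects pin 11 inverted). The card protocol is an assumption, not something the article states: a plain synchronous memory card whose RST pulse resets an internal address counter to bit 0 and whose every CLK rising edge advances it by one bit, with bits packed LSB-first into bytes. The `SimulatedCard` and its 16-byte image are constructed so the loop can be run without hardware; check the protocol against your card's datasheet before trusting a real dump.

```python
import time

# LPT1 data register 0x378: bit n drives pin n+2. Status register 0x379:
# bit 7 is BUSY (pin 11), inverted by the port hardware.
DATA_REG = 0x378
STATUS_REG = 0x379

RST = 1 << 0          # data bit 0 -> LPT pin 2 -> card RST
CLK = 1 << 1          # data bit 1 -> LPT pin 3 -> card CLK
VCC = 0xF0            # data bits 4..7 -> LPT pins 6..9 -> +5V via the diodes
BUSY = 1 << 7         # status bit 7 <- LPT pin 11 <- card I/O (inverted)


def read_card(out, inp, nbytes=16, settle=lambda: time.sleep(10e-6)):
    """Clock nbytes out of the card.  out(value) writes the data register,
    inp() returns the status register, settle() lets the lines stabilise.
    ASSUMED protocol: RST pulse -> address 0; each CLK rising edge -> next bit."""
    data = bytearray()
    out(VCC); settle()                 # power up with RST and CLK low
    out(VCC | RST); settle()           # reset pulse: address counter -> 0
    out(VCC); settle()
    for _ in range(nbytes):
        byte = 0
        for bit in range(8):
            # a 1 on the card's I/O line arrives as a 0 in status bit 7
            io = 0 if inp() & BUSY else 1
            byte |= io << bit          # LSB-first packing (assumption)
            out(VCC | CLK); settle()   # rising edge: card advances one bit
            out(VCC); settle()
        data.append(byte)
    out(0)                             # drop VCC: card powered down
    return bytes(data)


class SimulatedCard:
    """Behavioural model of the assumed card so read_card can run offline."""
    def __init__(self, image):
        self.bits = [(b >> i) & 1 for b in image for i in range(8)]
        self.addr = 0
        self.last = 0

    def out(self, value):              # stands in for writing 0x378
        if value & RST and not self.last & RST:      # RST rising edge
            self.addr = 0
        elif value & CLK and not self.last & CLK:    # CLK rising edge
            self.addr = (self.addr + 1) % len(self.bits)
        self.last = value

    def inp(self):                     # stands in for reading 0x379
        io = self.bits[self.addr] if self.last & VCC else 0
        return 0 if io else BUSY       # the port inverts BUSY


def devport_io(base=DATA_REG):
    """Linux only, needs root: back out/inp with /dev/port at the LPT registers."""
    f = open("/dev/port", "r+b", buffering=0)
    def out(v): f.seek(base); f.write(bytes([v]))
    def inp(): f.seek(base + 1); return f.read(1)[0]
    return out, inp


# Constructed image in the layout described later in the article
# (header, serial, 5 unit bytes, FF, 2 check bytes) of a 1000-unit card.
SAMPLE_IMAGE = bytes.fromhex("E930FF01F73F59DC00017F0F3FFF686B")


def read_simulated(image=SAMPLE_IMAGE, repeat=1):
    """Read the same simulated card `repeat` times; a second read only matches
    the first if the RST pulse really rewinds the address counter."""
    card = SimulatedCard(image)
    return [read_card(card.out, card.inp, settle=lambda: None) for _ in range(repeat)]


if __name__ == "__main__":
    print(read_simulated()[0].hex(" ").upper())
```

With real hardware, pass the pair returned by `devport_io()` instead of the simulator's methods and keep the default `settle` delay; every write must keep bits 4-7 set, otherwise the card loses power mid-read and the rest of the dump comes back as all ones, the same symptom the article describes for a bad contact.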

Working with the software

Download (24 kb)

So, once everything is connected you can start working with the software. If everything is wired correctly, the following appears on the screen:

If every byte reads as FF in hex (11111111 in binary), then something is wired wrong or a contact is bad. At this point my task is done; the rest is up to you! This program is not just a simple reader: it can also remove units from the card...

  2. The physical ISO standard
The figure shows the numbering of chip-card contacts.

Type ISO 7816-1

  1. Vcc +5V

  2. R/W

  3. Clock

  4. Reset

  5. Gnd

  6. Vpp +21V

  7. I/O

  8. Fuse

Note that this contact assignment (taken from older payphone-card descriptions) differs from ISO 7816-2, which places RST on contact 2 and CLK on contact 3 and leaves contacts 4 and 8 reserved. The 6-contact pinout below is the ISO order with the two reserved pads omitted.

For 6-contact cards:

1 - VCC (power)

2 - RST (reset)

3 - CLK (clock pulses)

4 - GND (ground)

5 - not used

6 - I/O (input/output)

  What is written on the cards? (St. Petersburg cards)

   Meaning of each bit written on the card.

The card uses only 16 bytes. All the others read 0xFF.

Examples of card memory dumps

This 50-unit card is used up. Number 0050415503.

Valid until 30.09.98

E9, 30, FF, 01, F1, E2, 80, C0

00, 00, 00, 00, 00, FF, 18, EA

This 400-unit card is also used up. Number 0400155921.

Valid until 30.09.98

E9, 30, FF, 01, 88, A7, 9B, E8

00, 00, 00, 00, 00, FF, D9, 79

Here is a 1000-unit card with 998 units left. Number 1000013039.

Valid until 31.12.99

E9, 30, FF, 01, F7, 3F, 59, DC

00, 01, 7F, 0F, 3F, FF, 68, 6B

Then I made a call with this card. 6 units remain.

E9, 30, FF, 01, F7, 3F, 59, DC

00, 00, 00, 00, 3F, FF, 68, 6B

And finally it is used up.

E9, 30, FF, 01, F7, 3F, 59, DC

00, 00, 00, 00, 00, FF, 68, 6B

Field assignment

1. The first 4 bytes are some identifier. On all cards they are

E9, 30, FF, 01.

2. The next 4 bytes are the card's serial number. Reversing the order of the bits within each byte, and then the order of the bytes themselves, gives a 32-bit unsigned integer. For example, the bytes F7, 3F, 59, DC with their bits reversed become EF, FC, 9A, 3B; reversing the byte order gives the card number 0x3B9AFCEF, or 1000013039 in decimal. It is easy to see that the number printed on the card always has 10 digits, of which the first 4 are the card's capacity.

3. The next 5 bytes are the number of units remaining on the card. The storage format is curious: the value of each byte is its number of set bits, which are filled in from the least significant end. So byte 07 stands for 3 units, 1F for five, and 7F for seven. Since a byte holds at most seven units, each byte is one octal digit. Thus the bytes 00, 01, 7F, 0F, 3F correspond to 01746 in octal, or 998 units in decimal. The largest representable count is 77777 octal, or 32767 decimal.

4. The next byte is always FF. It appears to be unused.

5. The last two bytes appear to be a CRC or some other check value over the first 8 constant bytes: they do not change as units are spent, but they differ from card to card. Their exact purpose is not yet clear. The expiry date turned out not to be recorded on the card at all; apparently it is tied to the card number in some way.

Perhaps each expiry date corresponds to a certain range of numbers.

As already mentioned, of the 10 digits of the number the first 4 give the card's capacity. The remaining 6 do not identify the card unambiguously: more than a million cards have already been issued. In total, with this numbering scheme there can be 6 million cards:

* 25 units: numbers 0025000000 to 0025999999

* 50 units: numbers 0050000000 to 0050999999

* 100 units: numbers 0100000000 to 0100999999

* 200 units: numbers 0200000000 to 0200999999

* 400 units: numbers 0400000000 to 0400999999

* 1000 units: numbers 1000000000 to 1000999999
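The field layout worked out above, turned into a decoder as an added example (not code from the article). It reverses the serial-number bits and bytes, decodes the five thermometer-coded octal digits of the unit counter, and cross-checks the result against the rules the article gives: the fixed header, the capacity encoded in the first four digits of the number, and the capacity list above. The `DUMPS` table is constructed from the dumps printed earlier; `encode_units` is the inverse of the unit decoding, included only so the decoding can be checked by round trip.

```python
HEADER = bytes.fromhex("E930FF01")
CAPACITIES = (25, 50, 100, 200, 400, 1000)   # the denominations listed in the article

# Constructed from the dumps shown in the article (16 bytes each).
DUMPS = {
    "50-unit, used up":    "E930FF01F1E280C00000000000FF18EA",
    "400-unit, used up":   "E930FF0188A79BE80000000000FFD979",
    "1000-unit, 998 left": "E930FF01F73F59DC00017F0F3FFF686B",
    "1000-unit, 6 left":   "E930FF01F73F59DC000000003FFF686B",
    "1000-unit, used up":  "E930FF01F73F59DC0000000000FF686B",
}


def reverse_bits(b):
    """Mirror the eight bits of one byte: 0xF7 -> 0xEF."""
    return int(f"{b:08b}"[::-1], 2)


def serial_number(image):
    """Bytes 4..7: reverse the bits in each byte, then the byte order.
    Reversing the byte order is the same as reading them little-endian."""
    return int.from_bytes(bytes(reverse_bits(b) for b in image[4:8]), "little")


def is_thermometer(b):
    """True for 00, 01, 03, 07, ..., 7F: set bits contiguous from bit 0, at most seven."""
    return b <= 0x7F and b & (b + 1) == 0


def units(image):
    """Bytes 8..12: one octal digit per byte (its popcount), most significant first."""
    value = 0
    for b in image[8:13]:
        if not is_thermometer(b):
            raise ValueError(f"units byte {b:02X} is not a valid thermometer code")
        value = value * 8 + bin(b).count("1")
    return value


def encode_units(n):
    """Inverse of units(): 998 -> 00 01 7F 0F 3F."""
    if not 0 <= n <= 0o77777:
        raise ValueError("unit count out of range")
    digits = [(n >> (3 * i)) & 7 for i in range(4, -1, -1)]
    return bytes((1 << d) - 1 for d in digits)


def decode(image):
    """Decode one 16-byte image and sanity-check it against the article's rules."""
    if len(image) != 16 or image[:4] != HEADER:
        raise ValueError("not a card image with the expected header")
    serial = serial_number(image)
    capacity = serial // 10**6               # first 4 of the 10 printed digits
    if capacity not in CAPACITIES:
        raise ValueError(f"unknown capacity {capacity} in number {serial:010d}")
    remaining = units(image)
    if remaining > capacity:
        raise ValueError(f"{remaining} units left on a {capacity}-unit card")
    return {
        "number": f"{serial:010d}",
        "capacity": capacity,
        "units": remaining,
        "unused_byte": image[13],            # always FF in the dumps
        "check": image[14:16].hex().upper(), # purpose unknown; constant per card
    }


if __name__ == "__main__":
    for label, hexdump in DUMPS.items():
        print(f"{label:22s} {decode(bytes.fromhex(hexdump))}")
```

Running it over the five dumps reproduces the numbers and unit counts the article lists; the "6 left" and "used up" images of card 1000013039 decode with the same serial and the same check bytes, which is the observation behind item 5 above.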