I recently got my hands on an old key-card terminal. I decided to take it apart and figure out how it worked.
It is quite heavy for its size, the case is made out of 2mm thick stainless steel. It weighs about 0.7 kg.
The front is attached to the main pcb with 7-wire connector. It turned out to be an ordinary 4*3 button array. The connected wires were:
Rows, top-down: brown, blue, green, white
Columns, left-right: black, red, purple
The pcb is all through-hole technology. There is no microcontroller, no epoxy blobs and all the IC's are from the 74HC and 4000 series, so the circuit should be fairly easy to reverse engineer.
The card reader was easily removed.
Swedish quality.
I guess this board was manufactured in march 1999. I could not find any information on ASI konsult, but Teletron was a Swedish security systems company that merged with ISEC in 2002 and was declared bankrupt in 2003.
I thought the card reader could be a good part to start analyse.
The first hit on google revealed the
datasheet! =) It is a single track reader for track 2 of a magnetic card.
I hooked it up to my BusPirate:
I used the
raw-bitbang-mode of the BusPirate to read out data from the data and clock lines. With a few lines of python code I ended up with this plot after swiping an old discount card:
The blue line is the clock and the red is the data line. (The units on the horizontal axis are the sample numbers.) This looks very much like figure 2-2 in the datasheet.
Sampling the data for every falling edge on the clock resulted in this binary data:
...0000000011010100111110010101010000100011001000100100010011110010110101000111001001100001001001011010000010000000101000111110111000000000...
The
Wikipedia article on magnetic cards describes the format of track 2. With this information, the bits were decoded to:
;9752238293627904=1109?6
Wich is the card number and expiration date. The '6' in the end is the checksum; all values xor:ed together should equal 0.
This started out well, I'll have a closer look at the PCB later on.
