TUCoPS :: Hardware Hacks :: 170rev.txt

Model 170 Card Reader Reverse Engineering

Primitive Model 170 Card Reader Reverse Engineering
---------------------------------------------------



Introduction:
-------------

Recently I, *ahem*, acquired an American Magnetics model 170 card
reader. Originally, I thought I was getting a 171, which have various
SDKs and even an RS-232 jack on the back of them, which would have
made it very easy to produce some software for it.

But in an effort to always look on the bright side of things, I've
embarked on a small effort to find a method of interfacing one of
these things with a PC, but thanks to the inaccurate documentation
available, it's turning out to be a bit of a struggle. If you have any
info on these card readers, I'd love to hear about it.



Official Specs:
---------------

These card readers are supposed to support reading from magstripes,
and reading/writing to smart cards. They are supposed to be incredibly
durable little machines, specifically tuned toward fraud protection.
They apparently have an anti fraud censor that will be able to detect
any wires attached to an inserted card which is supposed to defeat a
common smart card attack. It's supposed to operate comfortably between
-25 and 70 degrees celcius, and is guaranteed for at least .5 million
card insertions.

It is supposed to come with a 26 pin, right angle, mount header with
a Molex part number of 87049-2616, and has an option for a latch
motor inside of it.



Actual Specs:
-------------

The one that I got is quite a bit different. All of the physical
specs seem to coincide with the published details. The pictures
match up, and mine even says "170 TDA,HD UP,FLG,SM,NT" on it,
whatever the fuck that means. It also has "P/N 509892-002C REV:C"
below that. I assume that means Part number and Revision. It also
has an S/N on it, which I assume stands for serial number.

It has 2 cool insertion detection mechanisms on it. It has the
very cool smart card thingies on it, and an even cooler magnetic
read head on it, but no latch motor, unfortunatley.

By the way, it's got the cool American Magnetics Eagle logo on it, 
a bar code, and, if you were wondering, American Magnetics has their
products made in China. A little ironic, hm?

But that's where the similarities stop. Mine has an unlabeled ribbon
cable connector with only 14 pins on it, making their pin listings
in their PDF completely useless to me. Oh well.




Reverse Engineering:
--------------------

So, what do you do if you've got a piece of undocumented hardware that
you desperatley want to interface with a PC? Good old mind numbing,
painstakingly tedious reverse engineering.

What I've done so far is measure the resistance between every pin while
there is no current flowing in the circuit at all, and while the
card reader was in 3 different states: Empty, Card partially inserted,
and Card fully inserted. Here's my results:


Resistance between pins:

2 and 4 - Norm: Low resitance. Once fully inserted, jumps to high resistance.

2 and 6 - Norm: Medium resistance. Seems to be slight changes in resistance
                as card is inserted.

2 and 9 - Norm: Low resistance. Jumps to high when card is partially
          inserted.

2 and 12 - Same as 2 and 4.

4 and 6 - Norm: Medium resistance. Slight change when card inserted.

4 and 9 - Same as 2 and 4.

4 and 10 - Same as 2 and 4 with more subtle jumps in resistance.

4 and 11 - Same as 2 and 4.

6 and 9 - Same as 2 and 4.

6 and 11 - Medium, unchanging resistance.

6 and 12 - Same as 2 and 4.

9 and 11 - Same as 2 and 4.

9 and 12 - Same as 2 and 4.

11 and 12 - Medium, unchanging resistance.


Note: All combinations not mentioned didn't permit electrical flow between
them.


Smart card connections:

Ok, another thing I've done is check the conductivity between the
smart card contacts and the pins on the ribbon cable.

Ok, I'm not exactly sure about wether there is some sort of convention
about calling the card contacts certain numbers, so I'll just give you
some ASCII art:

Here's your card:        Here's my numbering scheme:
/-------------\            /-------------\
|             |            |             |
|   O O O O   |            |   1 2 3 4   |
|   O O O O   |            |   5 6 7 8   |
|             |            |             |
|             |            |             |
|             |            |             |
|             |            |             |
\-------------/            \-------------/

As you can see, the one towards the end of the reader is the first row.
Anyways, it turns out there is a direct path between the contacts on
the card reader and the pins on the ribbon cable. Here they are:

Contact      Pin
   1.........10
   2.........7
   3.........2
   4.........5
   5.........13
   6.........8
   7.........14
   8.........3

I can't really see any pattern. Hmm... No bother.



Summary:
--------

So, what does this tell us? Not much, unfortunatley. However, knowledge of
these pins will be essential in the final software, I imagine.

However, it would be concievable that somebody would want to make a short
little program than once hooked up to the card reader would tell you
on your monitor wether there was a card inside it or not. I think I'll
try to make this as soon as I can get enough time to hack around with
a serial port, or go buy a bi-directional parallel cable...

The smart card can concievably be much more useful. You could directly
connect it to a parallel port and run software directly from that. See the
references section at the bottom for more info. Eventually, I'd like the
software set that I hope to produce to be able to support smart cards
in full.

Eventually I would like to see a full software set with all the bells and
whistles available for it, so everyone can see what exactly is stored on
their magstripes or smart cards. Let me know if you would like to help
out with this project.


Also, more stuff you might want to read:


This proves to be an effective way to get a model 170 card reader.
And the price is right:
http://www.hackcanada.com/canadian/payphones/payfone_assault.html

This documentation doesn't help a lot... But it's still useful... Kinda...
http://www.magstripe.com/manuals/UG-170F(C).pdf

Info on interfacing a smart card reader (Possibly The 170) with a parallel port.
http://hackcanada.com/ice3/card/pcsmart.html

Some (ugh) BASIC programs on manipulating certain types of smart cards. Not
to practical, but great proof of concept examples.
http://hackcanada.com/ice3/card/1smart.bas
http://hackcanada.com/ice3/card/2smart.bas




Good luck,

Fractal

06/17/2001

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH