[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: Electronic Telephone Cards (Part I) ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #48 | Release date : 1996-01-09 | Editor : voyager
IntroductionPhrack Staff
Phrack Loopback / EditorialPhrack Staff
Line Noise (Part I)various
Line Noise (Part II)various
Phrack Pro-Philes on the New EditorsPhrack Staff
Motorola Command Mode InformationCherokee
Tandy / Radio Shack Cellular PhonesDamien Thorn
The Craft Access TerminalBoss Hogg
Information About NT's FMT-150/B/C/DStaTiC
Electronic Telephone Cards (Part I)unknown
Electronic Telephone Cards (Part II)unknown
Keytrap RevisitedSendai
Project Neptunedaemon9
IP-Spoofing Demystifieddaemon9
Netmondaemon9
The Truth...and Nothing but the TruthSteve Fleming
International Scenesvarious
Phrack World NewsDatastream Cowboy
Title : Electronic Telephone Cards (Part I)
Author : unknown
                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 10 of 18


              Electronic Telephone Cards: How to make your own!
              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I guess that Sweden is not the only country that employs the electronic
phone card systems from Schlumberger Technologies. This article will
explain a bit about the cards they use, and how they work. In the end of
this article you will also find an UUEncoded file which contains source
code for a PIC16C84 micro-controller program that completely emulates a
Schlumberger Telephone card and of course printed circuit board layouts
+ a component list... But before we begin talking seriously of this
matter I must first make it completely clear that whatever you use this
information for, is entirely YOUR responsibility, and I cannot be held
liable for any problems that the use of this information can cause for
you or for anybody else. In other words: I give this away FOR FREE, and
I don't expect to get ANYTHING back in return!

The Original Telephone Card:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since I probably would have had a hard time writing a better article
than the one Stephane Bausson from France wrote a while ago, I will not
attempt to give a better explanation than that one; I will instead
incorporate it in this phile, but I do want to make it clear that the
following part about the cards technical specification was not written
by me: Merely the parts in quotes are things added by me... Instead I
will concentrate on explaining how to build your own telephone card
emulator and how the security measures in the payphone system created by
Schlumberger Technologies work, and how to trick it... But first, let's
have a look at the technical specifications of the various "smart memory
card" systems used for the payphones.


<Start of text quoted from Stephane Bausson (sbausson@ensem.u-nancy.fr)>
------------------------------------------------------------------------------

===============================================================================
	      What you need to know about electronics telecards
===============================================================================

(C) 10-07-1993 / 03-1994
Version 1.06
Stephane BAUSSON

Email: sbausson@ensem.u-nancy.fr
Smail: 4, Rue de Grand; F-88630 CHERMISEY; France
Phone: (33)-29-06-09-89
-------------------------------------------------------------------------------
    Any suggestions or comments about phonecards and smart-cards are welcome
-------------------------------------------------------------------------------

			      Content
			     ---------

I ) The cards from Gemplus, Solaic, Schlumberger, Oberthur:

    I-1) Introduction:
    I-2) SCHEMATICS of the chip:
    I-3) PINOUT of the connector:
    I-4) Main features:
    I-5) TIME DIAGRAMS:
    I-6) Memory MAP of cards from France and Monaco:
    I-5) Memory MAP of cards from other countries:

II ) The cards from ODS: (German cards)

    II-1) Introduction:
    II-2) Pinout:
    II-3) Main features:
    II-4) Time Diagrams:
    II-5) Memory Map:
    II-6) Electrical features:


III) The Reader Schematic:

IV) The program:

-------------------------------------------------------------------------------

I ) The cards from Gemplus, Solaic, Schlumberger, Oberthur: (French cards)
    ======================================================================

    I-1) Introduction:
	 ------------

       You must not think that the electronics phone-cards are
completely secret things, and that you can not read the information that
is inside. It is quite false, since in fact an electronic phonecard does
not contain any secret information like credit cards, and an electronic
phonecard is nothing else than a 256 bit EPROM with serial output.

       Besides do not think that you are going to refill them when you
understand how they work, since for that you should reset the 256 bits
of the cards by erasing the whole card. But the chip is coated in UV
opaqued resin even if sometimes you can see it as transparent! Even if
you were smart enough to erase the 256 bits of the card you should
program the manufacturer area, but this is quite impossible since these
first 96 bits are write protected by a lock-out fuse that is fused after
the card programming in factory.

       Nevertheless it can be very interesting to study how these cards
work, to see which kind of data are inside and how the data are mapped
inside or to see how many units are left inside for example. Besides
there are a great number of applications of these cards when there are
used (only for personal usage of course) , since you can use them as key
to open a door, or you can also use them as key to secure a program,
etc...

       These Telecards have been created in 1984 and at this time
constructors decided to build these cards in NMOS technology but now,
they plan to change by 1994 all readers in the public to booths and use
CMOS technology. Also they plan to use EEPROM to secure the cards and to
add many useful informations in, and you will perhaps use phone cards to
buy you bread or any thing else.

These cards are called Second Generation Telecards.


    I-2) SCHEMATICS of the chip:
	 ----------------------

		    .-------------------.
		    |                   |
		  --|> Clk              |
		    | _                 |
		  --| R/W               |
		    |                   |
		  --| Reset             |
		    |                   |
		  --| Fuse              |
		    |                   |
		  --| Vpp               |
		    |                   |
		    |                   |
		    '-.               .-'
		      |               |
		    .-------------------.
		    |               Out |-- serial output
		    '-------------------'


    I-3) PINOUT of the connector:
	-------------------------


	  AFNOR CHIP                                   ISO CHIP
	  ----------                                   --------

 -------------+-------------                 -------------+-------------
|   8         |         4   |               |   1         |         5   |
|             |             |               |             |             |
+-------\     |     /-------+               +-------\     |     /-------+
|   7    +----+----+    3   |               |   2    +----+    +    6   |
|        |         |        |               |        |         |        |
+--------|         |--------+               +--------|         |--------+
|   6    |         |    2   |               |   3    |         |    7   |
|        +    +----+        |               |        +----+----+        |
+-------/     |     \-------+               +-------/     |     \-------+
|   5         |         1   |               |   4         |         8   |
|             |             |               |             |             |
 -------------+-------------                 -------------+-------------

				     NB: only the position of the chip is ISO
					 standardized and not the pinout

PINOUT:    1 : Vcc = 5V        5 : Gnd
------     2 : R/W             6 : Vpp = 21V
	   3 : Clock           7 : I/O
	   4 : Reset           8 : Fuse

    I-4) Main features:
	---------------

	- Synchronous protocol.
	- N-MOS technology.
	- 256x1 bit organization.
	- 96 written protected by a lock-out fuse.
	- Low power 85mW in read mode.
	- 21 V programming voltage.
	- Access time: 500ns
	- Operating range: -100C +700C
	- Ten year data retention.


    I-5) TIME DIAGRAMS:
	---------------

+21V                                     _____________
+5V ____________________________________|             |_________________ Vpp
					:             :
+5V                  ___________________:_____________:_________________ Reset
0V  ________________|                   :             :
		    :                   :             :
+5V     ____        :      ____         :       ______:______
0V  ___|    |_______:_____|    |________:______|      :      |__________ Clock
       :    :       :     :    :        :      :      :      :
+5V    :    :       :     :    :        :______:______:      :           _
0V  ___:____:_______:_____:____:________|      :      |______:__________ R/W
       :    :       :     :    :        :      :      :      :
+5V    :    :       :_____:    :________:      :      :      :__________
0V  XXXXXXXXXXXXXXXXX_____XXXXXX________XXXXXXXXXXXXXXXXXXXXXX__________ Out
       :    :       :     :    :        :<-----><---->:      :
       :    :       :     :    :        :10 to   10 to       :
       :    :       :     :    :        :50 ms   50ms        :
	Reset        Bit 1        Bit2                           Bit 3
	card        reading      reading  Bit2 writing to 1     reading



    I-6) MEMORY MAP of cards from France and Monaco:
	--------------------------------------------

Bytes       Bits      Binary     Hexa

		    +-----------+-----+
  1        1 --> 8  |           |     | ---> Builder code.
		    +-----------+-----+
  2       9 --> 16  | 0000 0011 | $03 | ---> a French telecard
		    +-----------+-----+
  3      17 --> 24  |           |     |
		    +-----------+-----+
  4      25 --> 32  |           |     |
		    +-----------+-----+
  5      33 --> 40  |           |     |
		    +-----------+-----+
  6      41 --> 48  |           |     |
		    +-----------+-----+
  7      49 --> 56  |           |     |
		    +-----------+-----+
  8      57 --> 64  |           |     |
		    +-----------+-----+
  9      65 --> 72  |           |     |
		    +-----------+-----+
 10      73 --> 80  |           |     |
		    +-----------+-----+
 11      81 --> 88  |           |     |
		    +-----------+-----+
 12      33 --> 40  | 0001 0011 | $13 | ---> 120 units card
		    | 0000 0110 | $06 | --->  50 units card
		    | 0000 0101 | $05 | --->  40 units card
		    +-----------+-----+
 13-31  97 --> 248  |           |     | ---> The units area: each time a unit
		    |           |     |      is used, then a bit is set to "1";
                    |           |     |      Generally the first ten units are
		    |           |     |      fused in factory as test.
		    |           |     |
		    |           |     |
		    |           |     |
		    +-----------+-----+
 32    249 --> 256  | 1111 1111 | $FF | ---> the card is empty
		    +-----------+-----+



    I-7) MEMORY MAP of the other cards:
	-------------------------------

Bytes       Bits      Binary     Hexa

		    +-----------+-----+
  1        1 --> 8  |           |     |
		    +-----------+-----+
  2       9 --> 16  | 1000 0011 | $83 | ---> a telecard
		    +-----------+-----+-----------+-----+
3-4      17 --> 32  | 1000 0000 | $80 | 0001 0010 | $12 | ---> 10 units card
		    |           |     | 0010 0100 | $24 | ---> 22 units card
		    |           |     | 0010 0111 | $27 | ---> 25 units card
		    |           |     | 0011 0010 | $32 | ---> 30 units card
		    |           |     | 0101 0010 | $52 | ---> 50 units card
		    |           |     | 1000 0010 | $82 | ---> 80 units card
		    | 1000 0001 | $81 | 0000 0010 | $02 | ---> 100 units card
		    |           |     | 0101 0010 | $52 | ---> 150 units card
		    +-----------+-----+-----------+-----+
  5      33 --> 40  |           |     |
		    +-----------+-----+
  6      41 --> 48  |           |     |
		    +-----------+-----+
  7      49 --> 56  |           |     |
		    +-----------+-----+
  8      57 --> 64  |           |     |
		    +-----------+-----+
  9      65 --> 72  |           |     |
		    +-----------+-----+
 10      73 --> 80  |           |     |
		    +-----------+-----+
 11      81 --> 88  |           |     |
		    +-----------+-----+
 12      89 --> 96  | 0001 1110 | $1E | ---> Sweden
		    | 0010 0010 | $22 | ---> Spain
		    | 0011 0000 | $30 | ---> Norway
		    | 0011 0011 | $33 | ---> Andorra
		    | 0011 1100 | $3C | ---> Ireland
		    | 0100 0111 | $47 | ---> Portugal
		    | 0101 0101 | $55 | ---> Czech Republic
		    | 0101 1111 | $5F | ---> Gabon
		    | 0110 0101 | $65 | ---> Finland
		    +-----------+-----+
 13-31  97 --> 248  |           |     | ---> The units area: each time a unit
		    |           |     |      is used, then a bit is set to "1";
		    |           |     |
		    |           |     |      Generally the first two units are
		    |           |     |      fused in factory as test.
		    |           |     |
		    |           |     |
		    +-----------+-----+
 32    249 --> 256  | 0000 0000 | $00 |
		    +-----------+-----+



II ) The cards from ODS, Giesecke & Devrient, ORGA Karten systeme,
     =============================================================
     Uniqua, Gemplus, Schlumberger and Oldenbourg Kartensysteme:
     ===========================================================

    II-1) Introduction:
	  ------------

        These cards are in fact 128 bit memory in NMOS technology, and
the map of these cards are the following:

	       64 bit EPROM written protected (manufacturer area).
	       40 bit EEPROM (5x8 bits).
	       24 bits set to "1".


    II-2) Pinout:
	 --------

	   ISO 7816-2

  -------------+-------------
 |   1         |         5   |        Pinout:
 |             |             |        -------
 +-------\     |     /-------+
 |   2    +----+    +    6   |          1 : Vcc = 5V    5 : Gnd
 |        |         |        |          2 : Reset       6 : n.c.
 +--------|         |--------+          3 : Clock       7 : I/O
 |   3    |         |    7   |          4 : n.c.        8 : n.c.
 |        +----+----+        |
 +-------/     |     \-------+      n.c. : not connected
 |   4         |         8   |
 |             |             |
  -------------+-------------


    II-3) Main features:
	 ---------------

	- ISO 7816- 1/2 compatible.
	- use a single 5V power supply.
	- low power consumption.
	- NMOS technology.

    II-4) Time Diagrams:
	----------------

Reset:
------
  The address counter is reset to 0 when the clock line CLK is raised
while the control line R is high. Note that the address counter can not
be reset when it is in the range 0 to 7.

      __________________
_____|                  |_____________________________________________ Reset
     :                  :
     :        _____     :  _____       _____       _____       _____
_____:_______|     |____:_|     |_____|     |_____|     |_____|     |_ Clk
     :       :          : :     :     :     :     :     :     :     :
_____:_______:__________:_:_____:_____:_____:_____:_____:_____:_____:_
_____:___n___|_____0____:_|_____1_____|_____2_____|_____3_____|___4_:_ (Address)
     :                  :       :           :           :           :
_____:                  :_______:___________:___________:___________:_
_____XXXXXXXXXXXXXXXXXXXX_______|___________|___________|___________|_ Data
Bit n                      Bit 0    Bit 1        Bit2       Bit3

   The address counter is incremented by 1 with each rising edge of the
clock signal Clk, for as long as the control line R remains low. The
data held in each addressed bit is output to I/O contact each time Clk
falls. It is not impossible to decrement the address counter, therefore
to address an earlier bit, the address counter must be reset then
incremented to require value.


Write:
------
   All unwritten or erased bits in the address 64-104 may be unwritten
to. When a memory cell is unwritten to, it is set to 0. The addressed
cell is unwritten to by the following sequence.

1- R is raised while Clk is low, to disable address counter increment
for one clock pulse.

2- Clk is then raised for a minimum of 10ms to write to the address bit.

When to write operation ends, and Clk falls, the address counter is
unlocked, and the content of the written cell, which is now 0, is output
to I/O contact if the operation is correct.

The next Clk pulse will increment the address by one, then the write
sequence can be repeated to write the next bit.

	      _____                                _____
____________|     |______________________________|     |_______________ Reset
            :                                    :
    ___     :           _____           ___      :           _____
___|   |____:__________|     |_________|   |_____:__________|     |____ Clk
   :        :          :     :         :   :     :          :     :
___:________:__________:_____:_________:___:_____:__________:_____:_____
n  |      n+1          |     n+2       |   :    n+3         |     :      (Addr)
---'--------:----------'-----:---------'---:-----:----------'-----:-----
            :          :     :             :     :          :     :
________   _:          :     : ____________:  ___:          :     :
________XXX_XXXXXXXXXXXXXXXXXXX____________ XX___XXXXXXXXXXXXXXXXXXXXXXX I/O
  n      n+1           :     :     n+1        n+2           :     :
                       :     :                              :     :
                        write                                write


WriteCarry:
-----------

   A counter is erased by performing the WRITECARRY sequence on the
stage of the next highest weighing to that to be erased.

The writecarry sequence is as follows:

1 - Set the address counter to an unwritten bit in the next highest
counter stage to that to be erased.

2 - Increment is disabled on the following rising edge of R where Clk
remains low.

3 - Clk is then raised for a minimum of 10ms, while R is low, to write
to the next address bit.

4 - R is the raised again while Clk remains low to disable increment a
second time.

5 - Clk is the raised for a minimum of 1ms, while R is low, to write to
the addressed bit a second time, erasing the counter level immediately
below that the addressed bit.

       _____                      _____
______|     |____________________|     |_________________________________  Rst
      :                          :
      :            _______       :              _______        ___
______:___________|       |______:_____________|       |______|   |______  Clk
      :           :       :      :             :       :      :   :
      :           :       :      :             :       :      :   :
<------------------------- address n ------------------------>:<--- n+1 ------
      :           :       :      :             :       :          :
      :           :       :      :             :       :          :
______:           :       :______:             :       :__________: _____
______XXXXXXXXXXXXXXXXXXXXX______XXXXXXXXXXXXXXXXXXXXXXX__________XX_____  I/O
		  :       :  n                 :       :     n        n+1
		  :       :                    :       :
		    Write                        Erase

     II-5) Memory Map:
	 -------------

Bytes       Bits      Binary     Hexa

		    +-----------+-----+
  1       1 -->   8 |           |     |
		    +-----------+-----+
  2       9 -->  16 | 0010 1111 | $2F | ---> Germany
		    | 0011 0111 | $37 | ---> Netherland
		    | 0011 1011 | $3B | ---> Greece
		    +-----------+-----+
  3      17 -->  24 |           |     |
  4      25 -->  32 |           |     | ---> Issuer area (written protected)
  5      33 -->  40 |           |     |
  6      41 -->  48 |           |     |
  7      49 -->  56 |           |     |
  8      57 -->  64 |           |     |
		    +-----------+-----+
  9      65 -->  72 |           |     | ---> c4096  )
 10      73 -->  80 |           |     | --->  c512  )
 11      81 -->  88 |           |     | --->   c64  ) 5 stage octal counter
 12      89 -->  96 |           |     | --->    c8  )
 13      97 --> 104 |           |     | --->    c0  )
		    +-----------+-----+
 14     105 --> 112 | 1111 1111 | $FF |
 15     113 --> 120 | 1111 1111 | $FF | ---> area of bits set to "1"
 16     120 --> 128 | 1111 1111 | $FF |
		    +-----------+-----+

The Issuer area:
----------------

    This issuer consists of 40 bits. The contents of the issuer area are
specified by the card issuer, and are fixed during the manufacturing
process. The contents of the issuer area will include data such as
serial numbers, dates, and distribution centers.

This area may only be read.

The Counter area:
-----------------

   The counter area stores the card's units. Its initial value is
specified by the card issuer and set during manufacturing.

The counter area is divided into a 5 stage abacus.

Note that you can only decrease the counter and it is not authorized to
write in the counter a value greater than the old value.


    I-6) Electrical features:
	--------------------

Maximum ratings:
----------------

		       +--------+------+------+------+
		       | Symbol | Min  |  Max | Unit |
+----------------------+--------+------+------+------+
| Supply voltage       |   Vcc  | -0.3 |    6 |   V  |
+----------------------+--------+------+------+------+
| Input voltage        |   Vss  | -0.3 |    6 |   V  |
+----------------------+--------+------+------+------+
| Storage temperature  |  Tstg  |  -20 |  +55 |  0C  |
+----------------------+--------+------+------+------+
| Power dissipation   |    Pd  |   -  |   50 |  mW  |
+----------------------+--------+------+------+------+


DC characteristics:
------------------
			    +--------+-----+-----+-----+------+
			    | Symbol | Min.| Typ.| Max.| Unit |
+---------------------------+--------+-----+-----+-----+------+
| Supply current            |   Icc  |  -  |  -  |   5 |   mA |
+---------------------------+--------+-----+-----+-----+------+
| Input Voltage (low)       |    Vl  |   0 |  -  | 0.8 |    V |
+---------------------------+--------+-----+-----+-----+------+
| Input voltage (high)      |    Vh  | 3.5 |  -  | Vcc |    V |
+---------------------------+--------+-----+-----+-----+------+
| Input current R           |    Ih  |  -  |  -  | 100 |   uA |
+---------------------------+--------+-----+-----+-----+------+
| Input current Clk         |    Il  |  -  |  -  | 100 |   uA |
+---------------------------+--------+-----+-----+-----+------+
| Output current (Vol=0.5V) |   Iol  |  -  |  -  |  10 |   uA |
+---------------------------+--------+-----+-----+-----+------+
| Output current (Voh=5V)   |   Ioh  |  -  |  -  | 0.5 |   mA |
+---------------------------+--------+-----+-----+-----+------+

AC characteristics:
------------------     +--------+------+------+------+
		       | Symbol | Min. | Max. | Unit |
+----------------------+--------+------+------+------+
| Pulse duration       |    tr  |   50 |   -  |  us  |
| R address reset      |        |      |      |      |
+----------------------+--------+------+------+------+
| Pulse duration       |    ts  |   10 |   -  |  us  |
| R write              |        |      |      |      |
+----------------------+--------+------+------+------+
| High level Clk       |    th  |    8 |   -  |  us  |
+----------------------+--------+------+------+------+
| Low level Clk        |    tl  |   12 |   -  |  us  |
+----------------------+--------+------+------+------+
| Write window         | Twrite |   10 |   -  |  ms  |
+----------------------+--------+------+------+------+
| Erase window         | Terase |   10 |   -  |  ms  |
+----------------------+--------+------+------+------+
|                      |   tv1  |    5 |   -  |  us  |
+----------------------+--------+------+------+------+
|                      |   tv2  |  3.5 |   -  |  us  |
+----------------------+--------+------+------+------+
|                      |   tv3  |  3.5 |   -  |  us  |
+----------------------+--------+------+------+------+
|                      |   tv4  |  3.5 |   -  |  us  |
+----------------------+--------+------+------+------+
|                      |   tv5  |  3.5 |   -  |  us  |
+----------------------+--------+------+------+------+
|                      |   tv6  |    5 |   -  |  us  |
+----------------------+--------+------+------+------+
|                      |   tv7  |    5 |   -  |  us  |
+----------------------+--------+------+------+------+
|                      |   tv8  |   10 |   -  |  us  |
+----------------------+--------+------+------+------+



III) The Reader Schematic:
    ======================

   External 5V (Optional)

5V o------,
	  |                 /             T2  PNP      d13  r7 10
0V o--,   |                /               BC 177     |\ |  _____
      |   |      ,-------o/   o--*------. E      C .--| >+-[_____]--------,
    __+__ |      |               |       \        /   |/ |                |
    \\\\\ |    __|__ Battery     |         \    /                         |
	  |      -   22.5V       |       ---------                        |
.......   |      |               |   _____   |   _____                    |
       :  |    __+__             +--[_____]--*--[_____]--,                |
   D2  :  |    \\\\\                r6 150k     r5 15k   |                |
4 o-------|---------------------------*------------------|-------------,  |
       :  |                           |   r3 220k       / C            |  |
   Ack :  |                           |   _____      |/    T1 - NPN    |  |
10 o------|--------.                  '--[_____]-*---|      BC107      |  |
       :  |        |                      _____  |   |\                |  |
       : ,-,      ,-,                 +--[_____]-'      \ E            |  |
       : | |r2    | |r1               |  r4 390k         |             |  |
       : | |220   | |22k            __+__              __+__           |  |
       : |_|      |_|               \\\\\              \\\\\           |  |
       :  |  |\ |  |                                                   |  |
       :  *--| >+--|----------------*----------------------------------|--*
       :  |  |/ |  |          ,-----|-----------------------------,    |  |
       :  |  d1    |          |     |   ,----------,----------,   |    |  |
       :  |        |          |     *---|--*  Fuse | Reset *--|---'    |  |
       :  |        |          |     |   |----------|----------|        |  |
   D0  :  |        |          |   ,-|---|--*   I/O | Clk   *--|---,    |  |
2 o-------|--------|----------'   | |   |----------|----------|   |    |  |
       :  |        |              | '---|--*   Vpp | R/W   *--|---|----'  |
  Busy :  |        |              |     |----------|----------|   |       |
11 o------|--------|--------------' ,---|--*   Gnd | 5V    *  |   |       |
       :  |        |                |   '----------'-------|--'   |       |
   D1  :  |        |              __+__    Chip connector  |      |       |
3 o-------|--------|--------,     \\\\\                    |      |       |
       :  |        |        '------------------------------|------'       |
  Str  :  |  |\ |  |                                       |              |
1 o-------*--| >+--*----*----*----*----*-------------------'              |
       :   d2|/ |  |d3  |d4  |d5  |d6  |d7                                |
       :          -+-  -+-  -+-  -+-  -+-                                 |
       :          /_\  /_\  /_\  /_\  /_\                                 |
   D3  :           |    |    |    |    |   |\ | d8                        |
5 o----------------*----|----|----|----|---| >+-------*-------------------'
       :                |    |    |    |   |/ |       |
       :                |    |    |    |              |
   D4  :                |    |    |    |   |\ | d9    |
6 o---------------------*----|----|----|---| >+-------*
       :                     |    |    |   |/ |       |
       :                     |    |    |              |
   D5  :                     |    |    |   |\ | d10   |
7 o--------------------------*----|----|---| >+-------*
       :                          |    |   |/ |       |
       :                          |    |              |
   D6  :                          |    |   |\ | d11   |
8 o-------------------------------*----|---| >+-------*
       :                               |   |/ |       |
       :                               |              |
   D7  :                               |   |\ | d12   |
9 o------------------------------------*---| >+-------'
       :                                   |/ |
       :
       :
25 o------.
       :  |
.......:  |                                 d1 to d13: 1N4148
	__+__
	\\\\\

Centronics port




IV) The program:
    ===========

    The following program will enable you to read telecards on you PC if you
build the reader.

--------------- cut here (begin)
{*****************************************************************************}
{                             T E L E C A R D . PAS                           }
{*****************************************************************************}
{   This program enable you to dumb the memory of electronics phonecards      }
{   from all over the world, so that you will be able to see which country    }
{   the card is from how many units are left and so on ....                   }
{*****************************************************************************}
{                                                                             }
{                        Written by Stephane BAUSSON (1993)                   }
{                                                                             }
{                         Email: sbausson@ensem.u-nancy.fr                    }
{                                                                             }
{                       Snail Mail Address: 4, Rue de Grand                   }
{                                           F-88630 CHERMISEY                 }
{                                           France                            }
{                                                                             }
{*****************************************************************************}
{* Thanks to: Tomi Engdahl (Tomi.Engdahl@hut.fi)                             *}
{*****************************************************************************}

USES crt,dos;

CONST port_address=$378;     { lpr1 chosen }

TYPE string8=string[8];
     string2=string[2];

VAR reg         : registers;
    i,j         : integer;
    Data        : array[1..32] of byte;
    car         : char;
    byte_number : integer;
    displaying  : char;

{-----------------------------------------------------------------------------}

PROCEDURE Send(b:byte);

  BEGIN port[port_address]:=b;
  END;

{-----------------------------------------------------------------------------}

FUNCTION Get:byte;

  BEGIN get:=port[port_address+1];
  END;

{-----------------------------------------------------------------------------}
{ FUNCTION dec2hexa_one(decimal_value):hexa_character_representation;         }
{                                                                             }
{       - convert a 4 bit long decimal number to hexadecimal.                 }
{-----------------------------------------------------------------------------}

FUNCTION dec2hexa_one(value:byte):char;

  BEGIN case value of
	  0..9   : dec2hexa_one:=chr(value+$30);
	  10..15 : dec2hexa_one:=chr(value+$37);
	END;
  END;

{-----------------------------------------------------------------------------}
{ FUNCTION d2h(decimal_byte):string2;                                         }
{                                                                             }
{       - convert a decimal byte to its hexadecimal representation.           }
{-----------------------------------------------------------------------------}

FUNCTION d2h(value:byte):string2;

  VAR msbb,lsbb:byte;

  BEGIN msbb:=0;
	if ( value >= $80 ) then
	BEGIN msbb:=msbb+8;
	      value:=value-$80;
	END;
	if ( value >= $40 ) then
	BEGIN msbb:=msbb+4;
	      value:=value-$40;
	END;
	if ( value >= $20 ) then
	BEGIN msbb:=msbb+2;
	      value:=value-$20;
	END;
	if ( value >= $10 ) then
	BEGIN msbb:=msbb+1;
	      value:=value-$10;
	END;

	lsbb:=0;
	if ( value >= $08 ) then
	BEGIN lsbb:=lsbb+8;
	      value:=value-$08;
	END;
	if ( value >= $04 ) then
	BEGIN lsbb:=lsbb+4;
	      value:=value-$04;
	END;
	if ( value >= $02 ) then
	BEGIN lsbb:=lsbb+2;
	      value:=value-$02;
	END;
	if ( value >= $01 ) then
	BEGIN lsbb:=lsbb+1;
	      value:=value-$01;
	END;
	d2h := dec2hexa_one(msbb) + dec2hexa_one(lsbb);
  END;

{-----------------------------------------------------------------------------}

Function Binary( b : byte):string8;

  var weight : byte;
      s      : string8;

  BEGIN weight:=$80;
	s:='';
	while (weight > 0) do
	BEGIN if ((b and weight) = weight) then s:=s+'1'
	      else s:=s+'0';
	      weight:=weight div $02;
	END;
	Binary:=s;
  END;

{-----------------------------------------------------------------------------}

FUNCTION Units:byte;

  VAR  u, i : integer;
       s    : string8;

  BEGIN u:=0;
	i:=13;
	while (Data[i] = $FF) do
	BEGIN u:=u+8;
	      i:=i+1;
	END;
	s:=Binary(Data[i]);
	while(s[1]='1') do
	      BEGIN inc(u);
	      s:=copy(s,2,length(s));
	END;
	units:=u;
  END;

{-----------------------------------------------------------------------------}

function Units_2:LongInt;

  BEGIN Units_2:=4096*Data[9]+512*Data[10]+64*Data[11]+8*Data[12]+Data[13];
  END;

{-----------------------------------------------------------------------------}

PROCEDURE Card_Type;

  BEGIN case Data[2] of
	 $03: BEGIN write('Telecard - France - ');
		    case Data[12] of
		     $13: write('120 Units - ',units-130,' Units left');
		     $06: write('50 Units - ',units-60,' Units left');
		     $15: write('40 Units - ',units-40,' Units left');
		    END;
	      END;
	 $2F:BEGIN write('Telecard - Germany - ', Units_2, ' Units left');
	     END;
	 $3B:BEGIN write('Telecard - Greece - ', Units_2, ' Units left');
	     END;
	 $83:BEGIN write('Telecard');
		   case Data[12] of
		     $1E: write(' - Sweden');
		     $30: write(' - Norway');
		     $33: write(' - Andorra');
		     $3C: write(' - Ireland');
		     $47: write(' - Portugal');
		     $55: write(' - Czech Republic');
		     $5F: write(' - Gabon');
		     $65: write(' - Finland');
		   END;
		   if (Data[12] in [$30,$33,$3C,$47,$55,$65]) then
		   BEGIN case ((Data[3] and $0F)*$100+Data[4]) of
			  $012: write (' - 10 Units - ',units-12,' Units left');
			  $024: write (' - 22 Units - ',units-24,' Units left');
			  $027: write (' - 25 Units - ',units-27,' Units left');
			  $032: write (' - 30 Units - ',units-32,' Units left');
			  $052: write (' - 50 Units - ',units-52,' Units left');
			  $067: write (' - 65 Units - ',units-62,' Units left');
			  $070: write (' - 70 Units - ',units-70,' Units left');
			  $102: write (' - 100 Units - ',units-102,' Units left');
			  $152: write (' - 150 Units -  ',units-152,' Units left');
			 END;
		    END;
{                    write(' - N0 ',Data[5]*$100+Data[6]);}
	      END;
	END;
  END;

{-----------------------------------------------------------------------------}

PROCEDURE waiting;

  BEGIN send($00);
	write('Enter a card in the reader and press a key ...');
	repeat until key pressed;
	gotoxy(1, wherey);
	clreol;
  END;

{-----------------------------------------------------------------------------}

PROCEDURE Full_Displaying;

  BEGIN writeln('Memory dump:');
	for i:=1 to 80 do write('-');
	for i:=1 to (byte_number div 6 + 1) do
	BEGIN for j:=1 to 6 do
	      BEGIN if j+6*(i-1) <= byte_number then write(binary(Data[j+6*(i-1)]):9);
	      END;
	      gotoxy(60,wherey);
	      for j:=1 to 6 do
	      if j+6*(i-1) <= byte_number then write(d2h(Data[j+6*(i-1)]),' ');
	      writeln;
	END;
	for i:=1 to 80 do write('-');
	Card_Type;
	writeln;
  END;

{-----------------------------------------------------------------------------}

PROCEDURE Short_Displaying;

  VAR j : integer;

  BEGIN for j:=1 to byte_number do
	BEGIN write(d2h(Data[j]),' ');
	END;
	writeln;
  END;

{-----------------------------------------------------------------------------}

PROCEDURE Reading;

  VAR i, j  : integer;
      Value : byte;

  BEGIN send($FE);
	send($F8);
	for i:=1 to 32 do
	BEGIN Value:=0;
	      for j:=1 to 8 do
	      BEGIN Value:=Value*$02 + ((get and $08) div $08);
		    send($FB);
		    delay(1);
		    send($F8);
	      END;
	      Data[i]:=Value;
	END;
	case displaying of
	  'F':full_displaying;
	  'S':short_displaying;
	END;
  END;

{-----------------------------------------------------------------------------}

PROCEDURE writing;

  VAR i,n:integer;
      car:char;

  BEGIN write('Which bit do you want to set to "1" : ');
	readln(n);

	waiting;
	car:=readkey;

	send($FA);
	send($F8);
	for i:=1 to n do
	BEGIN send($F9);
	      if i=n then
	      BEGIN send($FD);
		    delay(20);
		    send($FF);
		    delay(20);
	      END;
	      send($FB);
	END;
	reading;
  END;

{-----------------------------------------------------------------------------}

PROCEDURE Saving;

  VAR filename : string;
      f        : text;
      i        : word;

  BEGIN write('Enter the filename: ');
	readln(filename);
	assign(f, filename);
	rewrite(f);
	for i:=1 to byte_number do write(f,d2h(Data[i]),' ');
	close(f);
  END;

{-----------------------------------------------------------------------------}

PROCEDURE initialize;

  VAR i : integer;

  BEGIN byte_number:=32;
	displaying:='F';
	clrscr;
	writeln(' 1 - to dump a 256 bits card');
	writeln(' 2 - to dump a 128 bits card');
	writeln(' F - to display in full format');
	window(41,1,80,25);
	writeln(' S  - to display in short format');
	writeln(' F2 - to save in a file');
	writeln(' Q  - to exit the program');
	window(1,4,80,25);
	for i:=1 to 80 do write('=');
	window(1,5,80,25);
  END;

{=============================================================================}

BEGIN initialize;
      repeat waiting;
	     car:=upcase(readkey);
	     case car of
	      'W':writing;
	      'Q':;
	      '1':byte_number:=32;
	      '2':byte_number:=16;
	      'F','S':displaying:=car;
	      #00: BEGIN car:=readkey;
			 if car=#60 then saving;
		   END;
	      else reading;
	     END;
      until car='Q';
END.
--------------- cut here (end)





	_/_/_/_/_/               Stephane BAUSSON
       _/_/_/_/_/    Engineering student at ENSEM (Nancy - France)
      _/_/_/_/_/   Smail: 4, Rue de Grand, F-88630 CHERMISEY, France
     _/_/_/_/_/
    _/_/_/_/_/            Email: sbausson@ensem.u-nancy.fr

------------------------------------------------------------------------------
<End of text quoted from Stephane Bausson's text about the telephone cards>.

[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.