
The rise and fall of the novice phreaker

For a long time I had been meaning to write something for Habr, nursing ideas for all sorts of articles on very clever topics. Instead, I will now describe one autobiographical episode, of which I am very proud technically, but of whose moral side I am deeply ashamed.

I will not hide names and details, because, first, it was a long time ago, and second, the story came to its own logical end, and I don't think any of the participants in those events treats them now as anything other than an instructive tale from their militant youth. Besides, the technical details are long obsolete and are unlikely to be of use to anyone (and in fact neither the source code nor the finished devices have survived, for the reasons described below).

So, it was in 1997, when I was a second-year student at the St. Petersburg Marine Technical University (SPbSMTU). I had come to Petersburg at the age of 21, quite deliberately, from the Kaliningrad region, where I had lived all my life until then. I arrived with a solid IT background, since I had been fanatically into programming from about the age of 13 (to give you a sense of the scale of the fanaticism: I wrote two games and a graphics editor for the UKNC in octal machine code, using only the processor debugger).

I studied in the same group as a man who was just as fanatically addicted to electronics, the absolute master of the soldering iron, Kirill. Somehow it just happened that the point where our efforts came together was the reverse engineering of the payment system of St. Petersburg payphones. Well, you know: parents far away, you need to call, there is no money, but there is free time and two foolish heads.
At that time payphones in St. Petersburg were run by SPT, St. Petersburg Payphones (they still are, though for obvious reasons not very successfully). Fairly modern devices by the standards of the time were installed throughout the city. I could not find the model number offhand; they looked like this (the picture I found is also not of the highest quality):

[image: an SPT payphone]

These payphones accepted chip cards of the ISO 7816-2 standard with a face value of 25 to 1000 units (one unit was a minute of local calling or a few seconds of long-distance). Having gathered all the information on card types and protocols that could be found at the time in FIDO and on the still-scarce Internet, we set to work. Fairly soon we had built a reader that connected to the computer's LPT port, and a program that read the cards' contents. A card is a small amount of memory, one part of which holds the remaining units and can be changed (only downwards); the other part holds service information: manufacturer, serial number, and something else.

Having accumulated enough knowledge of the exchange protocol between payphone and card, and having gathered a small collection of card dumps, we moved on to the maximum programme: building a card emulator that would behave like a regular card, except that the unit counter could be written with any value. The PIC16F84A microcontroller was chosen as the emulator's brain; its program was written in C, in the Borland C 3.0 environment. I handled the software side, that is, I wrote the program for the microcontroller and the utilities for the computer, while Kirill was the master of the microcontroller hardware and the monster of the soldering iron.

Building and debugging the first version of the emulator was hell. Hardware-wise, the first version was very unpretentious: a card with its native brains milled out, from which a harness stuck out, with a board carrying the controller and its support circuitry hanging off it. A square battery was, of course, bolted to the board with blue tape. Moreover, for lack of complete information we did a lot by guesswork (the protocol timings had to be found by trial and error), so picture the process of testing each new firmware build: "OK, we changed 10 to 12 here; let's walk a couple of kilometres through the frost to the nearest payphone, wait until there are no curious citizens around, plug the device into the payphone, see the message 'Error 8' for the hundredth time, swear quietly and go back." Now picture our joy when, on the hundred-and-first attempt, the emulator partially worked and the payphone showed the long-awaited "25 units". This stage took us about six months.

Another six months of improving the hardware followed; two intermediate versions of the emulator and countless firmware builds were made. At the time the final version of the hardware seemed to me the pinnacle of engineering: the magician Kirill managed to get rid of the external power supply (for which I also had to radically optimise the firmware, because the previous versions did not have time to start up: power was applied too shortly before data exchange began), and also replaced the DIP packages with SOIC. As a result, the emulator looked exactly like a regular card, with no beard of wires sticking out of the payphone. The microcontroller package hid in a small thickening filled with epoxy, in the spot where the payphone's card reader had a recess for the fingers. Unfortunately, there was nothing to photograph it with back then, so this masterpiece of electronics is lost to posterity.

Each time it was powered on, the emulator behaved like a pristine blank card of the face value stored in its firmware. Here, for the first time, we ran into the technical security measures built into the payphones' software. The measures were, I must say, very weak. The card dump flashed into the emulator stopped working a couple of days after we started using it. During those couple of days I managed to reset the card several times (needless to say, from the moment I had the first fully working version of the emulator I used it the whole time to call home). I don't know the exact details of the implementation, but it looked as though the centre analysed traffic and entered the card number into some kind of blacklist, which was then pushed out to all the payphones and stored locally there. Moreover, the two- or three-day delay hinted that this was done by hand.

The second protective measure was that some code was stored in the non-rewritable part of the card's memory, generated from the serial number and the original face value of the card (and perhaps something else). The algorithm that produced this code remained a mystery to us. It kept us from achieving complete perfection, that is, from generating fresh dumps on the fly in the microcontroller each time; we had to flash dumps taken from real used cards. At the time we hoped that by collecting enough card memory dumps we would be able to work out the hashing algorithm. But, as I have already written, those hopes were not destined to come true.

In search of donor cards we accidentally met the "Collector" (the cards came in very different designs, with series constantly being issued for holidays and events, so there were even people who collected used cards). We simply saw a guy at a tram stop with a stack of cards in his hands, struck up a conversation and invited him over to where the reader was. That is how we got about a hundred fresh card dumps. It also became the beginning of the end of the story, because the "Collector" turned out to be connected with the payphone company's security service. He introduced us to a certain citizen who was supposedly ready to buy the miracle device for a hundred dollars, quite a lot of money for students in those crisis years. We forgot all about secrecy and, flattered by the easy money, met the buyer and demonstrated the emulator's flawless operation to him ... The technical part of this story ended with the phrase "let's go down to the police station", after which a completely different, entirely predictable story began, which I will tell very briefly and without details.

So, we were caught, the capture of the century was shown on St. Petersburg TV, and the Internet still holds a couple of news items about us. There was a trial; we each received a two-year suspended sentence, which turned out to be enough to make me a purely positive IT person, which I advise everyone to be.

Source: https://habr.com/ru/post/191450/