

	      Electronic Telephone Cards: How to make your own!
	      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I guess that Sweden is not the only country that employs the electronic phone
card system from Schlumberger Technologies. This article will explain a bit
about the cards they use, and how they work. In the end of this article you
will also find an UUEncoded file which contains sourcecodes for a PIC16C84
microcontroller program that completely emulate a Schlumberger Telephone card
and of course printed circuit board layouts + component list... But before
we begin talking seriously of this matter I must first make it completely
clear that whatever you use this information for, is entirely YOUR
responsibility, and I cannot be held liable for any problems that the use
of this information can cause for you or for anybody else. In other words:
I give this away FOR FREE, and I don't expect to get ANYTHING back in return!

The Original Telephone Card:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since I probably would have had a hard time writing a better article than the
one Stephane Bausson from France wrote a while ago, I will not attempt to give
a better explanation than that one; I will instead incorporate it in this
phile, but I do want to make it clear that the following part about the cards
technical specification was not written by me: Merely the parts in quotes are
things added by me... Instead I will concentrate on explaining how to build
your own telephone card emulator and how the security measures in the payphone
system created by Schlumberger Technologies work, and how to trick it...
But first, let's have a look at the technical specifications of the various
"smart memory card" systems used for the payphones.


The Program:
~~~~~~~~~~~~
Well, when I saw this phile about the cards the first time, about a year ago
I quickly realized that this system is very unsecure and really needs to be
hacked. So, now I present you with a piece of software for the PIC 16C84 RISC
microcontroller from Microchip that will take care of emulating the cards
used by Schlumberger and others. This system is to be found in Scandinavia
(Sweden, Norway and Finland), Spain, France and other countries. I do know
that France probably needs some small modifications for this to work, but I
see no reason to as why it shouldn't do so! For this to work, you need to
have access to a PROM burner which can handle the PIC 16C84, or you might
just build one yourself as I include some plans for that in the UUEncoded
block to be found at the end of this phile. First of all, you have to read
off the first 12 bytes of data from a valid card from the country you wish
your emulator to work in. This because I don't think it would be a good idea
to publish stolen card identities in Phrack. Then you simply enter those 12
bytes of data in the proper place in my program and compile it. That's it...
And since I happen to choose a version of the PIC with internal Data EEPROM,
that means that the first 12 locations of the Data EEPROM should contain the
card id bytes. As of today this code should work smooth and fine, but maybe
you'll need to modify it later on when Schlumberger gets tired of my hack.
But since the PIC is a very fast and powerful microcontroller it might be
quite hard for them to come up with a solution to this problem. Let's have
a look at the PIC Software! (Note that the current version of Microchip's
PICSTART 16B package is unable to program the DATA EEPROM array in the 16C84
so if you are going to use that one, use the other version of the source code
which you'll find in the UUEncoded part!).


The Security System:
~~~~~~~~~~~~~~~~~~~~
The security of the Schlumberger card system depends strongly on two things:
the metal detector in the card reader which senses if there is any metal on
the card where there shouldn't be any metal. Circuit traces on a home built
card is definitively made of metal. So, we have to figure out a way of
getting around this problem... Well, that isn't really too hard! They made
one really big mistake: If the metal detector is grounded, it doesn't work!!
If you look at the printout of my layouts for this card you'll find one big
area of the board that is rectangle shaped. In this area you should make a
big blob of solder that is between 2-3 millimetres high (approximately!).
When the card slides into the phone, the blob should be touching the metal
detector and since the blob is connected to ground the detector is also
being grounded. The fone also counts the number of times the metal detector
gets triggered by foreign objects in the card reader (Meaning that the
phone companys security staff can see if someone's attempting to use a fake
card that doesn't have this counter-measure on it!) and this is of course
included in the daily service report the fone sends to the central computer.

The second security lies in the cards first 12 bytes, it's not just what it
appears to be: a serial number, it's more than that. Part of the first byte is
a checksum of the number of 1's in the 11 bytes following it. Then byte 2 is
always $83, identifying the card as an electronic phonecard. Byte 3 and 4 is
the number of units on the card: The first nibble of byte 3 is always $1 and
then in the remaining three nibbles the number of units is stored in BCD code,
for example $11,$22 means 120 units (Two units is always fused at the factory
as a test, see the text by Stephane Bausson!) Then we have 4 bytes of card
serial number data, 2 bytes of card checksum (calculated with a 16 bit key
stored in the payfone ROM), 1 byte that is always $11, and then at last, byte
12 which is the country identifier.

The Parts Needed:
~~~~~~~~~~~~~~~~~
	01 * PIC16C84, 4 MHz version, Surface Mounted (SOIC-18 Package)
	01 * 4 MHz Ceramic Resonator, Surface Mounted
	02 * 22 pF Capacitors, Surface Mounted (Size 1206).
	01 * 0.8mm thick singlesided circuit board with P20 photoresist

The Construction:
~~~~~~~~~~~~~~~~~
Since this project is obviously not intended for the novice in electronics
I will not go into the basic details of soldering/etching circuit boards. If
you do not know much of this, ask a friend who does for help. If you want to
reach me for help, write to Phrack and ask them to forward the letter to me
as I wish to remain anonymous - This project will probably upset a lot of
phone companies and last but not least the guys at Schlumberger Tech.