Electronic Telephone Cards: How to make your own!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I guess that Sweden is not the only country that employs the electronic phone
card system from Schlumberger Technologies. This article will explain a bit
about the cards they use, and how they work. In the end of this article you
will also find an UUEncoded file which contains sourcecodes for a PIC16C84
microcontroller program that completely emulate a Schlumberger Telephone card
and of course printed circuit board layouts + component list... But before
we begin talking seriously of this matter I must first make it completely
clear that whatever you use this information for, is entirely YOUR
responsibility, and I cannot be held liable for any problems that the use
of this information can cause for you or for anybody else. In other words:
I give this away FOR FREE, and I don't expect to get ANYTHING back in return!
The Original Telephone Card:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since I probably would have had a hard time writing a better article than the
one Stephane Bausson from France wrote a while ago, I will not attempt to give
a better explanation than that one; I will instead incorporate it in this
phile, but I do want to make it clear that the following part about the cards
technical specification was not written by me: Merely the parts in quotes are
things added by me... Instead I will concentrate on explaining how to build
your own telephone card emulator and how the security measures in the payphone
system created by Schlumberger Technologies work, and how to trick it...
But first, let's have a look at the technical specifications of the various
"smart memory card" systems used for the payphones.
<Start of text quoted from Stephane Bausson (sbausson@ensem.u-nancy.fr)>
------------------------------------------------------------------------------
===============================================================================
What you need to know about electronics telecards
===============================================================================
(C) 10-07-1993 / 03-1994
Version 1.06
Stephane BAUSSON
Email: sbausson@ensem.u-nancy.fr
Smail: 4, Rue de Grand; F-88630 CHERMISEY; France
Phone: (33)-29-06-09-89
-------------------------------------------------------------------------------
Any suggestions or comments about phonecards and smart-cards are welcome
-------------------------------------------------------------------------------
Content
---------
I ) The cards from Gemplus, Solaic, Schlumberger, Oberthur:
I-1) Introduction:
I-2) SCHEMATICS of the chip:
I-3) PINOUT of the connector:
I-4) Main features:
I-5) TIME DIAGRAMS:
I-6) Memory MAP of cards from France and Monaco:
I-5) Memory MAP of cards from other countries:
II ) The cards from ODS: (German cards)
II-1) Introduction:
II-2) Pinout:
II-3) Main features:
II-4) Time Diagrams:
II-5) Memory Map:
II-6) Electrical features:
III) The Reader Schematic:
IV) The program:
-------------------------------------------------------------------------------
I ) The cards from Gemplus, Solaic, Schlumberger, Oberthur: (French cards)
======================================================================
I-1) Introduction:
------------
You must not think that the electronics phone-cards are completly secret
things, and that you can not read the informations that are inside. It is quite
false, since in fact an electronic phonecard does not contain any secret
information like credit cards, and an electronic phonecard is nothing else that
an 256 bits EPROM, with serial output.
Besides do not think that you are going to refilled them when you will
have understood how they work, since for that you should reset the 256 bits of
the cards by erasing the whole card. But the chip is coated in UV opaqued resin
even if sometime you can see it as tranparent! Even if you were smart enough to
erase the 256 bits of the card you should program the manufactuer area, but
this is quite imposible since these first 96 bits are writing protected by a
lock-out fuse that is fused after the card programing in factory.
Neithertheless it can be very interesting to study how these cards work, to
see which kind of data are inside and how the data are maped inside or to see
how many units are left inside for exemple. Besides there are a great number of
applications of these cards when there are used (only for personal usage of
course) , since you can use them as key to open a door, or you can also use them as
key to secure a program, etc ....
These Telecards have been created in 1984 and at this time constructors
decided to build these cards in NMOS technology but now, they plan to change by
1994 all readers in the public to booths and use CMOS technology. Also they
plan to use EEPROM to secure the cards and to add many usefull infornations in,
and you will perhaps use phone cards to buy you bread or any thing else.
These cards are called Second Generation Telecards.
I-2) SCHEMATICS of the chip:
----------------------
.-------------------.
| |
--|> Clk |
| _ |
--| R/W |
| |
--| Reset |
| |
--| Fuse |
| |
--| Vpp |
| |
| |
'-. .-'
| |
.-------------------.
| Out |-- serial output
'-------------------'
I-3) PINOUT of the connector:
-------------------------
AFNOR CHIP ISO CHIP
---------- --------
-------------+------------- -------------+-------------
| 8 | 4 | | 1 | 5 |
| | | | | |
+-------\ | /-------+ +-------\ | /-------+
| 7 +----+----+ 3 | | 2 +----+ + 6 |
| | | | | | | |
+--------| |--------+ +--------| |--------+
| 6 | | 2 | | 3 | | 7 |
| + +----+ | | +----+----+ |
+-------/ | \-------+ +-------/ | \-------+
| 5 | 1 | | 4 | 8 |
| | | | | |
-------------+------------- -------------+-------------
NB: only the position of the chip is ISO
standardized and not the pinout
PINOUT: 1 : Vcc = 5V 5 : Gnd
------ 2 : R/W 6 : Vpp = 21V
3 : Clock 7 : I/O
4 : Reset 8 : Fuse
I-4) Main features:
---------------
- Synchronous protocol.
- N-MOS technology.
- 256x1 bit organisation.
- 96 written protected by a lock-out fuse.
- Low power 85mW in read mode.
- 21 V programming voltage.
- Access time: 500ns