The rise and fall of a novice phreaker

For a long time I had been meaning to write something for Habr; I had ideas for all sorts of articles on very clever topics. Instead, I will now describe one autobiographical episode of which I am very proud in technical terms, and which I deeply regret in moral terms.

I will not hide names and details because, firstly, it was a long time ago, and secondly, it ended in a way that was logical for me, and I don't think that any of the participants in those events still regard them as anything but an instructive story from a turbulent youth. Besides, the technical details became outdated long ago and are unlikely to be of use to anyone (and, in fact, neither the source code nor the finished devices have survived, for the reasons described below).

So, it was 1997, and I was a second-year student at the St. Petersburg "Ship" institute (SPbGMTU). I had come to Petersburg at the age of 21, already quite grown up, from the Kaliningrad Region, where I had lived all my life before that. I arrived with a fairly strong IT background, because I had been programming fanatically since I was about 13 (to give you an idea of the scale of that fanaticism: I wrote two games and a graphics editor for the UKNC directly in octal machine code, using only the processor's debugger).

In my group there was a guy just as fanatically devoted to electronics, an absolute master of the soldering iron, Cyril. Somehow it came about of its own accord that the point where our efforts combined was reverse engineering the payment system of St. Petersburg's payphones. Well, you understand: parents far away, you need to call home, there is no money, but there is free time and two foolish heads.

At that time the payphones in St. Petersburg were run (as they still are, though for obvious reasons not very successfully) by the company SPT, St. Petersburg Payphones. Fairly modern devices by the standards of the day were installed across the city. I couldn't find the model number offhand; they looked like this (the picture is not of the best quality either):

[image: St. Petersburg payphone]

These payphones accepted ISO 7816-2 chip cards with a face value of 25 to 1000 units (one unit being a minute of a local call or a few seconds of long distance). Having collected all the information about card types and protocols that was available at the time on FIDO and the scant Internet, we set to work. Fairly soon we had built a reader that connected to the computer's LPT port, and a program that read out the contents of the cards. The card is a small memory: one part holds the remaining units and can be modified (only downward), the other part holds service information: manufacturer, serial number, and something else.

Having accumulated enough knowledge about the exchange protocol between payphone and card, and having put together a small collection of card dumps, we set about the maximum program: building a card emulator that would behave like a regular card but whose unit area could be written with any value. A PIC16F84A microcontroller was chosen as the emulator's brain; its program was written in C in the Borland C 3.0 environment. I handled the software side, that is, the program for the microcontroller and the utilities for the computer, while Cyril was the master of the microcontroller and the monster of the soldering iron.

The process of building and debugging the first version of the emulator was hell. Hardware-wise, the first version was very ugly: a card with its native brains milled out, from which a wiring harness stuck out, with a board carrying the controller hanging on the harness. Naturally, a square battery was screwed onto the blue board as well. Moreover, for lack of complete information we did a lot of things at random (the protocol timings had to be found by trial and error), so just imagine the process of testing the next firmware build: "right, we changed the 10 to 12 here, now let's walk a couple of kilometres in the frost to the nearest payphone, wait until there are no curious citizens around, plug the device into the payphone, see the message 'Error 8' for the hundredth time, swear quietly and go back." Now imagine our joy when, on the hundredth attempt, the emulator partly worked and the payphone showed the long-awaited "25 units". This stage took us about six months.

After this, another six months were spent improving the hardware; two intermediate versions of the emulator and countless firmware builds were made. The final version of the hardware seemed to me then the very height of engineering: the wizard Cyril managed to get rid of the external power supply (for this I also had to radically optimize the firmware, because the previous versions did not have time to start up, as power was applied too shortly before the data exchange began), and also switched from DIP packages to SOIC. As a result, the emulator looked exactly like a regular card; no beard of wires stuck out of the payphone. The microcontroller package was hidden in a small thickening, covered with epoxy, at the spot where the payphone's card reader had a recess for the fingers. Unfortunately, there was nothing to photograph it with back then, so this masterpiece of electronics is lost to posterity.

Each time the emulator was powered on, it behaved like a pristine card of the face value programmed into it at firmware time. Here, for the first time, we ran into the technical security measures built into the payphone software. The measures were, it must be said, very weak. The card dump stitched into the emulator stopped working a couple of days after it was first used. During those couple of days I managed to reset the card several times (needless to say, from the moment we had the first fully working version of the emulator, I used it all the time to call home). I don't know the exact implementation details, but it looked as though the centre analysed traffic and put the card number on a blacklist, which was then pushed to all payphones and stored there locally. Moreover, the delay of two or three days hinted that this was done manually.

The second protection measure was that the non-rewritable part of the card's memory held a certain code generated from the serial number and the original face value of the card (and possibly something else). The algorithm for generating this code remained a mystery to us. This code prevented us from reaching full perfection and generating fresh dumps on the fly right in the microcontroller; we had to flash dumps taken from real, used cards. At the time we hoped that by collecting enough card memory dumps we could work out the hashing algorithm. But, as I already wrote, those hopes did not come true.

In our search for donors we happened to meet the "Collector" (the cards came in very different designs, and new series were constantly issued to coincide with holidays and events, so there were even people who collected used cards). We simply saw a guy at a tram stop with a stack of cards in his hands, got talking, and invited him over to visit with the reader. That is how we got about a hundred fresh card dumps. This was the beginning of the end of the story, because the "Collector" turned out to be connected with the security service of the payphone company. He introduced us to a certain citizen who was supposedly ready to buy the miracle device for a hundred dollars, which was a fair amount of money in those crisis years. We forgot all about secrecy and, flattered by easy money, met with the buyer,

So, we were caught; the catch of the century was shown on St. Petersburg TV, and the Internet still holds a couple of news items about us. There was a trial, and we got two years in prison, which turned out to be enough to turn me permanently into a purely positive IT specialist, which I recommend to everyone.
