Magnetic card emulator

This project started out of curiosity and a bit of mischief, but developed into a useful device.  Let’s start with what a magnetic swipe card is used for.  In the United States we use magstripe cards for student IDs, credit cards, drivers’ licences, pretty much anything that requires us to quickly and easily authenticate ourselves.  I understand that the rest of the world has moved on to RFID, QR codes on phone screens, NFC, and all other sorts of authentication methods, but this is the United States, and we’re big.  I don’t get how that means we’re perpetually behind the technology curve, but ok.  I have heard arguments that “of course our internet is crappy and expensive compared to the Netherlands and South Korea, we had it first, it takes a lot of money to upgrade these systems”.  Shouldn’t profit scale linearly with population?  Actually, if you count start-up cost, a larger population should amortize the start-up cost to be lower per capita, so the ISPs and banks in this country make even more per person than in smaller countries.  I guess having one or two major companies doesn’t really breed steep competition (hi Google, keep it up!).  This card standard has been around a while; it uses three distinct stripes that can hold data in well-defined ways, as seen in the ISO standards mentioned here.

These cards communicate by having oppositely magnetized areas in the stripe that induce a current in an electromagnet when they change polarity.  One way to simulate one of these cards is to simply create a chunk of magnetized card that has the same transitions, but the easier and more software-definable way is to use an electromagnet to simulate these transitions.  Now, the reader having 3 distinct electromagnets makes it hard to simulate a multi-track card, as you have to feed a different magnetic field to each electromagnet.  This would make simulating a drivers’ licence difficult because they use multiple tracks to store data.  Now, if you only need to simulate one track then you can do what I did, which is to create a big honking electromagnet and spam all electromagnets simultaneously.  This method is only useful for the least secure and cheapest of all magstripe cards.  Guess which ones my school uses?

The seed idea for this came from people recording and playing back these signals from an iPod.  This method looked cool, but I really wanted to be able to define the card ID on the fly.  This brought me to the Arduino card emulator, but that code was a bit off from what I needed it to do.  After a friend re-worked the code we have this.  The place with all the zeroes is where you put the card number as read by your friendly track 2 PS/2 keyboard pass-through card reader.  Oh, you don’t have one?  Check out this SourceForge project.  This emulator only uses an H-bridge, an Arduino, a coil of wire (I unwound a transformer for some), and a sheet of metal.  The metal I chose is a small pile of sheets from the transformer glued/taped together.  I used that metal because I knew it wouldn’t hold a magnetic field and would transmit the field change fairly well.

I suppose this is a fairly short post, mainly because it’s a fairly straightforward project.  The Arduino Pro Mini used in this version has a power LED; it dims as the H-bridge draws current from the batteries and browns them out.  This unintended feature is a nice way to see it actually “swiping” the card.

The non-malicious use of this device: my school gives us ID cards that deteriorate at a surprising rate and charges ~$10-$30 for a replacement.  Since they only use track 2, I use this.

UPDATE: I have been asked for specifics.  I used a 5V Arduino Pro Mini and fed the ~6v directly into the VCC pin of the Pro Mini.  Taking a look at the schematic on SparkFun you can see that the RAW pin is the input for raw voltage to be regulated down to your VCC voltage.  I’m running a bit higher than the Arduino is spec’d for, but with some old alkaline batteries you usually don’t get over 5.5v (which is the top end of the spec for the 328).  I assume you can use the 3.3v one, although I haven’t tested the code to make sure the timings still work right.  If you are in doubt you should check the integrity of your emulated card by making sure it shows up properly in the same PS/2 pass-through reader you used to get the number in the first place.  I have no specifics on the coil size, but I think I used about a meter or two of wire (I could be wrong).  If you really want to be specific you can measure the resistance of the coil and the supply voltage and use V=IR to check your current draw and decide whether or not it’s too much for your batteries.
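The read-back check described above comes down to what a track 2 reader validates when it decodes a swipe.  The following is an added example, not code from this project: it assumes the ISO/IEC 7811 track 2 encoding (5-bit characters, 4 data bits LSB first plus odd parity, ';' and '?' sentinels, then an LRC), and the bit string and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: ";1234=?" + LRC, padded with clocking zeros. */
static const char SAMPLE[] =
    "0000" "11010" "10000" "01000" "11001" "00100" "10110" "11111" "10110" "000";

/* Read one 5-bit character (4 data bits LSB first + odd parity bit).
 * Returns the 4-bit value, or -1 on a parity error or short input. */
static int read_char(const char *bits, size_t n, size_t pos)
{
    int v = 0, ones = 0;
    if (pos + 5 > n) return -1;
    for (int b = 0; b < 5; b++) {
        int bit = bits[pos + b] == '1';
        ones += bit;
        if (b < 4) v |= bit << b;
    }
    return (ones & 1) ? v : -1;
}

/* Decode a '0'/'1' string into ASCII (sentinels kept, LRC dropped).
 * Returns 0 on success; -1 no start sentinel, -2 parity error or
 * short read, -3 output buffer full, -4 LRC mismatch. */
int track2_decode(const char *bits, char *out, size_t outlen)
{
    size_t n = strlen(bits), pos = 0, o = 0;
    int v, lrc = 0;
    while (pos < n && bits[pos] == '0') pos++;      /* skip clocking zeros */
    if (read_char(bits, n, pos) != 0xB) return -1;  /* must begin with ';' */
    for (;; pos += 5) {
        if ((v = read_char(bits, n, pos)) < 0) return -2;
        if (o + 1 >= outlen) return -3;
        out[o++] = (char)('0' + v);                 /* 0x0..0xF -> '0'..'?' */
        lrc ^= v;                                   /* running XOR of all chars */
        if (v == 0xF) break;                        /* end sentinel '?' */
    }
    out[o] = '\0';
    if ((v = read_char(bits, n, pos + 5)) < 0) return -2;
    return v == lrc ? 0 : -4;                       /* LRC follows the '?' */
}

int main(void)
{
    char buf[41];
    int rc = track2_decode(SAMPLE, buf, sizeof buf);
    printf("rc=%d data=%s\n", rc, rc == 0 ? buf : "(rejected)");
    return 0;
}
```

Parity and the LRC only catch read errors; any well-formed track passes them, which is why an ID that relies on track 2 alone has no protection against copying.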

BOM (bill of materials):

Arduino Pro Mini (5v 16mhz knockoff from eBay)

momentary button

L293D (or SN754410)

magnet wire (salvaged from a transformer)

sheet(s) of metal (salvaged from a transformer)

wire

electrical tape

hot glue

Schematic:

I would refer you to the datasheet of the H-bridge for further information, but if you still don’t understand after reading that I can probably help.


11 Responses to “Magnetic card emulator”

  1. Rayani Says:

    Hi, nice work.
    So can you post a schematic or layout showing how you connect the H-bridge (which one), button and wires to the Arduino please…
    And what version of Arduino Pro Mini do you use, 3.3v or 5v? Can it work with a 3.3v?
    Many thanks for your reply.

    • abzman2000 Says:

      I’ll throw up a BOM and a quick drawn schematic because I’m a bit busy right now to break out eagle. I used a 5v version, but I think a 3.3v one would work. That would just mean you’re operating the H-bridge at 3.3v, so you might have to pick a different one than I did.

  2. Stack Says:

    Hello, can you list the components you use and explain how you hook them up to the Arduino Pro Mini please.
    Is the Pro Mini 3v or 5v?
    Thank you.

    • abzman2000 Says:

      I’ll throw up a BOM and a quick drawn schematic because I’m a bit busy right now to break out eagle. I used a 5v version, but I think a 3.3v one would work.

  3. grande Says:

    If you do not use an H-bridge, can you put the pins from the coil directly to the Arduino and use the existing ino file without modification?

    • abzman2000 Says:

      I believe so, I haven’t tried that but I think a friend did that and it worked fine. (If you use higher voltage on the h-bridge you can actually make it strong enough to not need to swipe some readers, just hold it nearby)

      • grande Says:

        Thanks for the fast response.
        Do you think a 5v1a usb powerbank or a 9v battery is a better option for power? The powerbank is around 2kmah and 9v 400-600mah, but for the short bursts used for this project I think the 9v is a good option. What's your take? Also wondering about using an audio booster inline with the coil like they do on the iPod version. Any idea what gauge magnet wire you used? I'm thinking of going with 30 to 36awg.

      • abzman2000 Says:

        That seems a bit thin, I think I used 26-28. The higher voltage will give you more power (more likely to work), if the 5v works I’d use that since rechargeable is nice. The booster is basically an h-bridge, it amplifies the signal so it is more likely to work. I should also mention, powering the arduino without an h-bridge gets no benefit from a 9v because the board steps it down to 5v and the arduino signals are 5v.

  4. grande Says:

    Ok, I see you're using powerdip 12+2+2; at first I was confused (thinking motor driver). I just skimmed over the pics before. I'm on a cellular. So it seems to be the same audio amp idea I had. I will find a calculator for wiring awg. Would it be better to put the momentary button somewhere else? How long does it take the Arduino to boot and run that code? And is it safe for its flash memory? Now change the sketch and try rfid spoofing. I think it's the same principle hardware when emulating.

    • abzman2000 Says:

      The boot time is about 1 second, and it just loops continuously, you could throw in some loops to step through different patterns of IDs or lists if you wanted to brute force a lock. You aren’t writing to the flash/eeprom so it doesn’t burn out and the magnetic field really won’t hurt it either. RFID is sorta the same, but different in execution. It is triggered by the reader and data is sent by changing the inductive load on the transmitter (like shorting the terminals on the secondary of a shitty air-gap transformer and looking at the current draw by the primary and signaling that way).

  5. Wiegand keypad | Evan's Techie-Blog Says:

    […] natively, or they do inside between some controller chips.  In order to keep up with the changing security concerns facilities went to rfid cards, but due to rampant and perpetual cheapness they kept the same […]
