3

I imagine we've all seen those parking systems where, to enter the parking lot, you need to get, from a dispenser, a card which has a magstripe on the back, and then, when you leave, you feed it into another box which calculates what you owe. Some systems also support passes, where, in lieu of inserting money at the exit kiosk, you feed it your pass (which looks just like the other magstriped cards) and you get your pass back and are allowed to exit.

Out of boredom and hacker curiosity, I'm wondering what the format of the data on the magstripes is. They're not as wide as credit-card stripes. Because these cards are proprietary, they don't have to conform to any standard, so I'd be starting from square one.

Assuming that I have access to an oscilloscope and could obtain a magstripe reader:

  • How would I even figure out how many tracks the stripe has? I imagine that I can keep swiping the card, offsetting the stripe from the read-head a little differently each time, looking for "twin" signals when the read-head is straddling two tracks. But what would those twin signals look like on a scope?
  • Are there any common encoding techniques used on magstripes (kind of akin to the way clock bits are/were kinda folded into the data on floppy disks with MFM)? Or is it standard to have a dedicated clock track? Or would there not need to be a clock track since the kiosk is in total control of how fast the stripe is swiped over the read-head?
  • Any tips on how to construct an adjustable reader? All of the readers I've seen for sale seem designed for credit-card form factors. Are there generic read-heads I could find somewhere?
Jemenake
  • No clue if this is even possible or a stupid idea, but what about iron filings? If you sprinkle them on a mag-strip, will they show you where the tracks are? – dext0rb Mar 18 '14 at 19:55
  • Good idea -- something tells me the magnetic field may be too low though. I have heard of a metro system being exploited whereby all-day paper farecards were purchased and the tracks were split multiple times, effectively generating multiple all-day farecards for the price of one. – HL-SDK Mar 18 '14 at 19:56
  • [Here](https://www.sparkfun.com/products/11096) is a fairly inexpensive card reader I have used. Instead of disassembling it to get to the heads, if the tracks don't line up, and you have enough of your cards, you could cut a bit off the top of the card with a paper cutter, and continue until a track matches up with a head. Then continue till you have read all the tracks. – tcrosley Mar 18 '14 at 20:16

3 Answers

6

Many years ago in college I was curious to see if I could hack the meal cards we were issued. These were plastic like credit cards with a mag stripe. You swiped them thru a reader instead of paying cash in the cafeteria.

After finding the right formula, it turned out to be surprisingly easy to see the magnetic bits and figure out the encoding. To see the bits, I filed off a bit of the ferrite rod antenna of an old dead radio. The filings clumped at the magnetic transitions. This was made easier by suspending the filings in a soap solution. The liquid allowed the filings to move around more freely, and the soap kept the liquid from balling up into individual drops.

This was over 30 years ago, but even at the time I was surprised by the low data density. It turned out the whole card only held something like 36 bits. If I remember right, it had two tracks, one clock and one data. Each group of 4 bits represented a decimal number, and the last number was used as a checksum. Yes, it really was that primitive.

36 bits spread out over maybe 2 inches were actually quite easy to see with the naked eye. We could decode someone's card in a minute or so. However, attempts to make our own cards failed. The ferrite filings only show you magnetic transitions, but not polarity. I had a two-track tape head that I rigged up to get reasonable voltage changes as I manually moved it across a stripe, but with only an analog scope and nothing like a microcontroller to capture the information, I couldn't really see enough details of the signal to duplicate the magnetic pattern properly. Nowadays with digital oscilloscopes, microcontrollers, and logic analyzers, that would be much easier to do. And yes, I had to walk to class barefoot in the snow uphill both ways too.

Olin Lathrop
  • 1
    Of course now you can get card writers too. Check out the signal analysis software about [a third of the way down this page](http://www.makstripe.com/magneticstripecardreaderwriter.php3). Betcha wished you had that 30 years ago (of course you probably wouldn't have been able to afford it.) – tcrosley Mar 18 '14 at 23:03
0

First thing you can try is applying iron filings to the card to find out how many tracks, where they are, and if the filings are small enough you can see the encoded positions.

[Image: magnetic stripe with iron filings sticking to two tracks, with enough resolution to show spaces and marks on tracks]

Starting with this alone you might be able to get enough information to decode the tracks.

Since there's no clock track, clock is typically encoded in the signal, and often magnetic cards use differential manchester encoding. It would be strange if your card didn't, but that's certainly possible. If it has a clock track, it will be very obvious due to its regularity.

Beyond that, you can expect that information printed on the card will match information encoded on the track. Parking garage tickets, for instance, will have the parking garage ID, date, time, entrance ID, and a few other pieces of information. Collecting several of these cards may be necessary to figure out what information is where, and how it's encoded. Tracks don't typically hold a lot of information, so it may be a very dense encoding, even if it's not encrypted.

Adam Davis
  • 1
    You can get sprays specifically designed for this, e.g. [Q View](http://www.q-card.com/products/magnetic-developers.asp). They are called "mag stripe developers". From experience the results are good enough to read off binary values accurately. – David Mar 18 '14 at 21:13
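
As an added illustration of the self-clocking point in the answer above (not code from any poster): a decoder that recovers bits from the time intervals between flux transitions, as measured on a scope capture, and tracks the cell length so a changing swipe speed does not break it. It assumes the F2F (biphase-mark) form of differential Manchester, where every bit cell starts with a transition and a 1 has an extra mid-cell transition, and it assumes the track opens with a few zero bits; `encode_f2f` only builds constructed test data.

```python
"""Decode a self-clocked (F2F / biphase-mark) track from transition timings."""

def encode_f2f(bits, period=100.0, drift=1.0):
    """Constructed test data: intervals between transitions for `bits`.
    `drift` rescales the cell length each bit to mimic changing swipe speed."""
    intervals = []
    for b in bits:
        if b:
            intervals += [period / 2, period / 2]  # extra mid-cell transition
        else:
            intervals.append(period)               # boundary transitions only
        period *= drift
    return intervals

def decode_f2f(intervals, preamble=4):
    """Return the decoded bit list.
    Assumption: the first `preamble` intervals are zero bits (full cells);
    they are used to estimate the initial cell length."""
    if len(intervals) < preamble:
        raise ValueError("capture shorter than preamble")
    cell = sum(intervals[:preamble]) / preamble
    bits = [0] * preamble
    i = preamble
    while i < len(intervals):
        d = intervals[i]
        if d > 0.75 * cell:
            # One long interval spans a whole cell: a 0.
            bits.append(0)
            cell = 0.5 * cell + 0.5 * d            # follow the swipe speed
            i += 1
        else:
            # A short interval is half a cell and must be followed by another.
            if i + 1 >= len(intervals) or intervals[i + 1] > 0.75 * cell:
                raise ValueError(f"unpaired half-cell at interval {i}")
            bits.append(1)
            cell = 0.5 * cell + 0.5 * (d + intervals[i + 1])
            i += 2
    return bits

if __name__ == "__main__":
    sample = [0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0]   # constructed bit pattern
    print(decode_f2f(encode_f2f(sample, drift=1.03)))
```

A track with a dedicated clock line, like the two-track card in the first answer, would not need this: the data line is simply sampled at each clock transition.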
0

Another trick besides putting ferrite or steel particles on the strip is to cover them later with a clear scotch tape, press the tape a bit, and then remove it from the card and stick it to a sheet of white paper - all the information becomes way more visible. No soap needed. If the particles are small (light) enough you can just pour them on the strip and then shake the card to the sides to let them set up. Then you can set the card vertically to let the excess of the powder fall off. Then proceed with the scotch tape procedure that I mentioned. With this procedure, you can even make an "archive" of the states of data and see what changes when you use the card.

Mat