30Apr 2012

Hacking a laundry machine in one day (SLE4442)

First of all, I have to say that I'm usually not the security auditing kind of guy.
However, when a friend asks you to have a look at his laundry machine.... well I can get curious :-)

Hacked card

Before starting this article, I first have to say that I won't publish all the information required to perform this manipulation, due to the obvious legal aspects of it.
However, I will explain in details the security of this particular laundry machine, without showing any picture that would help you know which one it is:

Laundry machine
Let's start. First step, understand what we are up against. How? Well, the laundry machine is in a quiet place, with practically nobody passing by... so let's open it.
Surprisingly (seems the manufacturer is not worried by people meddling with their products), only 2 screws are in your way to see what is inside the machine:

Inside the machine
In the machine, we see two main PCBs. One full of relays and power electronics and another one with only two connectors (shown above).
It seems obvious that the latter is in charge of the machine security: the top connector allows communication with the main board to launch the washing programs, the other one is where you connect your card socket:

Card reader
Luckily, the card socket has its part number visible, allowing us to find its pinout. Then it's time to use the multimeter for some checks.
That's how we discovered that only 8 of the 10 wires of the ribbon cables are actually used. 2 of them are connected to a switch detecting the card presence, the rest are connected to the C1-C3 C5-C7 smartcard pads:

smartcard pinout
Anyway, what is a smartcard? Well, there are several types of smartcards, all following the iso7816 standard.
However, not all smartcards follow all the 'subcategories' of this standard. Concretely, that means that one smartcard could only follow the iso7816-1 specs, which only defines the physical layout of the card.
For more details, I invite you to have a look at this document.

Back to the security PCB. Looking up the part numbers, we discover that the main microcontroller is based on a 8051 architecture. Therefore it is a fair assumption to assume that there won't be any cryptography involved.
So how to get more information about the card itself? One obvious choice, due to the quiet environment where the machine is, was to sniff the traffic.
One of my friends actually had a smartcard sniffing tool laying around:

However, this didn't work, as the C6 pad line was not connected between the card and socket contacts.
This was actually quite curious since the 2006 revision of the iso7816 standard removed the use of Vpp.
This did leave us with no other choice but to directly sniff the signals on the connector:

With a standard 2.54mm 8 pins header & socket, we managed to create a 'port extension':

Adapter in place
From there on, sniffing the traffic was very easy. Using a logic analyzer and the 'card detected' signal to trigger the acquisition, we got this when the machine was reading the card amount:

Logic analyzer
We can see that the machine will set Vcc and Vpp to 5 volts a little while after the card is inserted.
Let's have a look at the activity on the reset/clk/io lines:

Logic analyzer
This looked a lot like the I²C protocol...
Therefore, the 'maximum' standard the card can follow is the ISO7816-3. That means you may get the Answer To Reset (ATR) (description here).
Manually reading the ATR, we find the sequence 0xA2 0x13 0x10 0x91.
A quick search on google shows us that the chip in the smart card is likely to be the SLE4442 from Siemens. Another quick search allows us to find its datasheet....

Please note that this chip is supposed to be very used around the world. You'll find many web pages talking about it.
What we needed to do next was to create a parser that could interpret what was going on between the reader and the card, our logic analyzer program being able to export csv files.
1 hour of coding later, we could see what was going on when the machine reads the amount left on the card:

Sniff read
Random reads at some places... strange.
Let's run a machine and compare the two reads before and after having subtracted some money:

The 2 bytes data on the emplacements 0x2E 0x32 0x36 0x44 0x48 0x4A seems to be the amount left on the card.
Thinking a little bit, we find that 0x230 = 560 = 280 x 2 cents. However, for the 2.10chf amount case, I don't understand why the first byte is not equal to 1... weird.
Now that we've identified the memory emplacements, one could wonder how to change the values...

I'm not going to explain all the different attacks you could perform, but the very famous Strom Calson in his 2006 Defcon talk explains it all.
You'll have understood by now that this kind of hack is not new. So I will focus on doing it with new tools.
Anyway, on the SLE4442, you need to present a code to be able to change the contents of the memory:

Verification procedure
So logically, if the machine is changing the amount stored in your card, you should see it at some point:

pin sniffing
And bam, the card security is broken.

To perform a proof of concept, one could follow the very well written hackaday guide.

As I had a bus pirate at home, we followed the instructions.
Pinout (from smartcard to bus pirate pin):
5 volts -> 5 volts power supply
reset -> AUX
clock -> SCL
dataio -> SDA
Vpp -> 5 volts power supply
Ground -> Ground

From HaD:
The sle4442 has open collector outputs, and depends on pull-up resistors to hold the bus high. Instead of switching the data pin between ground and 5volts, it switches between ground and high-impedance states. High-impedance means that the chip exerts no state on the line, it lets it float, like a microcontroller input pin.
Each of the signal lines need to be pulled-up to 5volts with a 2K-10K resistor, the value isn’t particularly important. Without the pull-up resistor, we’ll never see anything but 0 (ground) on the bus because the sle4442 doesn’t exert a voltage of it’s own. A benefit of this technique is that the Bus Pirate, which only switches at 3.3volts, will talk to the sle4442 at a full 5volts, in compliance with the 3.5volt minimum voltage for a high level (datasheet, page 27, table 3.2.3:Vih).

Then we just send a couple of commands to the bus pirate in order to get the ATR and be able to communicate with the SLE4442:

1. HiZ
2. 1-WIRE
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
x. exit(without change)

Set speed:

1 ~5KHz
2 ~50KHz
3 ~100KHz
4 ~400KHz

Select output type:

1) Open drain (H=Hi-Z, L=GND)
2) Normal (H=3.3V, L=GND)


LSB set: LEAST sig bit first

Power supplies ON

READ: 0xA2
READ: 0x13
READ: 0x10
READ: 0x91

And from there it is quite simple to change the values stored in the card (PSC not written here) ;) :
{0x38 0x2e 0x2f}\ r:32 {0x38 0x32 0x2f}\ r:32 {0x38 0x36 0x2f}\ r:32 {0x38 0x44 0x2f}\ r:32 {0x38 0x48 0x2f}\ r:32 {0x38 0x4a 0x2f}\ r:32


1. On Monday, April 30 2012, 20:50 by Hacker Harry

nicely done :-)

2. On Monday, April 30 2012, 22:12 by Filipe YaBa Polido

Hi there,
You may also find this interesting:
or this:

3. On Monday, April 30 2012, 22:17 by limpkin

@Filipe YaBa Polido : Thanks! I actually know the guy of your second link ;)

4. On Monday, April 30 2012, 23:41 by Mikey Sklar

Nice analysis. I used to bypass the advanced payment system my school made up. It was based on reading the magnetic strip on our student ID cards. Beating that system was trivial. Crack open the wiring box where all the washers and dryers come into and short two wires and the machine would kick on. I used a bolt cutter and wire strippers to open up the box and get into each machine then a strait razor to get a 5V trigger which would start the machine. A little on the brute force side, but I suspect this is a universal for most laundry systems.

5. On Thursday, May 9 2013, 18:29 by Major Variola

Just FYI, you can perform TEA encryption on an 8051.

This post's comments feed

Add a comment

Comments can be formatted using a simple wiki syntax.

They posted on the same topic

Trackback URL : http://www.limpkin.fr/index.php?trackback/131