Read Any Magnetic Strip Card With a Square Reader and an Android Device

by sshipman0 in Circuits > Software

218870 Views, 106 Favorites, 0 Comments

Read Any Magnetic Strip Card With a Square Reader and an Android Device

pile_of_cards.jpg
The Square credit card reading device is basically just a magnetic read head, resistor, and microphone connection.  By implementing an algorithm to decode the standardized audio encoding, it's possible to read arbitrary magnetic cards, not just credit cards.  Skip to the end to find a link to my completed app.

Understand the Format

AnnotatedWaveform.png
The encoding for magnetic stripe data follows a common standard.  The magnetic stripe consists of 3 physically separated "tracks". Track 1 is closest to the bottom of the card, and track 3 is the highest. Square's reader is positioned to read track 2. Track 2 is the most commonly used track, but most credit cards also use track 1. Track 2 includes card numbers and expiration dates. Track 1 includes that plus names. There may be other data too, depending on the particular card. These tracks are specced to be .11 inches wide, so to read track 1 with Square's reader, we just need to reposition the stripe so that track 1 is lined up with the read head.

Data in each track is encoded via magnetic domain flipping. Long story short: The series of domain flips encodes a waveform, that waveform is interpreted as binary. A binary 0 in this encoding is some arbitrary frequency. A 1 is twice that frequency.

The data starts with a set of leading zeros to establish the base frequency.  After a variable number of zeros, the start sentinel appears.  For track 2, the start sentinel is ";".  Each character is encoded as a integer with the least significant bits first.  For track 2, each character consists of 4 data bits and 1 parity bit.  The parity bit is set for each character so that the number of 1s is odd.  If you add 48  (the ASCII encoding for "0") to the integer value for each character, you get the ASCII character to display.  Other than the digits "0" through "9", track 2 can also encode some other characters, including ";" (start sentinel), "=" (field separator), and "?" (end sentinel). ":", "<", and ">" are not used much in practice.

Make a Shim to Read Track 1

shim.jpg
twistyshim.jpg
Track 1 of a magnetic card is .11inches closer to the edge of the card than track 2.  Since the Square reader is set up to read track 2, if we stick something in the reader to raise the card by .11 inches, the read head will be aligned with track 1 rather than track 2.

You can create a shim by cutting a .11 inch strip from another card.  I have also found that the twist ties from cheap garbage bags are just about right too.

Record Some Audio

As far as your Android phone is concerned, the Square reader is just a microphone.  So to get data from a card, we need to record audio.  Refer to other Android documentation (such as this tutorial: http://eurodev.blogspot.com/2009/09/raw-audio-manipulation-in-android.html) for detailed instructions, or use RhombusLib (see links at the end).

Here's some java code to start recording audio in an Android app:

AudioRecord audioRecord = new AudioRecord(MediaRecorder.AudioSource.MIC,
       frequency, channelConfiguration,
       audioEncoding, bufferSize);
  audioRecord.startRecording();

While recording, we need to continually read data from the recorder and place it into a buffer.

// Create a DataOutputStream to write the audio data
     ByteArrayOutputStream os = new ByteArrayOutputStream();
     BufferedOutputStream bos = new BufferedOutputStream(os);
     DataOutputStream dos = new DataOutputStream(bos);
 
     short bufferVal;
     short[] buffer = new short[bufferSize];

     while(recording){
       bufferReadResult = audioRecord.read(buffer, 0, bufferSize);
       for (int i = 0; i < bufferReadResult; i++){
        bufferVal = buffer[i];
        dos.writeShort(buffer[i]);
       }
     }
     dos.close();
     byte[] audioBytes = os.toByteArray();


The above code is extracted and simplified from RhombusLib.  After recording, you'll have an array of bytes representing the samples from the microphone, ready to be analyzed.

Downloads

Decode the Audio

So, now we've got a bunch of audio on our device. How do we decode it? I based my code on an Android tutorial which shows how to record data and then play it back. In my case, I made sure to save that audio as 16bit PCM encoded. I sampled at 44100hz. On Android (and elsewhere, I suppose) 16bit PCM data means that each sample is a signed 16bit value. Since we only care about the frequency, we only need to care about how much time there is between "zero-crossings". A zero-crossing is when the signal goes from postive to negative or vice-versa. A 0 bit will be represented by the space between 2 crossings, and a 1 will have an extra crossing in approximately the same time period.
Card data in each track starts off with some (variable) number of 0s, to establish the base frequency. What I did was listen for the first sample above a certain "quiet" threshold, then count the number of samples between zero-crossings. That number becomes the base value for a 0. Since these cards are hand-swiped, the actual frequencies will change somewhat from the start of the scan to the end. So, I made a simple method which determines if the number of samples since the last zero-crossing is closer to the base frequency or twice the base frequency (half the base number of samples). It then adjusts the expected base frequency accordingly. This works well, so long as the changes between any two logical bits are fairly small. And they almost certainly will be.

To detect a zero-crossing, we need to look at the sign of each sample and compare it to the sign of the previous sample.  If they differ (one positive, one negative) then the signal crossed 0 between those samples.

The basic algorithm is to iterate through the byte array, extracting samples.  Count the number of samples between zero-crossings, and compare the count to the expected count for a 0 or 1.

Okay, after some hand-waving, we now have a binary sequence of data, which we want to turn back into ASCII. The most common encoding (and the only one I wrote a handler for) encodes each character as some number of bits, plus one parity bit. In the case of track 2, that's 4 bits for the character, and 1 for parity, making 5 bit groups. The bits are read from least significant to most, with the parity bit last. The parity bit is set to make the number of 1s in the group odd. In my implementation, I just disregard the parity bit, but it would help determine whether the read was good or not. In track 1, it's 6 bits for the character, plus the parity.
The character set of the tracks differ too, but both are subsets of ASCII with some offset. In the case of track 2, which only encodes some symbols and digits, the character set starts at 48, which is the ASCII code for "0". So if we get 0,0,0,0,1 as our character, we turn that into 0, add 48, and get 48. Similarly, 1,0,0,0,0 is 1. 1+48 = 49 = ASCII "1".
For track 1, the character set starts with " " (space) which is ASCII 32. So we add 32 to the decoded numeric value and get our ASCII character. After that, we have the data, so all that remains is hooking up the UI glue.

Wrapping It Up, Some Resources

Here are some resources that you might find useful.
My original blog post about this project: http://cosmodro.me/blog/2011/mar/25/rhombus-square-iskewedi/

A Phrack article explaining magnetic stripe encoding: http://stripesnoop.sourceforge.net/devel/phrack37.txt  

My open-source RhombusLib library: https://github.com/sshipman/RhombusLib 

The already-implemented Rhombus app which puts it all together: https://play.google.com/store/apps/details?id=me.cosmodro.app.rhombus  

Unfortunately, the new Square readers which include encryption do not provide the raw data necessary to decode in this manner.  It should be possible to construct your own reader using a magnetic read head, resistor, and TRRS headphone jack.  But that's another project.
Some Android phones have noisier audio recording hardware than others.  RhombusLib does not work on all devices right now, though I am working on improving the error correction.