Magstripe reverse engineering using the Bus Pirate

I recently got a hold of a magstripe reader someone threw out, the problem was that I couldn’t find any info on the unit, opening it up I found a serial number that was in the range of other readers but no specifics.

The PCB was labeled which was useful but not really necessary as we’ll see later, from bits of info I got from other readers I had a rough idea what the labeled lines were:

CLS – Card Present
RDP – Data Line
RCP – Clock Line
5V – Voltage Supply
GND – Ground

I hooked all the lines up to the Bus Pirate to try and figure out the protocol, remember to ground the unused pins to prevent crosstalk from picking up fake signals. The logic analyzer software doesn’t turn on the power supply so I had to do this manually before starting the analyzer software. I set up a trigger on all lines and swiped a card through, was kinda surprised when it actually worked.

All the lines were high and pulled low when needed, the first was pulled low when the card was swiped and remained low until a set time after it was done, confirming with the PCB label this was the CLS or card present line.

The remaining two lines were obviously clock and data but which was which? looking at the dump one of the lines had many more transitions than the other so it had to be the clock line, the dump showed that the two lines always rose together so the data had to be read on the falling edge of the clock line.

None of the Bus Pirate modes including the raw modes seem to have a way to read a bit only when a line goes low so I haven’t read a card yet, I can’t simply do it on periodic intervals since the card can be swiped through the reader at any speed, too lazy to do some uC code so I’ll do it later.


Ian from Dangerous Prototypes helped me get this working with the Bus pirate SPI sniffer. I hooked up GND and VCC, the CS pin to the card present pin on the reader to only sniff when a card is swiped, the clock line to the RCP pin, RDP to MOSI and set it up as follows:

1. HiZ
2. 1-WIRE
4. I2C
5. SPI
10. LCD
(1) >5
Mode selected
Set speed:
1. 30KHz
2. 125KHz
3. 250KHz
4. 1MHz
(1) >4
Clock polarity:
1. Idle low *default
2. Idle high
(1) >2
Output clock edge:
1. Idle to active
2. Active to idle *default
(2) >2
Input sample phase:
1. Middle *default
2. End
(1) >2
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)
(1) >1
Sniff when:
1. CS low
2. CS high
3. All traffic
(1) >1
SPI bus sniffer, any key exists

I’ll go through the trouble of decoding the data later 🙂


Parsing the data and putting it through Stripe Snoop gives me:


Not sure what most of the data means but I know it’s correct since the start and end sentinels are in place and it includes parts of my student ID (It’s a Student card)


I wrote some code to automate everything and did some follow up tests using it.


~ by s3c on 2010/02/19.

2 Responses to “Magstripe reverse engineering using the Bus Pirate”

  1. Could you share that piece of code to automate the reading/conversion? Thanks

  2. No problem, posted it on the Dangerousprototypes forum:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: