To use the washing machines in my apartment complex you need to pay using a rechargeable contact card. I was curious to find out how it works.
It turns out it's an I²C EEPROM in a card. By recording the communication between the card and the machine I figured out where and how the credit value is stored.
Now I can read and write the value on cards using a Raspberry Pi or simple micro-controller, but also program my own cards to work with the machines.
How is the I²C EEPROM used:
- the I²C EEPROM uses address 0xA0/0x70
- the values are stored over 2 bytes in little endian (the first byte the the least significant)
- static (unchanged) values are stored at 0xB2-0xB3, 0x1E-0x1F, 0x94-0x95. they seem to encode the type of card
- other static (unchanged) values are stored at 0x14-0x17, 0x26-0x28, 0x06-0x0D
- a reader counter is stored at 0x1C. It is incremented every time the card is read. 0 is encoded as 0x39C7
- the value of the card is stored at 0x28. 0 is encoded as 0x51AF. 0x2A-0x32 are copies of this value with the first byte decremented by 4 each time, and the second byte incremented by 4 (probably for error checking)
The sources for the ID-1 proxy are available here. I will no provide the source for the Raspberry Pi nor the Arduino, since it would easily be used for fraud. The purpose was just to find out how it works, and in case the support for the machine or cards ended.