Vendors Still Allow You to Hack Their Vending Machine

wh00hw
10 min read · Oct 1, 2022

So if your company doesn’t include coffee in your contract, well, I’ll show you how to get it for free using a ’90s trick.

Addiction

Another day, another dozen coffees, another hacking journey.

I was chilling in the relax area of the company I work for, but that was not a common coffee break. At some point my eyes stared at the coffee vending machine in a different way. I used to buy coffee by scanning the QR code with the vendor app to pay by credit card, but the vending machine also accepts coins and a proprietary pen that you can charge with money. I asked myself: “Why is that pen still in use?”. In fact, I saw a lot of employees using it; probably the boomers are uncomfy with the app?

Anyway, that pen didn’t feel so secure to me, and that’s where the journey started.

The “Bible” and those legendary guys

I was sure someone else had already hacked that thing. In a few steps, hopping from forum to forum, I came across some real cyberpunk stuff.

It’s the year 2001, the web is a bunch of GIFs and various unknown forums. Some crazy anonymous electronics students release a document on how they reverse-engineered the coffee pen; they called it the “Bible”.

The article was written in a proto-Medium style, with a lot of funny comments between the sentences.

The pen

The first part of the article explains how the pen is built and how to open it. In fact, the PCB sits inside a hard resin block, and a solvent is needed to melt it.
So I asked my girlfriend for nail polish remover and told her I cared about my hand care.

After a lot of careful manual work to avoid destroying the circuit, the PCB was clean. It seemed to be just an EEPROM with an LC circuit.

Memories

Great! I got the EEPROM pinout exposed; the article specifies the model: Microchip 24c02. The EEPROM has 256 bytes of memory, and with just 4 wires I can read and write it via I2C.

But I needed a microcontroller programmer to communicate with it. I searched my old high-school box full of electronics stuff I had soldered, and I found the Pickit2 that I used to program the PIC16F1827 when I was young.

Connections

The EEPROM has a simple pinout: pins 1, 2, 3, 4 and 7 are connected to ground (pin 7 is the write-protect pin, and grounding it enables write mode). Pin 6 is the clock (SCL), pin 8 is VCC (from 3.3 V to 4.5 V), and pin 5 is the data (SDA). The Pickit2 needs one 10 kΩ pull-up resistor between VCC and SDA. I didn’t have one, so I used a carefully calibrated trimmer.

I admit, it had been a long time since I last soldered anything…

Gimme those bytes

Ok, everything was ready. I launched the Pickit2 software, selected the EEPROM device, pushed the read button praying to God I hadn’t burned anything aaaand…

Here comes the dump, doo-doo-doo-doo.

Insert coin

Well, I got the dump, but what was the meaning of those bytes? Fortunately, those legendary guys did great work. The second part of the article tells how they figured out where the credit is stored: inserting coins one by one and seeing which bytes changed.

The credit is 4 bytes long, starting at 0x44, and here it is 0.04 €

Why?

80C041C0

For each byte, take the lowest hexadecimal nibble:

0 0 1 0

Convert them to binary, zero-padded to four bits:

n₃ = 0000
n₂ = 0000
n₁ = 0001
n₀ = 0000

Split each nibble into its 2 high bits and 2 low bits:

h₃= 00, l₃= 00
h₂ = 00, l₂= 00
h₁ = 00, l₁ = 01
h₀ = 00, l₀ = 00

These are the base-4 coefficients of the powers of two:

0*2¹⁴ + 0*2¹² + 0*2¹⁰ + 0*2⁸ + 0*2⁶ + 0*2⁴ + 1*2² + 0*2⁰ = 4 = 0.04 €

Feel confused? No worries, I was too, that’s why I wrote some lines of python code to better understand the algorithm.

So the maximum credit value available must be:
3*2¹⁴ + 3*2¹² + 3*2¹⁰ + 3*2⁸ + 3*2⁶ + 3*2⁴ + 3*2²+ 3*2⁰ = 65535 = 655.35 €

Going back to the bit notation:

h₃= 11, l₃= 11
h₂ = 11, l₂= 11
h₁ = 11, l₁ = 11
h₀ = 11, l₀ = 11

That leads to our lowest nibbles in base 16:
F F F F

Cool! So can I just replace those nibbles (giving 8F CF 4F CF) in order to have 655.35 € instead of 0.04 €?

Nope.

The “Check”sum

Another little step is required. Take a look at the credit bytes again:
80 C0 41 C0
What about the highest nibbles we haven’t considered yet?
8 C 4 C
They seem to be a sort of checksum, and they discovered it depends only on the value of the credit.

The formula is:

Ehm, I’m not able to describe it in math notation, sorry, here’s the code

The Backup

For some reason, the 4 bytes starting at 0x54 are the backup. Probably, in case of a fault, the vending machine can restore the correct credit. Fortunately it differs in just one nibble: the backup is calculated by decrementing the second checksum nibble by 4.

So if the credit is
80 C0 41 C0
the backup is
80 80 41 C0

C - 4 = 8

Easy.
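The decoding walked through above and the backup rule just described, as an added Python example that is not the author’s Coffee Editor: it decodes the credit field of a dump and cross-checks the backup copy against it. It assumes the coefficient-to-exponent mapping implied by the worked example (the four high 2-bit digits form the upper byte and the four low 2-bit digits the lower byte, which is what makes 80 C0 41 C0 decode to 4 cents); the sample dump is constructed, and the checksum nibbles are only reported, since the page gives no formula for them.

```python
# Added example, not the author's Coffee Editor: decode the credit field
# of a coffee-pen EEPROM dump and cross-check its backup copy.

CREDIT_OFFSET = 0x44  # 4 credit bytes, per the "Bible"
BACKUP_OFFSET = 0x54  # 4 backup bytes, one nibble different

def decode_credit(credit: bytes) -> int:
    """Credit in euro cents from the 4 credit bytes.
    Only the low nibble of each byte carries value; it splits into a high
    2-bit digit (h) and a low 2-bit digit (l). Assumption inferred from the
    worked example: h3 h2 h1 h0 form the upper byte and l3 l2 l1 l0 the lower
    byte of a 16-bit value, so 80 C0 41 C0 -> 4 and 8F CF 4F CF -> 65535."""
    if len(credit) != 4:
        raise ValueError("credit field is exactly 4 bytes")
    high_digits = 0  # base-4 number h3 h2 h1 h0
    low_digits = 0   # base-4 number l3 l2 l1 l0
    for b in credit:  # most significant byte first
        nibble = b & 0x0F
        high_digits = high_digits * 4 + (nibble >> 2)
        low_digits = low_digits * 4 + (nibble & 0x03)
    return high_digits * 256 + low_digits

def checksum_nibbles(credit: bytes) -> list:
    """High nibbles: the page says they depend only on the credit but gives
    no formula, so they are only reported, not verified."""
    return [b >> 4 for b in credit]

def expected_backup(credit: bytes) -> bytes:
    """Backup = credit with the second checksum nibble decremented by 4
    (the page shows C -> 8; wrapping below 4 is an assumption)."""
    out = bytearray(credit)
    out[1] = ((((out[1] >> 4) - 4) & 0x0F) << 4) | (out[1] & 0x0F)
    return bytes(out)

def inspect_dump(dump: bytes) -> dict:
    """Decode a 256-byte 24c02 dump and check the backup against the credit."""
    if len(dump) != 256:
        raise ValueError("a 24c02 dump is 256 bytes")
    credit = dump[CREDIT_OFFSET:CREDIT_OFFSET + 4]
    backup = dump[BACKUP_OFFSET:BACKUP_OFFSET + 4]
    return {
        "credit_cents": decode_credit(credit),
        "checksum_nibbles": checksum_nibbles(credit),
        "backup_consistent": backup == expected_backup(credit),
    }

# Constructed dump: blank EEPROM plus the page's 0.04 EUR credit and backup.
SAMPLE_DUMP = bytearray(b"\xFF" * 256)
SAMPLE_DUMP[CREDIT_OFFSET:CREDIT_OFFSET + 4] = bytes.fromhex("80C041C0")
SAMPLE_DUMP[BACKUP_OFFSET:BACKUP_OFFSET + 4] = bytes.fromhex("808041C0")
```

A dump whose backup does not match its credit field shows up as `backup_consistent: False`, which is the kind of inconsistency a tampered or half-written pen would leave behind.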

The Coffee Editor

Yeah, I was bored, so I built a graphical editor from the previous snippets.
By the way, tkinter is cool.

Write and test, what could go wrong?

Here we go: I edited the dump by adding 10 €, wrote it successfully to the EEPROM with the Pickit2, and stood in front of the vending machine.

I plugged in the pen, but the red LED above the port started blinking…
The pen was not recognized correctly.

During the following days I tried to figure out why. I read all the forum threads talking about that pen and I found the answer. Some bytes, probably starting at address 0x20, represent the vendor code. Each vending machine can only read its own pens; mine was not recognized because I got it from another company.

I also discovered an interesting feature. In fact, the first time a virgin pen is plugged into a vending machine, it’s initialized with its vendor code!

Like a virgin

So I needed a virgin pen. The first attempt was writing 0xFF to the whole EEPROM.
But it failed: same red LED blinking.

So what about finding a virgin dump? I would have had to buy a virgin pen somewhere, melt it, read it, and eventually I would have obtained what I was looking for.

But at some point, a saviour I randomly met in a Telegram group dropped me the precious virgin dump.

I wrote the virgin dump to the EEPROM and plugged the pen into the vending machine. This time the LED blinked red for just 2 seconds, and then a fixed GREEN light!

It seemed the pen was correctly bound to the vending machine, so I inserted a 10-cent coin, and the pen was successfully charged!

I dumped the EEPROM again and noticed that a lot of bytes had changed, confirming that the vending machine had initialized the pen correctly with its vendor code and my 10 cents!

Through the decades and beyond

Ok, nothing interesting so far, but I was ready to edit the credit thanks to the Coffee Editor.

So I turned my 10 cents into 10 €, wrote the dump to the EEPROM, and plugged the pen into the vending machine…

OH MY GOD, really? It’s (still) working!

Yeah, the credit was actually 9.47 €, because I had stolen 53 cents of coffee just to test it; then I manually repaid the vending machine.

Let me tell you, I didn’t discover anything, and this isn’t a vulnerability; instead, it’s a bad design that has persisted since the late ’90s.

Why do they still allow that?

My pet is a dolphin

My dolphin needs care, attention and must be fed (really, it needs to hack things, otherwise it becomes sad). That’s why I made a FAP (Flipper Application Package).

If you haven’t heard about the Flipper Zero yet, I suggest you read my previous article below, where I hacked a restaurant thanks to it.

The Flipper Zero is built around the famous STM32 microcontroller, and you can control any I2C device (like that EEPROM) through its GPIO.

The idea was to write a FAP that reads the credit and sets it to 10 €.

First, I connected the EEPROM to the Flipper:

SDA -> Pin 15
SCL -> Pin 16
VCC (3.3V) -> Pin 9
GND -> Pin 18

Then I added two 4.7 kΩ pull-up resistors, one from SDA to VCC and one from SCL to VCC (again, I used two trimmers…).

I’m definitely not a C++ expert, but fortunately the Flipper firmware has the I2C API built in.

#include "furi_hal_i2c.h"

I just needed a function that reads the credit bytes

and a function that writes the credit

Thanks to the repo I linked below, I used the Hello World FAP example as a simple tutorial on how to draw things on the Flipper screen.

And this is the result: press Left to turn the pen virgin, press Right to set 10 €, and press OK to dump the EEPROM to the terminal when you are connected via USB serial.

Conclusions

Well, it was really fun. Thank you for your attention!

Disclaimer

All the information and actions in this article are described for educational purposes only. All of it can easily be found in other forums. I am not responsible for any illegal use of this information. Editing the credit is like stealing.
