$ ./ccJack.py -h
Usage: ccJack.py [options]

Options:
  -h, --help            show this help message and exit
  -i DEVICE, --interface=DEVICE
                        Serial port to use
  -b, --bus-pirate      Use this switch to tell the serial port is a bus pirate
  -a ADDRESS, --address=ADDRESS
                        Address of the device sending the address change request
  -s SOURCE, --source=SOURCE
                        Source address of the device to hijack
  -d DESTINATION
Published on 14 October 2013
As we've seen in the previous articles, we are able to talk with a coin acceptor and monitor a live ccTalk bus, but now we'll explore some attacks that can be made on that bus.
While it is possible to directly inject data on a ccTalk bus, it is much more difficult to spoof a device by replying before it does. As the bus uses only one physical wire to send and receive, we need to find a way to stop the device from responding to requests.
The MDCES commands are used on a ccTalk bus to change a device address in case of conflict. Normally, it is up to the controller to send these commands, but in practice any device on the bus can send such a request, and the target device will happily change its address to the new one.
To change its address, a device needs to receive a request with header 251 - Address change, which carries the new device address in the data field. The device takes the new address and sends an ACK packet with its new address as the source.
Such a packet is easily created using the ccTalk library. For instance, here is an address change packet, which tells the device at address 2 to use address 0x42:
Since there is only one wire for the bus, injecting a ccTalk packet must be done carefully, as it can jam an ongoing communication. However, it is quite simple to do. Since normally only the controller sends requests and devices respond a short time after, there is usually enough time to inject a packet between two request/response pairs. For instance, the ccTalk documentation states that a coin acceptor needs to be polled at least every 200 ms. This leaves enough time to send a 6-byte packet on the wire.
Once the device has changed its address, it will obviously stop responding to requests made to its old address. We are now able to receive those requests and start responding instead of the original device.
Here is a diagram of the attack:
To simplify the use of this attack, I created a simple tool called ccJack, which automates the hijacking process. It takes several options, such as the victim device address, the address the device should be moved to, and a few other useful settings. Once the device has been moved to a different address, ccJack starts responding to requests made to the original device address. It is then possible to change what ccJack responds to a specific header and therefore fully emulate any ccTalk device.
Here are the command line options of ccJack:
Because several commands rely on special events and are not predictable, ccJack starts by sniffing the ccTalk bus and collecting every request/response pair during a defined period of time (by default, 5 seconds), from which it builds a table of device responses. Once the device has been hijacked, ccJack uses this table to send the responses back to the sender.
If the table does not contain a response for a request, ccJack by default sends an ACK packet. This way, the emulation remains fairly convincing even when ccJack does not know the right answer.
While ccJack is emulating a device, it is possible to use the CLI interface to view and modify the responses. It is then possible to change the response values and, for instance, increment the event counter in a reply to a header 229 - Read buffered credit or error codes request. In that case, if the last event was a successful coin recognition, incrementing the counter will result in a new credit being processed by the controller.
Here is a demo of that in action. I used the Teensy controller that communicates with a coin acceptor. Each time a coin is inserted, new credits are added in the game (on the right). I inserted a 2 CHF coin in order to get the first two credits, then I incremented the counter using ccJack to inject some money into the game:
Note that normally a controller must only process the last five events defined in the response, even if the counter got incremented by 10, for instance. However, most controllers I was able to play with do not respect this behavior and are more than happy to process the last event ten times in this example. I kept the same behavior in the Teensy firmware, which is why, when the counter is incremented up to 0xFF, the credit store in the game keeps getting incremented.
Coin acceptors can be reconfigured in several ways using ccTalk. Some of these commands do nothing more than test the internal workings of the acceptor, but others can be really interesting for an attacker.
After hijacking the coin acceptor, it is possible to reprogram it and put it back on its original address with the new configuration, allowing some nice hacks.
We saw that the coin acceptor sends the validation channel value back to the controller, and it is up to the controller to associate this value with the actual coin value and credit the game. The thing is that some coin acceptors can be reprogrammed using ccTalk.
By sending a request with header 202 - Teach mode control, it is possible to reprogram a specific validation channel with a new coin. The teach mode control request takes one data byte containing the validation channel to be changed. After sending this command, header 201 - Request teach status can be issued to find out whether the teach operation has been completed.
Since the validation channel does not change, the controller will still credit the game with the previous coin value. This allows, for instance, a 0.10 CHF coin to be reprogrammed so that it is read as a 2 CHF coin.
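A bus-side check for both the address change hijack described above and the teach mode reprogramming, as an added example that is not part of the original article or the ccJack tool: it parses raw ccTalk frames, flags header 251 (Address change) and header 202 (Teach mode control) requests whatever source they claim, and flags a reply from an address the controller never polled, which is what the ACK from the moved device looks like. The frame layout and header numbers are standard ccTalk; the controller address 1 and the capture bytes are constructed assumptions.

```python
# Added example (not the article's or ccJack's code): parse raw ccTalk frames and flag
# the requests the hijack and reprogramming rely on. Frame layout is the standard one,
# [dest][data length][src][header][data...][checksum], all bytes summing to 0 mod 256.
CONTROLLER_ADDR = 1                                   # assumption: default ccTalk host address
ADDRESS_CHANGE, TEACH_MODE, REPLY = 251, 202, 0       # standard header numbers (0 = ACK/reply)

def build_frame(dest, src, header, data=b""):
    """Build one ccTalk frame with a valid checksum."""
    body = bytes([dest, len(data), src, header]) + bytes(data)
    return body + bytes([(-sum(body)) % 256])

def parse_frames(stream):
    """Split a raw byte capture into frames, resynchronising byte by byte on a bad checksum."""
    frames, i = [], 0
    while i + 5 <= len(stream):
        end = i + 5 + stream[i + 1]                   # 4 header bytes + data + checksum
        if end > len(stream) or sum(stream[i:end]) % 256:
            i += 1                                    # not a frame boundary, slide one byte
            continue
        f = stream[i:end]
        frames.append({"dest": f[0], "src": f[2], "header": f[3], "data": bytes(f[4:-1])})
        i = end
    return frames

def find_suspicious(frames, controller=CONTROLLER_ADDR):
    """Flag address change / teach mode requests, and replies from an address the controller
    never polled (the ACK sent from the new address after a hijack). The source byte is
    attacker-controlled, so the two headers are flagged whatever source they claim."""
    polled, alerts = set(), []
    for f in frames:
        first = f["data"][0] if f["data"] else None
        if f["header"] == ADDRESS_CHANGE:
            alerts.append(f"address change: device {f['dest']} told to move to {first} (claimed source {f['src']})")
        elif f["header"] == TEACH_MODE:
            alerts.append(f"teach mode: device {f['dest']} channel {first} (claimed source {f['src']})")
        elif f["src"] == controller:
            polled.add(f["dest"])                     # ordinary poll from the controller
        if f["src"] != controller and f["src"] not in polled:
            alerts.append(f"reply from unpolled address {f['src']} to {f['dest']}")
    return alerts

# Constructed capture (not a real bus trace): a normal poll, the hijack, then a teach request.
SAMPLE_CAPTURE = b"".join([
    build_frame(2, 1, 229),                           # controller: read buffered credit (header 229)
    build_frame(1, 2, REPLY, bytes(11)),              # acceptor: event counter 0, five empty events
    build_frame(2, 1, ADDRESS_CHANGE, b"\x42"),       # rogue request claiming to be the controller
    build_frame(1, 0x42, REPLY),                      # acceptor ACKs from its new address
    build_frame(2, 1, TEACH_MODE, b"\x03"),           # teach mode on validation channel 3
])
```

Running find_suspicious(parse_frames(SAMPLE_CAPTURE)) returns three alerts: the address change, the reply from the unpolled address 0x42, and the teach mode request.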