
Introduction

A project log for Reverse engineering the Rotor

The Rotor, an Italian public payphone introduced at the end of the '80s, was never defeated by phreakers; trying to change that

PhaseSeeker 09/29/2021 at 16:55

Reading through old Italian phreaking e-zines and websites (see https://www.autistici.org/hacking_e-zines/ for an archive and the s0ftproject website http://bfi.s0ftpj.org for their e-zine, BFi, which was even mentioned on Phrack), I was always fascinated by the Rotor, mainly because it put a stop to all known tricks to get free calls and at the same time introduced a whole load of new features to prevent new attacks (bi-directional data link to the phone exchange, electronic coin discriminator, magnetic strip-based prepaid phone cards).

Brief history of Italian public phones

From the '60s up until the end of the '80s, the public payphone in use pretty much everywhere was the Urmet U+I ("Urbane+Interurbane", Italian for "Local+Long distance"); this was a simple electromechanical payphone whose operation was based on a solenoid and a series of microswitches. While there were some tricks put in place to prevent tampering (like subtle modifications to the lines they worked on to prevent people from simply hooking their own lineman's set to them), over the years a number of hacks, both electrical and mechanical, were discovered. While I can't say for certain which of them worked and which were fake, it's pretty clear that the phones were far from unhackable.

In the '80s, some of the old U+I were replaced with an improved model, the Urmet G+M ("Gettone+Moneta", "Token+Coin"), which as far as I know still worked in a very similar way, at least in regard to the way it interfaced with the phone line. The main differences were three coin/token slots instead of one (allowing the usage of coins alongside the usual tokens, as the name implied), a series of buttons to allow the user to input the number to dial (it still used pulse dialing, though, as all phones up to the Digito did) and a display to show the remaining credit; I suspect they had to add some kind of MCU to keep track of the different coin values anyway so they threw in the display just as a bonus.

By the end of the decade, however, it was pretty clear that these phones were pretty much obsolete. They had limited functionality, known flaws, and the fact that they stored quite a lot of coins meant that they were a popular target for thieves. To mitigate those issues, SIP (the Italian phone company at the time) commissioned a new payphone from IPM; the initial plan was to create three new models, one for use with coins and tokens, one for use with the new phone cards (more on that later) and one for use with credit cards, but then they changed their mind (probably because they realized it meant building close to 3x the number of phones), and all the features were merged in a single new phone, the Rotor.

The Rotor

The phone itself is quite a feat of engineering. Weighing in at 32 kg (approx. 71 pounds) of cast iron and fitted with an Abloy disc detainer core, it was quite resistant to brute force attacks. The mechanical coin acceptor was improved from the previous phones, with features such as an S-shaped tube at the beginning of the coin path (to prevent people from poking at the internals), a shutter with a blade (to prevent the old "coin on a string" trick), an electronic coin discriminator able to measure size, weight and metallic composition (the last one probably using inductive sensing) and a 20-pocket rotor (giving the phone its name) used to store coins until the end of the call.

On the electronics side, aside from a microcontroller which runs the entire device, it was equipped with a modem/transceiver enabling bi-directional data transfer between the payphone and the exchange using the HDLC protocol; this was used both for signalling purposes (it enabled the phones to alert the phone company of things like faults/tamper attempts/coin safe full) and to check the validity of phone cards and credit cards. It also offered some sort of remote configuration option.

(all the info here is either from the e-zines mentioned before or the Spaghetti Phreakers Cookbook, which can be found at https://archive.org/stream/SpaghettiPhreakersCookbook/Spaghetti%20phreakers%20cookbook_djvu.txt)

Variants

There seem to be three different variants of the phone (spoiler: there's actually a fourth one I discovered only after looking at the PCBs; more on that in the next project logs).

All models have data communication capabilities (on the two wire models this is achieved using out-of-band "overvoice" signalling) and can be equipped with a card reader.

The "public phone type" line

As mentioned before, all payphones since the '60s worked on special lines. While there's pretty much no information on the four wire lines, the older style two-wire public phone line is pretty well documented since it remained unchanged even when the Rotor was introduced (again, to allow the Rotor I to be a drop-in replacement). This might not be all that useful, but since the only information I found on this was in Italian, I figured I'd summarize it here anyway.

This type of line doesn't differ much from a standard home phone line, apart from some extra signals that are added in order to make the payphones work (I suspect this was at this point a simple software configuration change on the phone exchange side). This was especially convenient because it allowed the owners of bars and shops to request the installation of a payphone and all the phone company had to do was to attach the phone to the wall and just plug it into the existing phone line (they could even be equipped with a ringer and used to answer phone calls!), without the need for additional cabling.

There are two main differences from a standard home line:

Because of this, a payphone can actually be made to work on a standard home line if you manage to get your hands on one; it just won't collect any coins you put in, because it will never see any polarity reversal on a standard line. The only catch is that, even with the Rotor, they are only capable of pulse dialing, so they will not play nice with VoIP lines (fun fact: the phone itself consumes a maximum current of 30 mA, so it can actually be used with a VoIP modem).

Magnetic phone cards

This is one of the parts I found most interesting; to mitigate token/coin theft, SIP introduced the new magnetic strip-based, single-use, prepaid phone cards alongside the Rotor (a card reader for the G+M was actually made, but I've seen very few pictures of it and I suspect it was more of a prototype for the whole system than anything else).

The cards looked like this:

Note that these don't follow the ISO 7810 standard for credit cards, both because of their shape (the corner gets cut off by the phone after the first use) and of their thickness (they're thinner because they need to be flexible).

Many phreakers over the years tried to decode the information stored on these with a bunch of different methods (magnetic field viewer strips, readers built with cassette tape heads, even a kids' toy hacked to output the resulting audio signal to a PC), but as far as I know it wasn't until 2007, with the Magneto project (http://www.radio.eptousa.altervista.org/progetti/magneto/ or BFi-dev-04 on the s0ftpj site) that somebody actually managed to get usable data off the card. Reading the cards, however, was only the beginning: nobody has been able to figure out what most of the data stored on the cards actually means; I hope the insides of the phone will be able to shed some light on the mystery.

The things we know about the cards are:

A more detailed description of the cards' data band structure is available on the Magneto project website (also in Italian), but again, it's more about how they got the data off the card than what it means (apart from the section containing the remaining credit, which is well understood but also useless).

What's next?

These phones have become kind of a collectors' item, so their prices are pretty outrageous (and the fact that they weigh 71 lbs certainly doesn't make shipping cheap). Luckily for us, these so-called collectors also like to actually USE their phones and, as I mentioned before, only the Rotor I can be used on a standard line; the Rotor 2 will refuse to work on a normal line (putting out error codes like "no communication with the exchange"), so a "mod" was developed to make them usable again. The thing is, the mod basically consists of stripping all but the keypad and headset from the phone, so there's a lot of old Rotor 2 PCBs which are basically useless. So, I was able to get a bunch of these for really cheap (like 25-30€ for a bunch of them) to play with them. I've already dumped the ROMs and traced parts of the schematic, so expect updates in the following days.

Edit 18/10/2021: corrected some of the information about the G+M. It seems like it is a little smarter than I thought and that it is indeed equipped with some kind of microcontroller. I've never seen the inside of one of those, but I strongly suspect they put an MCU in just to handle the fact that coins could pay for more than a single "scatto" and not much more than that (I seriously doubt they had electronic coin validation or data communication).

Also, I managed to find other pictures of the blue "prototype" card reader; I still think they were more of a prototype than anything else (there are some references online to some kind of "pilot phone booth" in Rome that was equipped with one of these). I cannot post pictures here because the only photos I found are from an eBay auction.
