This guide explains how a modern vending machine can be hacked with a cellphone. Older vending machines could often be tricked by putting them into a debug or service mode and entering a code; that does not work on their modern counterparts.
You do not need a cellphone for an older machine; the technique below only works on the modern ones, which are widely deployed today. Older machines worked offline, typically with coins. Modern machines are paid with NFC keys or cards, and in this case with a companion app on the phone.
Since modern problems require modern solutions, your cellphone comes into play. It needs NFC support for the hack to work.
Note that this guide is purely educational. Even Matteo Pisani, who found this hack, used it only to expose the weakness, not to collect free sodas without paying.
How to hack a vending machine with a cellphone
Matteo came across a vending machine at school. It eventually occurred to him that he could get free soda if he went black hat.
Below is how Matteo hacked a vending machine with a cellphone:
1. Get an Android phone
Like Matteo, you need an old Android phone, ideally one running an older version such as Jelly Bean or KitKat.
The next step is to root the phone. Several rooting tools exist, including Kingoroot. Keep in mind that rooting can permanently damage a device, so do not use your primary phone for this vending machine hack.
Enable USB debugging. You have to turn on the developer options first before USB debugging can be switched on.
Google's developer documentation at https://developer.android.com/studio/debug/dev-options has the steps to enable USB debugging.
2. Install the target app
Next, install the target app, the one the vending machine is paid with. On an Android device it should be available on the Google Play Store.
Now dump the original .apk to your computer via adb:
# adb pull /data/app/com.sitael.vending-1/base.apk ./Argenta.apk
Now, decompile the .apk with apktool:
# apktool d ./Argenta.apk -o ./Argenta
3. Extract Java sources
Extract Java sources with jadx
# jadx ./Argenta.apk
Now make the .apk debuggable. Do this by editing AndroidManifest.xml and adding the
android:debuggable="true" attribute to the <application> tag.
4. Rebuild the .apk
The next step is to rebuild the .apk. By default apktool writes the result to Argenta/dist/, so name the output explicitly so the later steps sign the rebuilt package rather than the original one:
# apktool b ./Argenta -o ./Argenta-rebuilt.apk
Create a new key using keytool:
# keytool -genkey -v -keystore Argenta.keystore -alias Argenta -keyalg RSA -keysize 2048 -validity 10000
5. Sign the .apk
Use jarsigner with the generated key to sign the rebuilt .apk:
# jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore Argenta.keystore Argenta-rebuilt.apk Argenta
6. Make the .apk runnable
You now have to align the signed .apk so it installs cleanly. With jarsigner the signing must come first and zipalign second, because aligning rewrites the archive (with apksigner the order is reversed):
# zipalign -v 4 Argenta-rebuilt.apk Argenta-signed.apk
7. Install and run the .apk
Install the final .apk:
# adb install ./Argenta-signed.apk
Run the modified application on your cellphone and watch its logs with logcat, filtered to the app's process (the --pid option exists from Android 7 onward; on older devices grep the full logcat output for the package name instead):
# adb logcat --pid=`adb shell pidof -s com.sitael.vending`
You can then comb through the sources for anything useful. If you look at the AndroidManifest.xml file closely, you will find references to RushOrm.
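Step 3 above, adding android:debuggable="true" to the manifest, is the one part of the repackaging procedure that is described only in prose. The following is an added example, not code from the post or from the Argenta app, that makes that edit on an apktool-decoded manifest with Python's standard library. The sample manifest inside it is constructed; only the package name comes from the post.

```python
# Added example (not from the original post or the Argenta app):
# patch a decoded AndroidManifest.xml so the rebuilt .apk is debuggable.
# Assumes apktool has already decoded the app (e.g. into ./Argenta), so the
# manifest is plain XML rather than the binary form inside the .apk.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS  # Clark notation for android:debuggable

# Keep the "android:" prefix on output instead of ElementTree's default "ns0:".
ET.register_namespace("android", ANDROID_NS)

# Constructed stand-in for a decoded manifest; only the package name is real.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sitael.vending">
    <application android:label="Argenta" android:allowBackup="false">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def make_debuggable(manifest_xml: str) -> str:
    """Return the manifest with android:debuggable="true" set on <application>.

    Idempotent: running it on an already-patched manifest changes nothing.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("no <application> element in manifest")
    app.set(DEBUGGABLE, "true")
    # ET.tostring drops the XML declaration, so put it back for apktool.
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def is_debuggable(manifest_xml: str) -> bool:
    """True if <application> carries android:debuggable="true"."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(DEBUGGABLE) == "true"


def patch_manifest_file(path: str) -> None:
    """In-place edit of a decoded manifest, e.g. ./Argenta/AndroidManifest.xml."""
    with open(path, encoding="utf-8") as f:
        xml_text = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(make_debuggable(xml_text))


if __name__ == "__main__":
    print(make_debuggable(SAMPLE_MANIFEST))
```

Run patch_manifest_file("./Argenta/AndroidManifest.xml") between the apktool d and apktool b steps; the rest of the procedure is unchanged.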
8. Find and open the database
Now open a root file explorer on the phone you are using to hack the vending machine and locate the application's database.
When you find it, copy it to your computer with adb:
# adb pull /data/data/com.sitael.vending/databases/argenta.db ./
Try opening it with DB Browser for SQLite. If it is encrypted (which may well be the case), go back to reverse engineering.
Return to the sources and look at RushAndroidConfig.java. There you should find the methods the developer used to configure the database.
In Matteo's case, his attention was caught by this line: this.encryptionKey = getDeviceId(context);
He followed its definition and discovered that the app uses the phone's IMEI (the number shown when dialing *#06#) as the encryption key for the SQLite database. Anyone holding the phone knows that value, so the encryption protects nothing against the device's own user.
9. Push the database with inflated credit back to the phone
After inspecting the database for a while, Matteo opened the UserWallets table, edited the walletCredit field and wrote the changes.
The next step is to push the modified database back to the phone (note that this is adb push, not pull):
# adb push ./argenta.db /data/data/com.sitael.vending/databases/argenta.db
You can then write a small Android utility, as Matteo did, to dump, restore and tamper with the application's database quickly.
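The weakness behind steps 8 and 9 is that the balance lives in a database on the phone, and the key that encrypts it (the IMEI) is available on that same phone, so nothing stops its owner from rewriting walletCredit. The following added example, which is not code from the post or from the Argenta app, models that with Python's built-in sqlite3 (unencrypted, since the SQLCipher key is in the attacker's hands anyway) and then shows one way an operator could detect the edit: a server-held HMAC seal over the wallet row. The table schema, the counter and seal columns and the SERVER_KEY value are assumptions for the example; only the names UserWallets and walletCredit come from the post.

```python
# Added example (not from the original post or the Argenta app).
# Models the post's attack (rewrite walletCredit in the phone-side database)
# and one countermeasure (an HMAC seal computed with a key the phone never has).
# Schema, counter/seal columns and SERVER_KEY are assumptions for the demo.
import hashlib
import hmac
import sqlite3

# Hypothetical secret known only to the operator's server; it is never shipped
# in the .apk, so it cannot be recovered by decompiling the app.
SERVER_KEY = b"operator-side-secret-not-in-the-apk"


def open_wallet_db():
    """Constructed in-memory stand-in for argenta.db with one zero-credit wallet."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UserWallets ("
        "id INTEGER PRIMARY KEY, walletCredit REAL, counter INTEGER, seal BLOB)"
    )
    conn.execute("INSERT INTO UserWallets VALUES (1, 0.0, 0, NULL)")
    conn.commit()
    return conn


def get_credit(conn, wallet_id=1):
    row = conn.execute(
        "SELECT walletCredit FROM UserWallets WHERE id=?", (wallet_id,)
    ).fetchone()
    return row[0]


def tamper_credit(conn, new_credit, wallet_id=1):
    """The edit Matteo made in DB Browser for SQLite, expressed as SQL."""
    conn.execute(
        "UPDATE UserWallets SET walletCredit=? WHERE id=?", (new_credit, wallet_id)
    )
    conn.commit()


# --- one possible countermeasure (an assumption, not the vendor's design) ---
def _seal(wallet_id, credit, counter):
    """HMAC-SHA256 over the fields that must not change without the server."""
    msg = f"{wallet_id}|{credit:.2f}|{counter}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def server_top_up(conn, amount, wallet_id=1):
    """Server-side credit change: new balance, bumped counter, fresh seal."""
    credit, counter = conn.execute(
        "SELECT walletCredit, counter FROM UserWallets WHERE id=?", (wallet_id,)
    ).fetchone()
    credit += amount
    counter += 1
    conn.execute(
        "UPDATE UserWallets SET walletCredit=?, counter=?, seal=? WHERE id=?",
        (credit, counter, _seal(wallet_id, credit, counter), wallet_id),
    )
    conn.commit()
    return credit


def wallet_is_valid(conn, wallet_id=1):
    """Check the machine (or server) would run before dispensing: does the seal
    match the row? A row edited on the phone, or never sealed, fails."""
    credit, counter, seal = conn.execute(
        "SELECT walletCredit, counter, seal FROM UserWallets WHERE id=?", (wallet_id,)
    ).fetchone()
    if seal is None:
        return False
    return hmac.compare_digest(seal, _seal(wallet_id, credit, counter))


if __name__ == "__main__":
    db = open_wallet_db()
    tamper_credit(db, 50.0)
    print("credit after tamper:", get_credit(db), "valid:", wallet_is_valid(db))
    db = open_wallet_db()
    server_top_up(db, 5.0)
    print("sealed credit:", get_credit(db), "valid:", wallet_is_valid(db))
    tamper_credit(db, 500.0)
    print("after tamper:", get_credit(db), "valid:", wallet_is_valid(db))
```

The seal makes an edited balance detectable, but it does not stop a rollback: an attacker can restore a previously sealed row after spending. The counter is there so a server can refuse a value it has already seen; the simpler architecture is to keep the balance on the operator's side and let the app hold only a token.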
Below is a video of Matteo testing out the hack when he returned to his university:
Starting from a zero-credit account, the demonstration shows that you can:
- Buy soda.
- Increase the credit of the app.
- Return to zero credit.
- Update the remaining credit.
- Increase the credit again.
After a macro inspection of all the reversed sources, Matteo found a huge portion of clean, unobfuscated code. This means the app ships without strong countermeasures: nothing slows down reverse engineering, and nothing protects the stored credit from being edited on a rooted phone.
If you also manage to hack a vending machine with a cellphone, report the vulnerability to the company. Credit that is stored and trusted on the phone cannot be made safe by the app alone; the operator may have to replace the current architecture with a more secure one, for example by keeping the balance on its own server.