Wednesday 30 September 2015

Reverse Engineering an EFTPOS Machine, Part 1

My first blog entry will be about an EFTPOS keypad terminal that I found while dumpster diving (in a sense). I don't wish to name the brand as it's not relevant. I do wish to employ as many reverse engineering techniques as I can muster, to discover as much as I can and learn as we go, so I will try to break it down piece by piece and come back to recompile it all more comprehensively when I can. Please be tolerant of my poor English (grammar); school never really agreed with me, but here we go.

The terminal features an RJ-45 connection for both power and data, a 128 x 64 GLCD and, for card reading, a magnetic stripe reader and a chip reader. It has a 3 V backup battery as well, a 1-9 keypad and a few accessory buttons. Now, as you could assume, any embedded hardware that is going to be in the hands of a third party (the shopkeeper, you and I) will have to employ various techniques to ensure that its operations are safeguarded against malicious intent, mainly concerning the inner workings of that machine (cryptographic keys and private data). This device features many tamper mechanisms that will render the data, and maybe the machine, useless.
Its main housing is held together with locking pins, so it was heated around the areas of the pins and pried open. The tamper resistance here is that, unless you get it perfect, you will always distort or deform the edges of the casing when opening it.
Once it's open there's a fair bit on display, as you can see in the photos. It has a breakout of 6 pins for a communication method that I have not yet worked on; for now it's a visual inspection and a fully destructive breakdown, before I break a few more open for signal and info/leak tests. It also has a lovely live RF shield attached over the cryptographic MCU (see sheet attached).

Under this shield are two pressure-release switches. I assume these are connected to the MCU's tamper inputs that wipe the memory, and that the wipe can also be triggered, we will assume, by removing the battery without putting 3 V on the jumper adjacent to the battery, and by any other tamper evidence the device can determine/detect. The MCU data sheet is covered by a disclosure agreement, so no luck as to a pin-out. That's OK: I have drawn up a colour chart with some of the main IC components, I have to date scratched down to the bond wires and photographed as many layers as I can, and I have started to determine the connections between components. This work is tedious but very interesting, and as far as learning about electronics goes it has forced me to really think outside the box.
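To make the assumed tamper behaviour concrete, here is an added example (not code from the terminal, its MCU vendor or the original post) that models the two tamper signals described above, the pressure switches under the shield and the battery/jumper supply, and zeroises the key store on either event. The key size, signal names and the constructed test key are assumptions.

```c
/* Added illustration (not from the post) of the tamper response the post infers
 * for the secure MCU; names, key size and input signals are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define KEY_BYTES 16
enum { TAMPER_NONE = 0, TAMPER_LID = 1, TAMPER_POWER = 2 };

/* Battery-backed key store; volatile so the wipe below cannot be optimised out. */
typedef struct { volatile uint8_t key[KEY_BYTES]; uint8_t reason; } key_store_t;

typedef struct {
    bool lid_switch_closed;  /* pressure switches still held down by the RF shield */
    bool battery_present;    /* 3 V backup cell in its holder */
    bool jumper_3v_applied;  /* external 3 V on the jumper beside the battery */
} tamper_inputs_t;

/* Sample the tamper inputs once; on any event zeroise the keys and record why.
 * Pulling the battery is tolerated only while the jumper holds the 3 V rail up. */
uint8_t tamper_check(key_store_t *ks, const tamper_inputs_t *in)
{
    uint8_t reason = TAMPER_NONE;
    if (!in->lid_switch_closed)
        reason |= TAMPER_LID;
    if (!in->battery_present && !in->jumper_3v_applied)
        reason |= TAMPER_POWER;
    if (reason != TAMPER_NONE) {
        for (size_t i = 0; i < KEY_BYTES; i++)
            ks->key[i] = 0;
        ks->reason |= reason;
    }
    return reason;
}

/* Run one scenario on a freshly keyed store (constructed test key). Returns the
 * reason mask, or -1 if key survival contradicts the tamper verdict. */
int scenario(bool lid_closed, bool battery, bool jumper)
{
    key_store_t ks = { .reason = 0 };
    uint8_t live = 0;
    for (size_t i = 0; i < KEY_BYTES; i++)
        ks.key[i] = (uint8_t)(0xA5 ^ i);
    tamper_inputs_t in = { lid_closed, battery, jumper };
    int reason = tamper_check(&ks, &in);
    for (size_t i = 0; i < KEY_BYTES; i++)
        live |= ks.key[i];               /* non-zero while any key byte survives */
    return ((reason != TAMPER_NONE) == (live != 0)) ? -1 : reason;
}
```

The battery-swap case (battery out, jumper at 3 V) is the one a service technician would rely on; every other combination wipes the keys.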
So until next time, or when the layouts are complete: stay safe and keep looking out for free electronics (you know you need them).
Frank.