Hi welcome to Teardown! Tuesday Today we're gonna take a look at this Sage 'm Montn el F post PIN Pad terminal. You might call them something else in your country, but we call them basically F post terminals here or up pin pads because I used to work at the company who actually supplied this key Corp I worked there back in 94 although I wasn't in the PIN pad group I designed the TFT LCD monitors for these type of banking systems back then. Anyway, this is not a Key Cop branded model. It's are produced by say German or I'll link in the datasheet for it down below, but it's one of these typical F post terminals.

Not a particularly recent one, but recent enough to have a smart card interface on here. and it's also a GSM model. We'll find that out. In fact, today, there we go.

It's got some similar three SIM card slots down there. I'm not sure why there are actually are three there, and there's an SD card slot in there anyway. so you can use this as a remote terminal and connects and does your electronic credit card transaction at your point of sale. And thanks to Luke Stone for sending this one into the mailbag, he scored it for 2 bucks at a local garage sale.

Fantastic! So let's tear down this thing and see what's inside. Now the interesting thing about these are: PIN Pad F Poss terminals is basically the security inside of them. and I'm not talking software security I'm talking Hardware anti-tamper security because it's very important for these things not to be hackable. so you know somebody can't just buy one commercially on the market or access one like this or still one or whatever and then hack it and put their own our circuitry inside of their own software or whatever to then steal people's our credit card numbers and PIN numbers and things like that.

So expect lots of anti-tamper technology inside this thing. and there's industry standards for this. This particular one meets the PCI Ped standard and no, PCIe doesn't stand for your regular computer PCI Slot It stands for the payment card industry and they're the regulatory body that handle the security standards both software and Hi. We're and also management for these things.

so it's Pcie Ped standard. So payment card industry ped stands for pin entry device which is what the industry term is for one of these, but we'll just call it F Posture milk. that's what they called here in Australia If Poss, if you don't know, is electronic funds transfer at point of sale. There you go and there are various standards for this.

We're going. This is meets the Ped standard for the pin entry device, but there's separate standards for the the DSS standard for the data security standard it stands for like the protocol, the interface in, and the key generation and all that sort of stuff. and I think you have to like by the standards or something like that. I Don't think they're readily downloadable, but if they are, please don't link them in and leave a comment and I'll link them in it down below anyway.

I'm gonna link in the data sheet for this thing I'm not sure the exact IH we'll find out. but yeah, as I said, it's got a smart card interface. It's got a card reader down there. you swipe your card, you can hardly see that, but there's a little as the reading head down in there.

We'll see that when we opened it up. graphical LCD screen and it comes with this cable which has both an Ethernet interface here. so it does I'm I P like you can connect to a regular internet connection and it can do your transaction that way which is faster than your regular modem. This will also have a V 32 modem in it as well and it's also got Rs-232 interface.

Plus it's also got that wireless capability with the Sim card as well. so maybe you can attach like an optional battery pack on here dealer feed it or something like that. Maybe you turn it into a portable device I Don't know. Well maybe it's just a complete leader device.

Anyway, it's got three different methods to actually do the transaction: Sim Wireless Ethernet and dial-up as well. Got a couple of USB ports on here device and host that I believe is used for the upgrade of the firmware. In this thing. you actually plug a cable in and plug in the USB key and you can do your firmware upgrades and field upgrades that way So should be really interesting.

But and it's got a printer as well. it's just got cheap, isothermal, simple thermal printer in the thing and a security looks like a security locking tab or something like that. So we really want to find out what the anti-tamper mechanisms in this thing. That's going to be the fascinating bit that I want to see All right, particularly care what processor it uses.

Although these things often use a a secure process are a specific hard and security processor that has that self destruct mechanisms and things like that anti-tamper devices built into the process and not a regular one. It says it does use a 32-bit Risc Arm Nine Micro at 200 Mitts in there to do that, but it also says it has a coprocessor. So I expect the coprocessor to be a security hardened processor. So this model is the EFT 930 s Sage' monitor and we'll find out the date when we open it.

They'll know there'll be some chips in there but yet like it's got a date of you know supplied by key Corp in 2010. But when it was designer service you know it's at least four or five year old so which isn't too bad. So there we go, that's like a half turn system. You have to do that and pull at the same time.

Ah, there we go. That's just a cable interface. so that's got our RS separate Rs-232 Ethernet and had the USB host I Think that one's for the firmware, so not entirely sure with the other. These are the devices over here, but anyway, so can probably do firmware updates through there.

It's 232 hosts and power and yeah, I could picture there maybe being a battery pack optional extra for that if you just wanted to use the sim module. No problems. And I don't really know about the GPRS modem inside this thing and the Sim cards here. Whether or not you know you can just whack any regular Sim card in there and how that's actually handled on the client side and all that, the payment gateway and all that sort of just I Guess you would have to be in the industry to know those kind of things, but let's see how we can open it.

so six of ours. But as I said, as soon as we take this case off, I expect there to be at an absolute bare minimum our anti tamper switch in there and built into the case. Perhaps that as soon as we open the case, it's going to destroy the contents of the of the keys and things like that, but there's probably multiple layers of our tamper protection in here. Not just that, so let's open it.

No, it turns out they're Torx screws I should be able to find the right sized one in here. should keep them organized all right. Taking out six screws there we go. It broke a little security seal there, not surprising.

and what are we got? Yep, there we go. There's our first. Yep, there's our first anti-tamper There we go. tactile switch down in there.

That's our first anti-tamper mechanism. So yet there there it is. There's the little button which pushes down on that tab side. Bingo.

All the probably screwed the pooch already. If you wanted to get the security keys out of this or whatever, you've probably already lost them. and yet at a minimum you'd probably have to go back to the official dealer and get it reprogrammed or recommission or whatever. However, that works.

Yeah, we got ourselves a 3 volt Lithium battery there and no doubt a lot of this stuff is going to be stored in SRAM It won't be stored in flash so you expect us find like the keys and things in SRAM so that they can easily be destroyed at a moment's notice when you you know and to violate any one of the tamper mechanisms inside this thing. Now curiously, I'm a massive 4700 my 10 volts surface mount cap. look at that blister there so they really want to retain that data boy. like I Reckon that's maybe that's are for like I don't know some internal real-time clock or something and maybe that battery only powers the keys and other encryption type data perhaps.

And this side cap reservoir cap just keeps maybe the timing date going for a long time when it's when the power is disconnected? perhaps? I'm not entirely sure. and we have ourselves a pulse transformer therefore the Ethernet interface and we've got our recording head over here, our Rs-232 our USB host over there, something that's not populated over here. So I don't know whether or not that's the factory test or some sort of optional thing. Maybe it's part of it.

No, yeah, it's something else. so it could be a optional model fit. Couple of parts missing all around here. Not entirely sure.

Another big-ass surface mount kept missing here, so not entirely sure what's uh, what's missing around these parts here. and I thought there wasn't any screws holding that in place. so I just pulled on it and broke off. it came.

Yeah, it's got a huge border board interconnect here. It's plastic, but a plastic shield. they're not sure, like a spacer. I'm not sure why they bother putting a spacer in there.

Is this some sort of an E tamper mechanism in that? maybe not. Anyway, it will got a large amount of shielding around here, so oh yeah, there we go now. given that shielding on the back there and a large amount of via stitching that indicates our wall, a shield in, and all the ground planar flood-fill on the top as well. and all the via stitching low impedance stuff that indicates high frequency stuff is at play here.

So I'm thinking this wall has gotta be uh-huh Really is no option. There's got to be the optional by the looks of it not fitted to this, the GPRS module. So these Sims are of no use to this, presumably because there's no wireless. GPRS Functionality not fitted.

Now, whether or not there's it, looks like there's some circuitry on there, whether or not there's maybe another board. and there's got to be like an antenna somewhere because I don't see an antenna in this side case at all, so that's all optional. Unfortunately, by the way, we have a date code down in there 36 week Oh seven. So whether or not it's old stock or whether or not it actually came from the it was manufactured around, you know, Lado 708, something like that.

Not sure now. I Just thought for a minute maybe this was the modem stuff and this hadn't been populated in this one. But like there's no isolation there or anything like that you'd expect. you know, isolation relay isolation slots dedicated isolated section for a V32 modem that hooks up to the phone line.

So yeah, that doesn't seem to be in there, or at least not on the top of anything inside here that we can see so far. And we have a Vikon Dm9 161 chipset there with its own dedicated oscillator of course, that's all for the Ethernet, the physical aspect of the Ethernet interface and that one. there is just a Joe Bloggs Rs-232 interface driver. Now why they've got a second huge pin count border board interconnect connector there? I Have no idea it looks like a finer pin pitch then we've got here.

so I don't know. It's not something you'd ordinarily use for testing. so maybe it was part of the development and debug something like that. And there's nothing fancy happening in most of this that's clearly a power switch mode power supply there.

Dead giveaway as that. Yeah, it's surrounded by an optional shield which they haven't decided to fit. and when you see big power inductors like that and a big tantalum cap and a little chip next to it controlling it. Yeah, and a couple of high value.

while ceramic caps like that in a large package, you know that like to get very lower ESR on the output that a switch mode controller requires. it's a dead giveaway and we got ourselves a beeper up there. by the looks of it. and well, not much else happening, just some miscellaneous stuff down here.

for the USB interfaces over here thing. I'm very surprised as that I can still only see one anti-tamper mechanism and that was the little tactile switch there which we saw when we opened the case I Expected the UH processing is that I'm not sure that is will get in and have a look anyway. it looks like we've got some ram. it's and flash there.

this is all you know. I Expected this to be either physically potted or protected with some sort of extra Annie to tamper mechanism in some respect. at least make it tough physically difficult to access by just putting the stuff anyway. But no, no, they've just put in a 1/2 hour shield over that and well, we can read the part numbers straight off there.

Hmm, clearly there's our arm a 9 processor but that's not the brand that's the model more ft 3x so you know they're just using off-the-shelf Arm Up processor. As they said, what was it a risk knowing at 200 MIT's so yeah, they're just a rebadging that when you buy enough of them. the rebate date code again 34th week Oh 7. So there you go.

You know that's unlikely that two chips are going to be from Oh Seven, especially a processor like this. They generally don't leave those sitting around in nut stock for all that long on nut products like this. So I Reckon yeah, it's you know, manufactured in not late, oh Seven or Eight. but ducky Cup of whack to that 2010 sticker on it was it.

Although, actually, come to think of it, no, it's not that surprising that this is not secured in any way because this is just the applications process that we haven't gotten to the secure processor yet. so that's probably on the other side of the board, making it even more difficult to, you know, hack and get into you because you've got to take out the second board. So that Cupressus has got to be on the back of this board somewhere and that could have extra anti-tamper stuff. and there's no magnetic recording? Head down in there.

It's just like your regular tape based, you know, cassette tape for you youngsters out there like a regular head? Maybe yeah, possibly you know. I was specifically designed for credit card scanning and things like that. Nothing fancy I think I found a bit surprised in Does that? Is that a little bit compliant? Yeah, it could be. Usually they build some physical compliance into this thing, hence the flex coming out and usually you know they want to I get some a bit of compliance in the pressure that this head puts across the credit card that you actually swipe into this thing.

So yeah, I think that's what this metal plate here can be doing, just giving a little bit of a little bit of pressure and some give against the card. And I was about to say that these metal look, there's metal pins are there and there I thought AHA Maybe that's some extra anti-tamper or something, Maybe some conductive thing, but I can't find any matching thing in the top case here. so I thought maybe that was an extra NE Tanner / mechanism, but obviously not so. I Don't know why they put metal pins in there.

maybe there to hold in the card slot here for the smart card, but yeah. I don't know. There's a head for the thermal printer there. and yeah, they do have one individual pixel so it's all the way across.

I Don't know how many pixels I have across there, but there's one individual thermal element which then just burns the heats up and burns a dot in the thermal paper as it passes through. Looks like we've got some gear mechanism gearing mechanism over here. Tiny little motor on the back there, but yet nothing much doing there. They're pretty simple, in fact, all of that just bingo.

Popped out of there on a flat flex. No problems at all, so you could. Actually, if you're really keen, you can keep that and reuse that there are. they're likely they usually have like a driver.

I've shown these before in previous videos on the flat flex here. Usually an embedded driver in there to actually drive the elements. There's specific are chips you can get and they're usually only available in die form for attaching directly onto the flat flex to open the rest of this. I Think it's just sort of like oh, look, that whole side panel.

There you go. Hey there you go. That whole side panel. Oops.

I Just look at that snapped snap. The flat flex just sheared right off because this is a thicker part of the flat flex down here that goes into there and this is thinner so ya know. No surprise that have actually sheared off at that point. So I think the whole thing just lifts out and as I said I reckon there's probably another going to be another switch on the bottom here, which will if we're ever our keys.

Secure keys, encryption, and all that sort of jazz. Whatever it needs hasn't been raised already. It most likely is when we get that out. Bingo! Now here's an interesting aspect to this thing.

Of course, there are two ways to hack. There were at least two ways to hack these things. Want us to actually get in to the actual last circuitry itself? and you know, get like, steal the keys and all that sort of jazz. And you know, maybe hijack your own circuitry on there.

All that, sort of, you know, really deeply complex stuff. The other simple way is to hack in to the magnetic stripe reader like that. so tap off that and read the signal directly from the card and then also add some circuitry. you know, like a little leaf.

you want a hack These you might add on a little board or something like that to read the keypad like this. So you're basically stealing the information directly. All you need you don't have to worry about, you know, defeating the encryption mechanism and all that sort of stuff with the keys. All you need to steal is the magnetic card info and the people's pin numbers as they actually type them in.

and I Think that's the majority of our hacks on these that type of things. but if you've got more info on that anyway. So there's two ways to get into this thing. One is through the back of the case which we saw before and the other is through the membrane keypad on the Frontier.

Now you'll notice you know it's just a regular membrane keypad in this conductive pads here, which then make contact to our regular buttons. You've seen this before coming in commoners Mudd Every single product. but look, it's got two additional little contacts there and there that don't made up with a R button on the front. But look, they have a little little little pin in there, a molded into the plastic case which then pushes on this and acts as a button.

when this thing is finally assembled and look at that. we've got two pads there and they're on the board. Bingo! That's another anti-tamper mechanism, so if you try and remove that membrane keypad bingo, it's going to destroy it and lose the keys. Do whatever.

And once these things, you have to basically send them back to the dealer or the factory or whatever to get them reprogrammed. if that's even possible at all. After you open these things, Maybe not. These things aren't designed to be.

Yes sir, they're designed to be assembled secure. They're going to meet all those international wire security requirements. All that sort of jazz. So there you go.

We've now already released two anti-tamper mechanisms in this thing and under there is it on semiconductor. N CN Six Double for a that's the driver chip for or the interface chip for the yacht's in modules. Those three Sim modules we saw on the backside and that's got ESD protection built in because these Sim modules of course are easily accessible by human fingers. so you know you can don't want to kill your main input chip here and you'll notice all the better nails.

Test pins all the way around here for production testing. Now once again, this coprocessor. This is the secure coprocessor. And once again, I'm surprised that it's not potted or has any other anti-tamper mechanism in there.

And look, it's a once again, it's got their own brand on there. It's Mana EFT Y3x specifically for this model, but they're not spinning their own silicon there. I Guarantee it. They're just reusing and off-the-shelf secure microcontroller that won't be a regular one.

A couple of companies around specialize in doing secure micro controls specifically for this purpose and there they will often have like a self-destruct pin on them so that the encryption keys which are kept in not SRAM destroyed. if you don't keep that pin you know powered up or whatever. Now this could have been like a modern one. likes a maxim.

For example, do a max R3 to double 500 secure microcontroller that does all the AES DES you know, secure key encryption, all that sort of stuff. It's got temperature and voltage art, tamper mechanisms, and all sorts of fantastic stuff to ensure that you can't you know hack and extract the I keys from this thing. but that's only available in a BGA package. But I did find an older school Ardella Semiconductor of course our Dallas owned by Maxim now and I think this thing because it's a hundred pin dirty QFP I think it's a Dallas D S fifty to forty I can't get the pin outs for this because you need an NDA shock horror to actually get the full data sheet.

but I'll link in down below. Just the basic are top level data sheet for this thing. so that's what I think it is Delos semiconductor DS Fifty Two forty. Perhaps it's an 805 one processor by the way, that previous maximum one that had a I'm Cortex M3, but something like this D is fifty two forty old-school 805 one processor but can access like up to eight mega RAM but it's got like 4096 bit encryption in there.

It's got physical protection as well. Its got like a pattern that they embed in there over the die. so if you physically try and like eat away like actually dissolve away at the plastic assuming that you got through all the any tamper mechanisms on this thing, if you were actually able to dissolve the plastic on there, there'd be like a physical metal barrier over the top of the encryption area of the chip. not over the entire chip, but probably just the encryption area of the chip that actually holds the keys.

And it's all SRAM based is all very fast. SRAM which they talk about so that you know if it detects any sort of our temperature tampering, voltage tampering, memory bus tampering things like that, probing all those sorts of mechanisms, it'll just erase the keys in there and bingo, your data is lost. So this chip in its own right probably has adequate security in there to meet the those international security standards we talked about at the start. but I was just, you know.

I'm very disappointed that there wasn't extra security like and that was like fully potted or something like that. just to make it just that belt and braces engineering approach, you know I mean yeah, this chip can do it on its own, but just would have been nicer to see some extra security in there perhaps. But I don't know. Yeah, it obviously meets the standard, so that's all.

approved, all that sort of jazz and really the odds of you being able to hack this thing like in terms of the encryption keys and things like that are borderline zero. So there you go I Hope you enjoyed they look inside one of these RF post PIN pad terminals and yes there is a lot of security which goes into these are prime. You know more on chip on die stuff than anything else you know. We've got some basic stuff protecting the keypad and opening the case for those physical attacks.

As I said, a hacker wouldn't be bothered trying to get you know the keys out of this or hack of that processor. In any way, it's just too hard. If they were going to try and hack these things then they'd you know be detecting the keypad presses and reading your magnetic cut strip reader and that's you know you hear reports of yeah people have a snuck well not not snuck in. they just do like sleight of hand.

So what they do is they cased the place are first that they want to target. they've already hacked one of these aren't matching pin pads to what's in a store and everything else just to like steal the the credit card the basically the PIN number and the credit card info on there and they just you know go into the store sleight of hand they just you know disconnected. somebody distracts the attendant while the other one you know physically swaps over the units. So then you've got a hacked unit installed and nobody's none the wiser.

Then they come back later and they steal it. And it's a captured all of that data. That's one of the ways that these things are often hacked anyway, but yet really quite difficult to do. The security on these things is really pretty good.

So there you go. Hope you enjoyed a look inside these pin pads. A data sheets are linked in down below, so check them out if you like tear down Tuesday Please give it a big thumbs up. And as always, the Eevblog forum is a place to discuss it.

but Youtube is cool - or the Eevblog comm website. Catch you next time you.