A mystery teardown taken from Dave's mailbag submission shelf.
What will it be?
Forum: http://www.eevblog.com/forum/blog/eevblog-942-mystery-monday-teardown/
EEVblog Main Web Site: http://www.eevblog.com
The 2nd EEVblog Channel: http://www.youtube.com/EEVblog2
Support the EEVblog through Patreon!
http://www.patreon.com/eevblog
EEVblog Amazon Store (Dave gets a cut):
http://astore.amazon.com/eevblogstore-20
T-Shirts: http://teespring.com/stores/eevblog
Likecoin - Coins for Likes: https://likecoin.pro/ @eevblog/dil9/hcq3
Hi, welcome to Mystery Monday, or more precisely, Mystery Teardown Monday. I've got a whole bunch of mailbag stuff I've got in the mailbag that, like, kind of weren't worthy of a two-minute teardown, sort of. You know, they justified more than that.
So I kept them on a shelf, and it's really overflowing. So I thought, um, like every Monday for a while, hopefully, I will just take an item at random from that shelf, a mystery item, and tear it down. It won't be a, you know, huge, extensive, you know, half-hour teardown.
But a little short thing. Yes, I'll still do my Mailbag Monday when I get enough items and things like that. But anyway, what is the mystery item? Oh, let's have a look. It's the Datenbank, the mega X Datenbank. Thank you very much. Normally I keep the notes of who sent this stuff in, but I don't actually have that.
So I believe we got this in a mailbag. I don't think I tore it down in the mailbag, hence why I put it up on the teardown shelf. So what this thing is, I can't find any actual data on this module itself, but what I believe it is, and maybe it was in the original note in the mailbag, but I can't even find the original mailbag episode where this one was in.
So hopefully I haven't torn it down yet. So I don't have any data on this thing. Maybe there was some info in the original note in the mailbag this one was sent in, but I can't actually find the mailbag episode it was in. Anyway, what I believe it is:
It comes from a company called, where are they, ah, ADP Gauselmann in Germany. Hi to all my German viewers. They're actually a gaming company; they manufacture, like, gaming and gambling machines or some such. And what I believe this is, is a secure memory slash processing module that's designed to hold presumably the security keys or the encryption keys or whatever for the machine itself, and it's designed to better prevent physical tampering of this thing. So if you try and open this and get out the encryption keys or whatever is encrypted inside this thing, then it's going to prevent you from doing that.
It's going to automatically erase the keys and everything else. We've seen this before in, like, those EFTPOS terminal machines that you use at your local shopping center or service station, or point-of-sale machines. They contain encrypted keys in them, and likewise, they're kept inside a secure tamper-proof module like this. And of course, you could potentially just try and hack the thing through the external pins like this, but these are designed to do
all the secure processing, and the encryption keys are kept in here. The processing, the decryption or whatever, is all done inside this thing. So the theory goes that if you try and probe these pins, hack it in any way like that, you're not going to get any useful data out. You have to physically hack into this thing, crack it open and try and get the encryption keys that way. But they're designed so that if you crack this thing open, then the keys instantly erase themselves, because they're held by battery-backed SRAM typically inside this thing. So, you know, you open it up, boom! The battery disconnects from the SRAM and the keys are gone. So inside this thing, we expect to find some batteries. We expect to find some tamper-proof things.
So if you try and drill through it or something like that, you know, if you know exactly where to drill, because hey, you could get one of these things, take it apart and then figure out exactly what points to drill in, and then you can get yourself a good one with the keys in it and then know where to drill through. So I'd expect some sort of tamper-proof mechanism inside this thing, and battery-backed SRAM and some processing and stuff like that. But the interesting thing will be to see how they've done the physical security, because if you can't hack via the pins, which is the whole concept of it, then you have to go through physically. So this one's actually been opened, whether or not I opened it previously or as supplied like that. So thanks to whoever sent this one in. So let's actually crack this sucker open and hopefully we can see inside. It looks like, I would have maybe expected it to be welded shut or something like that, but they haven't actually done that.
They haven't done it. So we can actually get inside this thing. Someone's had a go at this, so let's know. Is it going to come apart? Yep, hi, hello.
So we've already. The keys are already gone, presumably uh-huh. What do we got? We've got a board. Just got a copper board on there.
Does that come out? Ah, on the top as well. So I think this is going to be some sort of, what's that? Oh, that's actually carbon, um, put down onto the copper pad here. And look. Ta-da.
They're all, yeah, look in the corners here. They've got carbon there as well,
and these match up with these dots here. So they're making electrical contact onto this ground plane on the back here. So we'll get a meter and we'll just confirm that. And I bet you that,
yep, that is carbon. All right. There we go. 10 ohms or whatever. And that one over there is conductive as well.
So yeah, they're connected through to this metal case here, and the same on the other side. Is it? Yes, the same. Here we go. So exactly the same. So there.
Um, so the first protection mechanism here is if you take off, uh, one side of this like this, presumably there's electrical connection through there and it detects that you're actually removing the metal covers. So that's the first thing. So hang on.
Hi, hello, hello. So today we're in like Flynn. Aha! Look, you can see the pattern on there. Get the macro lens out and we'll have a closer look at that. And got a contact there, and bingo, there's our battery. That's our battery there, and it pops out there. We go, exactly the same security measure on the bottom side. So here we go. They've got the batteries in there. They're going to have them soldered directly on like that for higher reliability.
They've got two of them for redundancy presumably. And yep, there's the little contacts which go through to the pad there. Yep, on the other side there, there's our processor and we'll have a closer look. We've probably got some SRAM where the keys are held.
Nothing's gunked at all. So I kind of expected maybe to see something gunked in there, like a physical protection, but the whole idea is once you remove these, it breaks the circuit. It might just be as simple as coming from the battery in series with maybe the there, and they look like there's traces in there like that.
So if you drill through, it's going to break those traces and, bingo, your SRAM presumably, and that holds the keys inside this thing, will just erase itself and you've lost them. And bingo, there's our SRAM memory. These are, uh, Samsung parts, and, uh, SEC could stand for, uh, secure, but I couldn't find any mention of, uh, you know, a secure-type application for these things in the datasheet for this, so.
But anyway, these are, uh, Km 68 R1 and 68 100s RAMs, and normally they're, you know, like five volt parts, but they're actually designed for battery backup applications, exactly what we suspected here with the batteries in, in that they retain their data down to two volts. So of course, you know, with a three volt lithium cell like this, you want it to work down to lower voltages, so not only five volt parts, and the system will work at 5 volts, or have a 5 watt processor and data bus and everything else.
But hey, you can still retain the data on them down to 2 volts, and that's exactly what you need. And right next to the batteries here, there's an ancient-looking part, 26 week 1985, so I'm not sure what's going on there, because a lot of parts elsewhere on the board are much later, as I'll show you. But anyway, they are 45:43, let's say a real-time clock chip. So this is, you know, fairly old
tech in here. Here we go. So here we go. I took in a 14th week 99 there by the looks of it, so this looks like a 2000. Yep, yep, six week, 1999. So 2000 vintage. We've got ourselves an Atmel microcontroller here.
Old-school AT90S1200. Do they even still make that one? Um, yeah, maybe. And also on the top side of the board here, a MAX691 voltage supervisor, microprocessor supervisor, so that would notify the processor when the power's removed and all that sort of jazz. And look, an HC573, jellybean logic, regulator. Yep, some more, uh, 245 jellybean stuff, and there's our processor. I can see the Motorola symbol, but that's about all she wrote.
So all of our secure key processing and everything else is done inside that baby, presumably. Um, yeah, I'm not sure what the little Atmel micro is doing there. Um, that's rather confusing. So yeah, these SRAMs that are used to, uh, keep the security keys or whatever they're trying to protect inside this thing, these are just basically regular SRAMs. They're not, uh, secure cryptographic SRAMs and other memory products which you can get these days. Not sure if you could, you could probably get them back when this was designed and manufactured, but they didn't bother to use those. Some of those, like the proper secure chips and secure micros and stuff, they will actually have, like, sometimes an extra security protection, hardware protection, embedded inside the die. They might have, like, a security mesh on top or something like that, so you can't physically try and get through the chip.
Even if you could defeat all the other our security measures inside this thing, you still couldn't get through to the chip itself. You've got an extra layer of protection yet again, but this one doesn't have that. So let's find out what this puppy is. Ah, it's not gonna.
It's not gonna peel off nicely, and it's got one of those silly, unreadable codes, so I'll have to look at that under the Mantis and get back to you, sir. Code: the, oh yeah, there's something there. And there's nothing special about that micro at all.
Um, it's just an off-the-shelf one. It doesn't contain any hardware security measures on the die or anything else. It's not a specific security processor or anything like that, which might be used in the more upmarket EFTPOS terminals and things like that, or other really serious ones. So anyway, um, that just does all the processing, and we're still unsure what that little micro there does.
You know, some sort of supervisory role or something like that, perhaps? Hmm. Now let's take a look at the security cover. Hopefully, you might have to watch this in HD. I can't really see it very well on my camcorder LCD here,
but you can see the traces on the PCB there. So it's a PCB with all these circular, like, spiral traces on them, perhaps? I'm not sure of the exact pattern. Anyway, um, that looks like it's just one conductive pad,
but I don't think it is, because that wouldn't make sense. I think, yep, there we go. That is actually a zebra strip. There we go.
That's a better look. That's actually a zebra strip that actually connects. Well, yeah, it's not the elastomer type one, it's different. You'll notice that there's conductive traces on there which go over very fine, and it basically connects all these traces in there.
There we go, got four traces. And so these would just be loop traces. So that looks like we've got two separate loops there, perhaps? And then these would likely, we'll follow the traces on the board in a minute.
But my guess would be that these would be in series with the power line, power trace, going to those SRAM chips. So let's see if I'm right. All right, it's actually hard to trace these things. But anyway, um, these compares go off to white transistors and through these resistors here. You can likely see that pad go off to these resistors. So all of this, uh, stuff in here, these, those diodes or transistors.
They could just be diodes. Are they? Because that's a common way to switch, or at least some of them, a common way to switch in the power pins from a battery-backed-up SRAM. You just do it through diodes.
One comes from the battery through a diode, another one goes via the main power rail. So when the power rail fails, the other diode kicks in and powers it from the battery here. Anyway, pin eight over here, this is the power pin over here, and I have actually confirmed, we've got our buzzer on,
I have actually confirmed that that doesn't go through to the power of any of the other chips here. So I've actually checked that, so they're not actually connected. So they are somehow breaking in to the power pins of these chips, as you'd expect,
because that's the whole concept, that it loses the power. These are SRAMs, so they're a volatile memory. If you remove the power, bam, they're gone. You can't recover them.
There's no residual anything in there that you can actually recover the keys from. They're just simply lost. So yeah, all this stuff around here, um, seems, although I haven't figured out where the power actually gets back to over here yet. But yeah, it's definitely not connected directly through to the main power rail.
But one thing I did follow is these two pads on the left side here. They actually go through, if you note the location, to that physical hole there. They actually go through to the two pads on the other side, so it looks like it's one big loop on the top and bottom side of this thing. So if you remove either the top side or the bottom side, it's one huge loop going through all of these traces on the board. If you try and drill through this, if you physically remove it or anything like that, bingo, you're going to break the traces on there and that will just erase,
remove power to the SRAMs here, and your keys are gonesky. And as for the ground plane on the other side here, I think, and those bumps, um, I don't think that's actually, uh, an actual connection at all. They're just, uh, grounding. They're just using that as an internal, uh, ground shield.
Maybe, like, it shorts out, you know, if you try and drill through or something like that, some additional measure that, you know, shorts out the power rail or does whatever. Something like that, perhaps. But it doesn't look like there's actually any connection forming a loop between, like, the chassis or anything like that to actually detect it.
But yeah, I could be wrong. You'd have to look into the exact detail. But yeah, I think all the security measure is coming from these things. And if you want to know the actual connection, it's not next to each other like this, it's alternate ones like that. So that's measuring about a hundred ohms there, and it looks like we might have an additional security measure here. They've got one of these things which looks like a surface mount LED, but they've got one top and bottom here, and no,
I've tried to light that puppy up and they aren't an LED, so that looks like, um, some sort of maybe ambient light sensor, whereby even if you have managed to somehow defeat all the loop protection and everything else here, you physically take it off and the light gets in to this thing, then bam, that's going to erase it as well. So maybe, um, yeah, the micro looks like it's controlling all of the security measures for this thing. So yeah, this looks like it's implementing some sort of smart security solution in that micro handling all that, so that, you know, it's a bit more advanced than just, I don't know, looping the power pins through the micro through the top and bottom of these things,
so it's a bit more advanced than that. So that's alright. So there you have it. There's a look at a security module for a gaming machine which does the processing that handles the encryption keys or something like that.
If anyone knows the exact details of this, please leave it in the comments down below. But yeah, that's a rather primitive one compared to some of the more modern-day ones that actually, as I said, have physical security features on the die. And there's various specialist manufacturers of these chips designed for EFTPOS and other high-security terminals that, you know, have to keep the encryption keys secured from the factory, actually on the physical micro themselves, with the built-in memory. They might have SRAM on there, or in this case, you know, fairly old-school, I mean this thing's at least, what, 16 years old, you know, external SRAM memory like this, battery backup, and, you know, they've gone to a fair amount of trouble with the intelligent micro in there to handle all the security, and just a physical wire shield like that that connects over with all those fine loop traces to try and prevent drill-through. So, you know, you shouldn't be able to hack these things through the external pins, so they would have, you know, there's probably maybe even standards for this in the gaming industry or whatever that actually define, you know, the ability to, you know, not hack these things through the pins, so you'd have to, you know, go in physically to try and extract the keys or the data or whatever it is they're trying to protect. So there you go.
That's a rather interesting look inside a secure memory module, and if you liked this new one, don't know if it'll last forever, but I might keep it up fairly regularly. Just a smallish teardown of a random mystery item from my very overflowing bench up there with all my teardown stuff on it, anyway, like that, sent in via mailbag and various other stuff. So if you like that, please give it a big thumbs up. Boy, it's a big thumb. Catch you next time.
got me thinking – you couldn't go through the pins – but you could phyyysically go through the pin sockets.
that'd get you inside the case and you could use a bum-hole scope camera to get a look around. man this all sounds so fun
Hello from Romania, excellent idea, love it, keep up this kind of videos
I know this is an old video, but I wonder if the Atmel is powered down when security is good, and perhaps the transistors in the security loop power it up when the security loop is broken and its only job is to overwrite the keys before power to the memory chips is lost.
SEC is Samsung Electronics Corp.
Get one of them, x-ray that sucker, batteries? Find the pins and send the exact same voltage there (I'm still 1/4 way watching the vid)
I wanna make a geared APN analog computer!
Could you maybe talk about sigma dsp please?
These are awesome !!
I DO NOT speak any German but according to google translate DATENBANK is German for DATABASE
My question has to do with a B&K Function Generator you purchased off E-Bay. I bought a BK3020 off E-Bay a while back and have been busy and just got around to using it, and guess what, it does not work. I was trying to find the teardown of the one you bought, but have had no luck finding the video. Do you by chance know where I missed finding it at?
It says "Database" on the front. And the logo of the laughing sun is of an often used gambling company. You'll find that logo on slot machines and such.
Did they even have soic packages in 1985? I think that datecode is suspect.
I don't remember seeing that before in mailbag fwiw lol
Brilliant idea…More mystery things ))
I propose that the loops on the outer PCBs work like a transformer or even antennas with the outer cans and ground contacts serving as a Faraday cage so that no RF gets out. The Atmel drives one transformer winding/antenna and compares the feedback in the other one against factory-calibrated figures. Any mechanical breach or powerful enough electromagnetic field will upset that feedback and trigger the self-destruct.
When you add in the light sensors (possibly, just photodiodes) and the NTC somebody else spotted, you can tell they meant business.
Also, the idea of having RF noise pumped inside a Faraday cage has the nice side-effect that the entire box is now TEMPEST-ized, that is you cannot simply "listen" to what it does from the outside and somehow extract the keys from that activity. I'd be surprised if similar measures were not taken to protect against power analysis (i.e. either all encryption code is padded so that it draws the same amount of power regardless of operation OR all encryption code runs from the battery and power is drawn from the two connectors only to transfer the result).
It's a beautiful design and amazingly simple (and cheap) for how much protection it offers. To get into it, I noticed there isn't much protection around the connectors so I would go in (mechanically) through there and then through the plastic frame between the antenna PCB and the main one. Of course, RF-transparent tools would have to be used throughout. After establishing a tunnel to the via controlling the power circuit, it should be possible to short that line to the always on position and then proceed with complete disassembly and dumping of the SRAM contents.
On the difficulty scale, it's probably "impossible" for the casual DIY-er and "a good first project for the intern" for the NSA. Keep'em coming!
Well, it's written on the module… "Nicht Öffnen – Datenverlust…" is for "Do not open! Data loss, repairs only by manufacturer"
let's say you were able to bypass those protection mechanisms, how would you extract the data?
"…keys are GONESKY!" LoL
I was wondering if that was a type of Faraday Cage.
That was actually pretty interesting. Good video!
Relying on the data being lost simply from loss of power isn't great. Freeze the chips (liquid nitrogen is good for this) and you could bust into the device and get the data. I'd expect they would forcibly overwrite the data when a breach was detected, not just drop power to the chips.
SEC = Samsung Electronics Corporation
If that really is from 2000, it would have been one of the last slot machines with actual physical wheels and proprietary logic circuitry (that is not casino slot machines, but the ones found in European pubs and street corner gambling halls, with smaller bets and payouts). Today it is all touchscreens, with multiple games, and inside the machine would be an industrial PC. So the cartridge would perhaps not contain the full game, but only the winning tables, like what is the maximum bet, what is the average payout, and so on, because these things are tightly regulated and state supervised and these regulations would change frequently. So the customer (i.e. bar or gambling hall owner) would need to change his payouts to conform with the law, and instead of having to buy a new machine they send him an updated cartridge. But this technology does not exist anymore, today it's industrial PCs with the data contained on standard USB sticks or SD cards, with cryptographic methods applied. The thing in this video would probably contain little or no cryptography and rather rely on its physical security measures.
What's with the Hello World?
If you wanted to defeat the security of the SRAM memory, you can use a "Cold boot attack" or variation of it. Basically you cool down the SRAM chips with liquid nitrogen which slows down the bit decay of the SRAM chips once they have been turned off. You'd have about seconds to minutes to re-power the chips and read them. This is assuming the chips are not actively wiped once turned off and are raw readable.
What a fascinating module, a great teardown subject. I like the Mystery Monday idea and would vote to keep it as a feature!