Regular Hackaday readers may recall that a little less than a year ago, I had the opportunity to explore a shuttered Toys “R” Us before the new owners gutted the building. Despite playing host to the customary fixture liquidation sale that takes place during the last death throes of such an establishment, this particular location was notable because of how much stuff was left behind. It was now the responsibility of the new owners to deal with all the detritus of a failed retail giant, from the security camera DVRs and point of sale systems to the boxes of employee medical records tucked away in a back office.
The resulting article and accompanying YouTube video were quite popular, and the revelation that employee information including copies of social security cards and driver’s licenses were left behind even secured Hackaday and yours truly a mention in the New York Post. As a result of the media attention, it was revealed that the management teams of several other stores were similarly derelict in their duty to properly dispose of Toys “R” Us equipment and documents.
Ironically, I too have been somewhat derelict in my duty to the good readers of Hackaday. I liberated several carloads worth of equipment from Geoffrey’s fallen castle with every intention of doing a series of teardowns on them, but it’s been nine months and I’ve got nothing to show for it. You could have a baby in that amount of time. Which, incidentally, I did. Perhaps that accounts for the reshuffling of priorities, but I don’t want to make excuses. You deserve better than that.
So without further ado, I present the first piece of hardware from my Toys “R” Us expedition: the VeriFone MX 925CTLS. This is a fairly modern payment terminal with all the bells and whistles you’d expect, such as support for NFC and EMV chip cards. There’s a good chance that you’ve seen one of these, or at least something very similar, while checking out at a retail chain. So if you’ve ever wondered what’s inside that machine that was swallowing up your debit card, let’s find out.
Self-Destruct Sequence Initiated
The unfortunate reality is that there are some very clever people out there who are actively looking to “crack” devices like the VeriFone MX 925CTLS. We’re all aware of card “skimmers” which mount to the outside of a payment terminal, but from a criminal’s standpoint, the big weakness with such devices is that you can just yank the thing off. The ideal solution is to integrate the skimmer hardware directly into the terminal itself so it can’t be seen from the outside. To prevent that sort of tampering, these devices utilize various tricks to deactivate themselves in the event that somebody tries to crack open the case.
If the back panel of the device is removed, then this small PCB becomes disconnected from the main board, and the VeriFone MX 925CTLS knows it’s been opened up. That’s easy enough. But if you look closer, there’s also a reed switch and pads on the board that correspond to the appropriate features on the inside of the enclosure.
So even if somebody figured out how to open the case without breaking the electrical connection (such as with some kind of extension cable), those features would still trip once physically separated from the rest of the device. But before you even got that far, the white plunger attached to one of the back panel screws would have lifted off its pad on the main PCB, alerting the system to the fact somebody was attempting to open it.
But what about simply drilling through this little board to access the electronics underneath? That’s where all those traces on the PCB come in. Drilling through the board would invariably break a trace, and effectively be the same as if you triggered the tamper-evident systems normally.
If we count the physical disconnection of this board, that’s five different ways for the VeriFone MX 925CTLS to detect it has been tampered with. Even still, I wouldn’t be surprised if I missed a couple. Feel free to leave a comment if you know any other tricks that are commonly used, or even if you see one here that slipped by me.
Built for Purpose
In a way, I was glad that the anti-tamper system in the VeriFone MX 925CTLS rendered it a paperweight upon disassembly. It saved me from having to decide if I should bother reassembling it or not. Since the device had either scrambled its internal storage, or at least activated some kind of software flag that would prevent it from being used again, I could strip it for parts without the normal pangs of guilt.
Unfortunately, there isn’t a whole lot in here that can be used for much else. Actually, there’s almost nothing that can be reused. A device like this is awash in custom components that you can’t get datasheets for, and even if you could, aren’t exactly the sort of thing you could use in your average DIY project. But we can still marvel at the engineering that went into building it.
Of particular note are the stereo speakers and 3.5 mm headphone jack on the right side of the PCB, no doubt accessibility features for those with difficulty seeing. Between the headphone jack and the central RF shield, you can see the pad that corresponds to the anti-tamper plunger mentioned previously. To the left of the RF shield is a chunky 3 V lithium battery used to keep the volatile storage powered up. Even farther to the left, you can see the thick metal shield that covers the actual magnetic stripe reader and its ribbon cable, no doubt another method of protecting the device from an attacker attempting to get access to sensitive data by drilling through the case.
The main component under the RF shield is a VeriFone 2102COC, a proprietary processor of some type. Its paired with a Samsung K4X1G323PE, a 128 MB DDR RAM module that’s usually found in mobile phones. Next to that is a Toshiba TC58NYG1S3EBAI5 providing 250 MB of EEPROM storage. Underneath another RF shield on the back of the board is an NXP PN512 that handles the terminal’s 13.56 MHz touchless payment communications.
There’s also a few mystery chips in the mix. These devices have clearly legible numbers, and searching through the usual suppliers gives me a link to buy them and even a report on current stock levels; but no datasheet and in many cases not even a description of what it does. This leads me to believe they are probably some kind of cryptographic coprocessors that us mere mortals aren’t allowed to experiment with.
Built Like a Tank, or an Apache
Perhaps the most impressive thing about the VeriFone MX 925CTLS is how solid it is. The bottom half of the polycarbonate enclosure twists in much the same way that a brick doesn’t. Everything inside is built to the highest order, and it’s clear that a lot of thought went into building these things to last as long as possible in a fairly hostile environment. The average customer is trying to complete their transaction as quickly as possible, so expecting anything less than a daily life punctuated by poking and yanking is wishful thinking.
As the keypad is likely to get the most abuse during normal usage, it will probably come as no surprise to find that it’s an exceptionally heavy duty component. In fact, the design of the keypad is suspiciously similar to what I pulled out of the data entry keyboard of an AH-64A Apache last year.
Both keypads appear to be made of a very similar material, and feature integrated springs-loaded plungers that provide a phenomenal “clicky” response. Try as I might, I couldn’t find any markings on either keypad which would confirm that they actually come from the same manufacturer, but we can dream.
An Academic Experience
If you’ve been following my previous teardowns, you’ll know that I often make a point of identifying parts that could be worth salvaging for future projects. But in the case of the VeriFone MX 925CTLS, I have to admit there doesn’t seem to be much of anything worth keeping.
Personally, the component I had the highest hopes for was the smart card reader. While the rest of the world is well accustomed to this technology, here in the United States, it’s still a relatively new addition to our daily lives. I was very curious to see what the inside of one of these readers would look like, and fantasised about it potentially being some kind of I2C or SPI device that could be extracted from the terminal. Unfortunately, the reader is nothing more than a block of plastic with some flexible fingers that push against the chip.
While there was nothing of particular material use from this device, it was still an illuminating look inside a piece of equipment that’s part of daily life for most of us. If you ever have the opportunity to take apart something like this, don’t pass it up. You might not add any parts to your bin, but you certainly won’t come away empty handed either.