Verifone Vx570 Payment Terminal Teardown

You better enjoy this Instructable, It cost me a working payment terminal! I’ll explain why later on.

I was meandering around at the local flea market looking for something interesting to hack apart, when my eyes beset upon an unearthly beauty not many get to see: a hand held payment terminal. Not only have I been looking for something with a stripe reader in it, but also a thermal printer. Those objectives paled in comparison to actually having the opportunity to hack up some tight financial equipment. I’ve always wondered what truly secure electronics looked like and what hardware based security mesures were taken. Finally I have my answer, and so will you!

Here’s a quick video of the teardown and my initial thoughts on some of the chips functions.



Here  and here have good introductions on how data is actually stored on magnetic stripe cards. We won’t be focusing on that level so much, more so one the chip and data protocol levels. I’ll be making another Instructable on how to directly decipher information from magnetic read heads, which will be linked here when it’s done.

Protection circuitry:
          In addition to the mystery chip, there was a wonderful switch hiding behind the spring loaded display. When taken apart, the lcd gets pushed out, and opens said switch. I believe as soon as that switch gets opened, a bit gets flipped somewhere and the device goes into lockout mode. I plan on analysing the on board communications when it starts up to see If there’s a way of forcing the device out of lockout. If I have any success, I’ll make a new Instructable and link to it here. What really sucks is that I didn't do any packet analysis or certificate spoofing before it died. It would have been nice to upload the cap files so people could identify the patterns while...uh...having coffee. If you know of a crusty old forum with some good information on the subject, let me know in the comments and I'll link it here.

For those of you how don’t want to use advanced image enhancing software to determine the various chip names from the video, I’ve included a list and basic descriptions.

Samsung s3c2410al-20  
                    200mhz CPU SoC

cy62177dv30ll 
                    32mbit SRAM

mrd531b   Triple Channel F2F Decoder IC
                    Used to decode the data coming from the magnetic head. Take a look at the diagram I got from the data sheet. As you can see, the chip handles the driving of the magnetic heads and everything.


8007b_c3   Double multiprotocol IC card interface
                    Appears to communicate with smart cards using witchcraft, at least that’s what I can figure out from its datasheet. It’s very vague as to how and what it communicates with.

TDA8020HL   Dual IC card interface
                    Like the previous witchcraft chip, except it communicates specifically through I2C. That makes me think that these 2 ICs are probably communicating through I2C and serving the same purpose.

AX88772   USB2.0 to 10/100M Fast Ethernet Controller
                    Does what it says on the tin. Appears to connect via the onboard 4 port hub

TUSB2046B   4 Port USB Hub
                    Also does what it says on the tin. If my machine were still alive, I would have liked to see what communications the terminal allows via USB. It might even be possible to emulate another network interface via the USB port and pseudo-non-intrusively log packets.

verifone 08233-01-r
                    The first person to identify what this mystery chip actually does will be 20% cooler. Not only are there lots of circuit traces on the peculiar circuit board, but there’s also graphite traces surrounding the riser. When in doubt, guess security. It might be monitoring RF noise for odd signals. It’s not a coincidence that it’s covering all of the major processing circuitry.

If you have any questions or suggestions on where to go next with this device, send an email to my gmail account, jerzmacow.