Dissection of a Payment Terminal

by Rob H, May 2022

Part 1: The hardware

Have you purchased something from a shop today? How about yesterday? Been to a restaurant lately? How about the cinema? In today's (nearly) cashless society, payment terminals (also known as card machines or card readers) can be found everywhere! From supermarkets and bars to market stalls and petrol stations; anywhere that monetary transactions can be made, you’ll usually find a payment terminal somewhere nearby.

Despite these devices being found everywhere in day-to-day life, not much is known about how they work, and for good reason (I’m looking at you exploit-craftin’ money-stealin’ ski-mask-wearin’ scallywags). But these mysterious black boxes piqued my interest, and I had to know more.

This series of blog posts will document my research into Ingenico payment terminals, including topics such as:

  • How the device works
  • How some of the device’s physical tamper protection mechanisms work
  • The files and network protocols I’ve deconstructed and how I deconstructed them
  • The tooling I’ve created to communicate with the device
  • How I dumped the firmware off of the flash chip

This first post will cover:

  • The device’s external features and internal components
  • How the terminal protects itself using physical tamper protection mechanisms

Introduction

One of the most common payment terminals you can find in the UK is the Ingenico iPP350. You will probably recognise it.

Fig.1 - The main character of the story

The iPP350 (an abbreviation of ‘Ingenico Pin Pad’) is part of a family of payment terminals manufactured by Ingenico that run on the Telium 2 operating system.

In terms of external physical features, the iPP350 is fairly simple:

Fig. 2 – Sunny side up
Fig. 3 – Sunny side down

The function keys are used to navigate the terminal’s settings and open various menus (depending on what applications are installed). This terminal supports three methods of payment: Insert, contactless, and magstripe. The contactless method is supported by an optional module that can be installed under the removable cover on the underside of the device. Also included is a MicroSD port to expand the device’s memory, and SAM modules (Secure Access Modules).

Under the hood

Opening the terminal’s case reveals a single PCB:

Fig. 4 – Take note of the white covering…
Fig. 5 – The wonky sticker bugs me more than it should

On the underside of the PCB (Fig. 5) is an Electromagnetic Interference (EMI) shield, likely there to protect the components inside against interference from the contactless antenna. Removing this shield reveals the primary microcontroller, flash chip and RAM chip.

Here’s a detailed diagram explaining all of the components:

Fig. 6 – Might be TOO detailed
Fig. 7 – To PCB? Or not to PCB?

There is very little information online about the microcontroller (nicknamed “Thunder”), except that it contains an ARM9 architecture. Thunder comes in a Ball Grid Array (BGA) package and is manufactured by a company called MONEFT3X. The flash chip is a 128MB H27U1G8F2B in a 48 pin TSOP1 package and the RAM chip is an 8MB HY57V281620F in a 54 pin TSOP2 package. Both the flash and RAM chips are manufactured by a company called Hynix. Other important components present on this side of the PCB are an internal coin battery and a security enclosure for the credit card slot (we’ll talk more about this later). An assortment of test pads are scattered across the PCB, which I plan to explore in a future blog post.

Peeling back the white cover on the PCB reveals a number of additional components, the most important of which is the secondary microcontroller (nicknamed “Booster”). This microcontroller runs on an ARM7 architecture and is responsible for handling all cryptographic functions that the terminal needs to carry out (such as verifying the signatures of installed applications). Booster also holds all sensitive information found on the device such as private keys and passwords.

Fig. 8 – Booster

Now that we’ve had an overview of the device’s external and internal components, let's take a closer look at some of the more interesting parts of the device hardware…

Tamper? I hardly know ‘er!

When someone pays for something with a credit or debit card, they are trusting that the system they are using will protect them against dangers such as credit card and bank account theft. Therefore, it is important that payment terminals operate in exactly the way they are expected to once they’ve left the factory. But what if an attacker opens up one of these devices, changes something, then closes it back up again? How would you know something was different about it?

The first screen to appear when you plug in an iPP350 (after the obnoxiously loud startup beep) is blue and displays a smiley face, or in my case a sad face.

Fig. 09 - 🙁

No, I haven’t accidentally purchased a Tamagotchi, and no, I haven’t forgotten to feed him. This face indicates whether or not the device has been tampered with. The device still boots into the Telium 2 operating system, but will constantly flash one of two warnings depending on the current physical state of the device: one stating that the device is Unauthorized, and the other stating Alert irruption!!! Sounds angry right? Maybe I have forgotten to feed him…

Fig. 10 – Scary
Fig. 11 – Scarier
Irruption
noun /ɪˈrʌpʃn/
1. the act of entering or appearing somewhere suddenly and with a lot of force
"The assassination still feels like a primal catastrophe—an irruption of inexplicable evil as horrifying as any supernatural bogeyman." (Ross Douthat)

Tamper protection mechanisms are mechanisms for protecting a device against tampering (the clue is in the name). If someone attempts to gain access to the terminal’s internal components and interrupts one or more of these protection mechanisms, the device detects this as an ongoing irruption event. It then proceeds to wipe any sensitive areas containing data such as private keys from the device, and displays the Alert irruption!!! warning message. The terminal is able to detect irruption events even when it is not powered, thanks to the internal coin battery.

Once an irruption event is detected and the sensitive data on the terminal has been wiped, the terminal can no longer be used to process transactions. The only way that the terminal can be put back in working order is to return it to Ingenico, at which point they will reset the device and replace the secret keys.

If an irruption event occurs, but the tamper protection mechanisms are then restored, the terminal no longer registers that an irruption event is occurring. However, the secret areas of the device are still wiped, and the device is unable to operate fully without this. In this scenario the device displays the Unauthorized warning message.

So, what sort of tamper protection mechanisms does the iPP350 have?

Tamper Protection Mechanism 1: Keypad

If we look at where the keypad sits on the PCB, we can see that the contacts underneath each key come in the form of two concentric rings. By bridging the connection between the inner and outer rings, the device registers a button press. Remember that white sticker covering the PCB we saw earlier? The underside of that is covered in round metallic discs which are used to bridge the connections.

Fig. 12 – These rubber keys…
Fig. 13 – …press down on these rings…
Fig. 14 – …by using these discs

However, you’ll notice that there are eight other contacts that aren’t covered by a key (see Fig. 15 below). These contacts are continuously pushed down by rubber points on the keypad all the while the PCB is contained inside the device casing. When all tamper contacts are pressed down, there are two bridges made: one between contacts 1, 2, and 8, and the other between contacts 3, 7, and 6 (see Fig 16 below).

Fig. 15 – The third outer rings are ground contacts.
Fig. 16 – Right foot green

As soon as an attempt is made to open the device casing by removing the screws, the pressure that is applied to these tamper contacts is decreased, severing the connection between the inner and outer tamper contact rings.

Contacts 4 and 5 are not linked to the other tamper contacts, but are instead connected to each other through a connection across the white covering.

If you look closely at the underside of the white covering (and scratch away at the black part like a lottery ticket) you will see that the entire sticker is covered in a single trace that weaves in and out like a maze. This is so that if an attacker attempts to access the internals of the device by drilling through or cutting away at this covering, the terminal will detect that the connection between contacts 4 and 5 has been severed and will wipe the sensitive data, even if pressure to the tamper contacts continues to be applied.

Fig. 17 – Notice the LABYRINTHIAN trace, it looks like the high score on Snake

When I received the iPP350 from eBay, the Unauthorized warning was already present, meaning that an irruption event had previously occurred on the device (or that someone had wiped the secret areas). I removed the PCB from the case, after which the Alert irruption!!! message then appeared. After soldering a bridge between the inner and outer rings of all eight tamper protection contacts, the device no longer recognised an ongoing irruption event, and returned to displaying the Unauthorized message.

Fig. 18 – The PCB outside of the case but only showing the Unauthorized message

Tamper Protection Mechanism 2: Card slot

The second tamper protection mechanism is designed to protect the credit card slot. It stands to reason that this part of the terminal should get its own tamper protection mechanism, as it’s the component that directly communicates with a user’s credit card. If a malicious actor was able to access this part of the device without consequence, they may be able to intercept signals between the credit card and the terminal. To combat this, the internal card reader mechanism is enclosed by a thin green plastic shroud (see Fig. 19).

Fig. 19 – The lean green card-protecting enclosure

This shroud has 6 tabs that are passed through holes to the underside of the PCB and soldered down (Fig. 20). Contact points 3b and 4b are grounds, as are the thin lines around each of the other contact points. But what’s so protective about a thin piece of plastic I hear you ask? The fact that it uses the same mechanism as the white cover from earlier: a long winding trace that zig-zags all over the entire underside of the enclosure (see Fig. 21). If the enclosure gets cut or punctured and the trace is disrupted, then an irruption event is triggered and the secrets get wiped.

Fig. 20 – The six contact points
Fig. 21 – If you look really closely you can see the minotaur

With the enclosure removed from the PCB, contact points 1 and 2 share continuity, as do points 5 and 6. Points 3a and 4a do not share continuity with each other, or any of the other points (see Fig. 22).

On the enclosure, contacts 1 and 6 share continuity, as do 2 and 3a, and 4a and 5. This means that when the enclosure is soldered to the PCB, the circuit is complete.

Fig. 22 – Soldering the enclosure to the PCB completes the circuit

Therefore, by wiring points 3a and 4a together, the irruption event can be stopped even when the enclosure is completely removed from the PCB.

Fig. 23 – Enclosure removed, device angry
Fig. 24 – Points 3a and 4a connected with a wire, no irruption
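To make the card-slot loop and the irruption/Unauthorized behaviour concrete, here is an added Python model (my own construction, not code from the post or from Ingenico). The contact names, the PCB and enclosure connections, and the two warning states are taken from the post; the graph search, the `TamperMonitor` class and the `loop_state` helper are assumptions about how such a monitor could be modelled, not Ingenico's implementation.

```python
from collections import defaultdict

# Connections described in the post. On the bare PCB, points 1-2 and 5-6 are
# joined; on the enclosure itself, 1-6, 2-3a and 4a-5 are joined.
PCB_TRACES = [("1", "2"), ("5", "6")]
ENCLOSURE_TRACES = [("1", "6"), ("2", "3a"), ("4a", "5")]
MONITORED = ("3a", "4a")  # the pair whose continuity the terminal watches


def continuous(traces, a, b):
    """Breadth-first search: is there an unbroken path of traces from a to b?"""
    adj = defaultdict(set)
    for x, y in traces:
        adj[x].add(y)
        adj[y].add(x)
    seen, frontier = {a}, [a]
    while frontier:
        node = frontier.pop()
        if node == b:
            return True
        for nxt in adj[node] - seen:
            seen.add(nxt)
            frontier.append(nxt)
    return False


def loop_state(enclosure_fitted, cut=None):
    """Continuity of 3a-4a with the enclosure fitted/removed, optionally with one
    enclosure trace cut (a puncture of the winding trace)."""
    traces = list(PCB_TRACES)
    if enclosure_fitted:
        traces += [t for t in ENCLOSURE_TRACES if t != cut]
    return continuous(traces, *MONITORED)


class TamperMonitor:
    """Battery-backed monitor (modelled, not Ingenico's code): an open loop wipes
    the secrets irreversibly; the displayed message follows loop and secret state."""

    def __init__(self):
        self.secrets_present = True

    def observe(self, loop_closed):
        if not loop_closed:
            self.secrets_present = False  # wipe on irruption; cannot be undone here
            return "Alert irruption!!!"
        if not self.secrets_present:
            return "Unauthorized"  # loop restored, but secrets already gone
        return "OK"
```

Walking the model through the post's sequence (enclosure fitted, removed, then the loop restored) reproduces the smiley, the Alert irruption!!! screen and the persistent Unauthorized screen respectively.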

So, there you have it folks, a quick intro to the Ingenico iPP350 payment terminal hardware, as well as a rundown of how the device is protected from physical tampering against malicious ne’er-do-wells. We’ve also learnt a new word today: irruption. Tell your friends.

Stay tuned for the sequel to this post, where we’ll look at the different modes that the iPP350 can run in, how they work, and how to interact with them (this isn’t going to be one of those things where the sequel is not as good as the first one, this will be like The Dark Knight compared to Batman Begins).
