Author Topic: EEVblog #942 - Mystery Monday Teardown  (Read 6478 times)


Offline EEVblog

  • Administrator
  • *****
  • Posts: 30304
  • Country: au
    • EEVblog
EEVblog #942 - Mystery Monday Teardown
« on: November 14, 2016, 08:56:43 am »
A mystery teardown taken from Dave's mailbag submission shelf.
What will it be?

 

Online daqq

  • Super Contributor
  • ***
  • Posts: 1660
  • Country: sk
    • My site
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #1 on: November 14, 2016, 09:33:00 am »
Thanks for the teardown Dave. The photodiode was a nice touch. They probably wanted the device to be reusable once the batteries died, so they didn't pot it.

A while ago I linked to a similar device, if more advanced:

https://www.eevblog.com/forum/reviews/encryption-system-teardown-nice-pics-of-antitamper-methods/
Believe it or not, pointy haired people do exist!
+++Divide By Cucumber Error. Please Reinstall Universe And Reboot +++
 

Offline Hole

  • Contributor
  • Posts: 30
  • Country: de
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #2 on: November 14, 2016, 06:16:28 pm »
Gauselmann (or adp Gauselmann) is one of the bigger players in Germany's government-controlled money gambling ecosystem of gambling machines hanging around in pubs. They come from a "small" family-owned shack slowly rising into a big player expanding in Europe. 2 billion euro business volume/year, mostly noticeable by their trade name "Merkur".

There are a lot of stories floating around about manipulations of these gambling machines, not limited only to adp machines. Use of piezo igniters, secret button sequences or modified ROMs. Built in by manufacturers to avoid taxes (there were some law cases and heavy donations to political parties...) or pub owners, found by enthusiastic device hackers (or leaked?). Travelling groups and "unknown strangers" that can empty these machines in seconds. Or some software you can buy that predicts the outcome of the next game. Basically everything this type of business offers...
 

Offline Hole

  • Contributor
  • Posts: 30
  • Country: de
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #3 on: November 14, 2016, 08:28:38 pm »
Addendum. With some surfing around I found some instructions and details on how to defeat this security mechanism.

It's quite simple: open the box on one side by bending the tin box. External power can be supplied to a short trace then visible, defeating all the security.  :-DD

Bridging the four pads and removing the photodiode and external power can be removed.  :-DD :-DD

The part at https://youtu.be/IpdJEo9r-HQ?t=528 is the "Timekeeper" of the gambling machine, limiting its usage time by law (as far as I understood).
« Last Edit: November 14, 2016, 08:58:07 pm by Hole »
 

Offline elgonzo

  • Supporter
  • ****
  • Posts: 690
  • Country: 00
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #4 on: November 15, 2016, 01:23:26 pm »
Just a side note:
SEC on the SRAM ICs does not stand for "secure" or something similar.
It is simply the manufacturer: Samsung Electronics Co. Korea.
Like the old 3-star logo marking, Samsung does not use the "SEC Korea" marking anymore, I guess.
 

Offline tigrou

  • Contributor
  • Posts: 22
  • Country: be
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #5 on: November 15, 2016, 07:10:46 pm »
What is the exact purpose of the device?

To prevent dumping/tampering a separate encrypted ROM (which is decrypted on the fly by the device, using some private encryption keys)?
Or is the box the ROM itself (along with some SRAM holding the keys)?

EDIT: I found another teardown video here:

Unfortunately this is in German
« Last Edit: November 15, 2016, 07:17:02 pm by tigrou »
 

Offline Hole

  • Contributor
  • Posts: 30
  • Country: de
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #6 on: November 15, 2016, 07:27:36 pm »
The German government regulates by law the usage and numbers of gambling machines in pubs. For example the winning and losing rates are limited by amount and time, it is only legal to lose 80 € per hour and win a maximum of 400 € per hour (with a lot more rules).

The PTB (Physikalisch-Technische Bundesanstalt, something like NIST in USA) has to verify that the machines obey the law every two years. So there must be a way to make it tamper proof so that Joe-average-criminal-pub-owner can't fuck with the machines and addicted users.
 

Offline Brumby

  • Supporter
  • ****
  • Posts: 9499
  • Country: au
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #7 on: November 16, 2016, 04:54:40 am »
Not sure what it is these days, but in NSW the regulations on poker machines required a minimum 80% return to the punter.

This was calculated by taking every combination and adding up the payouts and comparing that to the cost of playing that number of combinations.  For example if you had a 4 reel machine with 20 symbols per reel, then you would have 20 x 20 x 20 x 20 = 160,000 combinations. At $1 per single row play, the machine would have to return (on a statistical basis) $128,000 from the $160,000 put in.

Of course, in the real world.......
 

Offline Red Squirrel

  • Super Contributor
  • ***
  • Posts: 2366
  • Country: ca
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #8 on: November 16, 2016, 05:43:21 am »
Guessing once these are in service they aren't meant to lose power for extended time? I imagine those cells would not last very long running the MCU and whole shebang, maybe a year?  The fact that nothing is potted tells me it might actually be meant to be easy to open too, as a service technician you could open it to change the cells for example then reprogram the key.

Those types of cells are incredible though, similar to what is in Nintendo cartridges to hold save data, and nearly 30 years later, they still work!
 

Online blueskull

  • Supporter
  • ****
  • Posts: 12672
  • Country: cn
  • Power Electronics Guy
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #9 on: November 16, 2016, 05:46:08 am »
Like the old 3-star logo marking, Samsung does not use the "SEC Korea" marking anymore, I guess.

As a side note, Samsung literally means 3-star in Korean, and the corresponding Hanja means the same in Chinese.
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 10358
  • Country: 00
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #10 on: November 16, 2016, 07:09:46 am »
The fact that nothing is potted tells me it might actually be meant to be easy to open too, as a service technician you could open it to change the cells for example then reprogram the key.

Yep. I imagine it's designed to be easily reprogrammed/re-used.
 

Offline SAI_Peregrinus

  • Contributor
  • Posts: 23
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #11 on: November 17, 2016, 02:18:34 am »
If you're interested in tamper-resistant hardware, watch Chris Tarnovsky's DEFCON talks:



He has hacked multiple types of smart cards and trusted platform modules using a Focused Ion Beam workstation (electron microscope).

There is no such thing as tamper-proof, just tamper resistant. A sufficiently skilled and determined attacker (with enough money) can get through anything.
 

Online blueskull

  • Supporter
  • ****
  • Posts: 12672
  • Country: cn
  • Power Electronics Guy
Re: EEVblog #942 - Mystery Monday Teardown
« Reply #12 on: November 17, 2016, 02:35:24 am »
He has hacked multiple types of smart cards and trusted platform modules using a Focused Ion Beam workstation (electron microscope).

That's actually a common technique. How do you think companies clone MCUs with the read fuse blown? They use FIB to reconstruct the blown fuse!
Many universities will allow outsiders to use their analytical tools for a charge, so getting access to a FIB or dual beam station is not hard at all.
 

