EEVblog Electronics Community Forum

EEVblog => EEVblog Specific => Topic started by: EEVblog on November 14, 2016, 08:56:43 am

Title: EEVblog #942 - Mystery Monday Teardown
Post by: EEVblog on November 14, 2016, 08:56:43 am
A mystery teardown taken from Dave's mailbag submission shelf.
What will it be?

https://www.youtube.com/watch?v=IpdJEo9r-HQ
Title: Re: EEVblog #942 - Mystery Monday Teardown
Post by: daqq on November 14, 2016, 09:33:00 am
Thanks for the teardown Dave. The photodiode was a nice touch. They probably wanted the device to be reusable once the batteries died, so they didn't pot it.

A while ago I linked to a similar, if more advanced, device:

https://www.eevblog.com/forum/reviews/encryption-system-teardown-nice-pics-of-antitamper-methods/
Title: Re: EEVblog #942 - Mystery Monday Teardown
Post by: Hole on November 14, 2016, 06:16:28 pm
Gauselmann (or adp Gauselmann) is one of the bigger players in Germany's government-controlled money gambling ecosystem of gambling machines hanging around in pubs. They come from a "small" family-owned shack, slowly rising into a big player expanding in Europe. 2 billion euros business volume/year, mostly noticeable by their trade name "Merkur".

There are a lot of stories floating around about manipulations of these gambling machines, not limited only to adp machines. Use of piezo igniters, secret button sequences or modified ROMs. Built in by manufacturers to avoid taxes (there were some law cases and heavy donations to political parties...) or pub owners, found by enthusiastic device hackers (or leaked?). Travelling groups and "unknown strangers" that can empty these machines in seconds. Or some software you can buy that predicts the outcome of the next game. Basically everything this type of business offers...
Title: Re: EEVblog #942 - Mystery Monday Teardown
Post by: Hole on November 14, 2016, 08:28:38 pm
Addendum. With some surfing around I found some instructions and details on how to defeat this security mechanism.

It's quite simple: open the box on one side by bending the tin box. External power can be supplied to a short trace then visible, defeating all the security.  :-DD

Bridging the four pads and removing the photodiode and external power can be removed.  :-DD :-DD

The part at https://youtu.be/IpdJEo9r-HQ?t=528 is the "Timekeeper" of the gambling machine, limiting its usage time by law (as far as I understood).
Title: Re: EEVblog #942 - Mystery Monday Teardown
Post by: elgonzo on November 15, 2016, 01:23:26 pm
Just a side note:
SEC on the SRAM ICs does not stand for "secure" or something similar.
It is simply the manufacturer: Samsung Electronics Co. Korea.
Like the old 3-star logo marking, Samsung does not use the "SEC Korea" marking anymore, I guess.
Title: Re: EEVblog #942 - Mystery Monday Teardown
Post by: tigrou on November 15, 2016, 07:10:46 pm
What is the exact purpose of the device?

To prevent dumping/tampering with a separate encrypted ROM (which is decrypted on the fly by the device, using some private encryption keys)?
Or is the box the ROM itself (along with some SRAM holding the keys)?

EDIT: I found another teardown video here:
https://www.youtube.com/watch?v=JdgPxkUl99c
Unfortunately this is in German.
Title: Re: EEVblog #942 - Mystery Monday Teardown
Post by: Hole on November 15, 2016, 07:27:36 pm
The German government regulates by law the usage and numbers of gambling machines in pubs. For example, the winning and losing rates are limited by amount and time; it is only legal to lose 80 € per hour and win a maximum of 400 € per hour (with a lot more rules).

The PTB (Physikalisch-Technische Bundesanstalt, something like NIST in USA) has to verify that the machines obey the law every two years. So there must be a way to make it tamper proof so that Joe-average-criminal-pub-owner can't fuck with the machines and addicted users.
Title: Re: EEVblog #942 - Mystery Monday Teardown
Post by: Brumby on November 16, 2016, 04:54:40 am
Not sure what it is these days, but in NSW the regulations on poker machines required a minimum 80% return to the punter.

This was calculated by taking every combination and adding up the payouts and comparing that to the cost of playing that number of combinations.  For example, if you had a 4 reel machine with 20 symbols per reel, then you would have 20 x 20 x 20 x 20 = 160,000 combinations; at $1 per single row play, the machine would have to return (on a statistical basis) $128,000 from the $160,000 put in.

Of course, in the real world.......
Title: Re: EEVblog #942 - Mystery Monday Teardown
Post by: Red Squirrel on November 16, 2016, 05:43:21 am
Guessing once these are in service they aren't meant to lose power for extended time? I imagine those cells would not last very long running the MCU and whole shebang, maybe a year?  The fact that nothing is potted tells me it might actually be meant to be easy to open too, as a service technician you could open it to change the cells for example then reprogram the key.

Those types of cells are incredible though, similar to what is in Nintendo cartridges to hold save data, and nearly 30 years later, they still work!
Title: Re: EEVblog #942 - Mystery Monday Teardown
Post by: Fungus on November 16, 2016, 07:09:46 am
The fact that nothing is potted tells me it might actually be meant to be easy to open too, as a service technician you could open it to change the cells for example then reprogram the key.

Yep. I imagine it's designed to be easily reprogrammed/re-used.
Title: Re: EEVblog #942 - Mystery Monday Teardown
Post by: SAI_Peregrinus on November 17, 2016, 02:18:34 am
If you're interested in tamper-resistant hardware, watch Chris Tarnovsky's DEFCON talks:
https://www.youtube.com/watch?v=w7PT0nrK2BE
https://www.youtube.com/watch?v=h-hohCfo4LA

He has hacked multiple types of smart cards and trusted platform modules using a Focused Ion Beam workstation (electron microscope).

There is no such thing as tamper-proof, just tamper resistant. A sufficiently skilled and determined attacker (with enough money) can get through anything.