Teardown: VeriFone MX 925CTLS Payment Terminal

Regular Hackaday readers may recall that a little less than a year ago, I had the opportunity to explore a shuttered Toys “R” Us before the new owners gutted the building. Despite playing host to the customary fixture liquidation sale that takes place during the last death throes of such an establishment, this particular location was notable because of how much stuff was left behind. It was now the responsibility of the new owners to deal with all the detritus of a failed retail giant, from the security camera DVRs and point of sale systems to the boxes of employee medical records tucked away in a back office.

Clipping from New York Post. September 24th, 2018.

The resulting article and accompanying YouTube video were quite popular, and the revelation that employee information including copies of social security cards and driver’s licenses were left behind even secured Hackaday and yours truly a mention in the New York Post. As a result of the media attention, it was revealed that the management teams of several other stores were similarly derelict in their duty to properly dispose of Toys “R” Us equipment and documents.

Ironically, I too have been somewhat derelict in my duty to the good readers of Hackaday. I liberated several carloads worth of equipment from Geoffrey’s fallen castle with every intention of doing a series of teardowns on them, but it’s been nine months and I’ve got nothing to show for it. You could have a baby in that amount of time. Which, incidentally, I did. Perhaps that accounts for the reshuffling of priorities, but I don’t want to make excuses. You deserve better than that.

So without further ado, I present the first piece of hardware from my Toys “R” Us expedition: the VeriFone MX 925CTLS. This is a fairly modern payment terminal with all the bells and whistles you’d expect, such as support for NFC and EMV chip cards. There’s a good chance that you’ve seen one of these, or at least something very similar, while checking out at a retail chain. So if you’ve ever wondered what’s inside that machine that was swallowing up your debit card, let’s find out.

Self-Destruct Sequence Initiated

The unfortunate reality is that there are some very clever people out there who are actively looking to “crack” devices like the VeriFone MX 925CTLS. We’re all aware of card “skimmers” which mount to the outside of a payment terminal, but from a criminal’s standpoint, the big weakness with such devices is that you can just yank the thing off. The ideal solution is to integrate the skimmer hardware directly into the terminal itself so it can’t be seen from the outside. To prevent that sort of tampering, these devices utilize various tricks to deactivate themselves in the event that somebody tries to crack open the case.

If the back panel of the device is removed, then this small PCB becomes disconnected from the main board, and the VeriFone MX 925CTLS knows it’s been opened up. That’s easy enough. But if you look closer, there’s also a reed switch and pads on the board that correspond to the appropriate features on the inside of the enclosure.

So even if somebody figured out how to open the case without breaking the electrical connection (such as with some kind of extension cable), those features would still trip once physically separated from the rest of the device. But before you even got that far, the white plunger attached to one of the back panel screws would have lifted off its pad on the main PCB, alerting the system to the fact somebody was attempting to open it.

But what about simply drilling through this little board to access the electronics underneath? That’s where all those traces on the PCB come in. Drilling through the board would invariably break a trace, and effectively be the same as if you triggered the tamper-evident systems normally.

If we count the physical disconnection of this board, that’s five different ways for the VeriFone MX 925CTLS to detect it has been tampered with. Even still, I wouldn’t be surprised if I missed a couple. Feel free to leave a comment if you know any other tricks that are commonly used, or even if you see one here that slipped by me.

Built for Purpose

In a way, I was glad that the anti-tamper system in the VeriFone MX 925CTLS rendered it a paperweight upon disassembly. It saved me from having to decide if I should bother reassembling it or not. Since the device had either scrambled its internal storage or activated some kind of software flag that would prevent it from being used again, I could strip it for parts without the normal pangs of guilt.

Unfortunately, there isn’t a whole lot in here that can be used for much else. Actually, there’s almost nothing that can be reused. A device like this is awash in custom components that you can’t get datasheets for, and even if you could, aren’t exactly the sort of thing you could use in your average DIY project. But we can still marvel at the engineering that went into building it.

Of particular note are the stereo speakers and 3.5 mm headphone jack on the right side of the PCB, no doubt accessibility features for those with difficulty seeing. Between the headphone jack and the central RF shield, you can see the pad that corresponds to the anti-tamper plunger mentioned previously. To the left of the RF shield is a chunky 3 V lithium battery used to keep the volatile storage powered up. Even farther to the left, you can see the thick metal shield that covers the actual magnetic stripe reader and its ribbon cable, no doubt another method of protecting the device from an attacker attempting to get access to sensitive data by drilling through the case.

The main component under the RF shield is a VeriFone 2102COC, a proprietary processor of some type. Its paired with a Samsung K4X1G323PE, a 128 MB DDR RAM module that’s usually found in mobile phones. Next to that is a Toshiba TC58NYG1S3EBAI5 providing 250 MB of EEPROM storage. Underneath another RF shield on the back of the board is an NXP PN512 that handles the terminal’s 13.56 MHz touchless payment communications.

There’s also a few mystery chips in the mix. These devices have clearly legible numbers, and searching through the usual suppliers gives me a link to buy them and even a report on current stock levels; but no datasheet and in many cases not even a description of what it does. This leads me to believe they are probably some kind of cryptographic coprocessors that us mere mortals aren’t allowed to experiment with.

Built Like a Tank, or an Apache

Perhaps the most impressive thing about the VeriFone MX 925CTLS is how solid it is. The bottom half of the polycarbonate enclosure twists in much the same way that a brick doesn’t. Everything inside is built to the highest order, and it’s clear that a lot of thought went into building these things to last as long as possible in a fairly hostile environment. The average customer is trying to complete their transaction as quickly as possible, so expecting anything less than a daily life punctuated by poking and yanking is wishful thinking.

As the keypad is likely to get the most abuse during normal usage, it will probably come as no surprise to find that it’s an exceptionally heavy duty component. In fact, the design of the keypad is suspiciously similar to what I pulled out of the data entry keyboard of an AH-64A Apache last year.

Both keypads appear to be made of a very similar material, and feature integrated spring-loaded plungers that provide a phenomenal “clicky” response. Try as I might, I couldn’t find any markings on either keypad which would confirm that they actually come from the same manufacturer, but we can dream.

An Academic Experience

Fairly significant bummer

If you’ve been following my previous teardowns, you’ll know that I often make a point of identifying parts that could be worth salvaging for future projects. But in the case of the VeriFone MX 925CTLS, I have to admit there doesn’t seem to be much of anything worth keeping.

Personally, the component I had the highest hopes for was the smart card reader. While the rest of the world is well accustomed to this technology, here in the United States, it’s still a relatively new addition to our daily lives. I was very curious to see what the inside of one of these readers would look like, and fantasised about it potentially being some kind of I2C or SPI device that could be extracted from the terminal. Unfortunately, the reader is nothing more than a block of plastic with some flexible fingers that push against the chip.

While there was nothing of particular material use from this device, it was still an illuminating look inside a piece of equipment that’s part of daily life for most of us. If you ever have the opportunity to take apart something like this, don’t pass it up. You might not add any parts to your bin, but you certainly won’t come away empty handed either.

49 thoughts on “Teardown: VeriFone MX 925CTLS Payment Terminal

  1. Lately I have had trouble getting the smart card reader to work on the payment terminals at Sam’s Club.
    An Associate there, told me that the “stops” have been pushed out of place by people shoving their cards in too hard.

    1. Maybe that’s what that little spring loaded tab is at the top of the slot? Otherwise, seems hard to believe they could push a card hard enough to break through that back wall.

    2. Try cleaning the contacts to restore a good electrical connection with the chip. The best way is a special card with some very thin cardboard like structure that you put few drops of IPA (the alcohol kind not the beer kind) on and insert in back and forth inside the reader. You can accomplish the same with a regular plastic card but it takes more back and forth, just put it backwards to prevent damaging your ship (if your plastic card got one).

      In rare cases it’s not much the contacts that are unclean but they are less spingy so too wide to make a good electrical contact. Some cards which are thinner than others will have trouble with these worn readers (whereas thicker cards will be OK) so you have to add some thickness içn the chip region. Often a single little strip of regular adhesive under the chip (card’s verso) is enough. I know that because my credit card become thinner as it worns out and thus I put a little bit of scotch (the adhesive kind, not the damn good alcohol one) under it.

      My two cents.

  2. Speaking of TRU, the one near me in Dallas Texas had some Lego sets that had been in the store for close to a decade. Lego sets have a limited production lifespan so its very easy to figure out how long a set has most likely been in in a stores stock and the one near me had several that had been out of product for 5-8 years. Many times they’d go on a decent sale but never anything better then %33. They’d rather let stock sit for years unsold then sell it at cost or slightly below. I never stopped being amazed by this level of thinking. I can only assume that after decades of being the in demand store for toys when it came time to take competition seriously the chain never fully moved from that state of mind that we are Mercedes Benz of toy stores with little competition to a chain that needs to accurately access itself and handle sales accordingly. Not only were they always the most expensive retailer for toys in this area but they never had any kind of stock blow out. I checked out the store about a year before it shut down and they still had games for the xbox and PS2 that were new. Unbelievably bad management.

    Still I hated to see them close as they were a warm and wonderful part of my own childhood. To bad they couldn’t get their act together.

    1. As far as I understand, the main reason why Toys ‘R’ Us went bankrupt is because a number of investors used it as a way to get rid of debt. They invested in the chain, looted it for all the cash it had to pay off other debts, and then dropped it like a hot Mr Potatohead.

      1. And with the way that Wall St has managed to achieve full regulatory capture over the US government, there is nothing to stop the same kind of scumbag investors from doing it all over again to another poor company…

          1. Sears is a failing business model, just as Montgomery-Ward and many smaller chains have failed before it. Sears has been selling off assets, not to be looted, but in a doomed attempt to have enough capital to stay in business.
            .
            Say good night, Gracie.

  3. As for reading data off of smart cards, they just use a fairly simple serial interface. Some of the STM arm chips that I’ve used can configure their USARTs to interface directly with them. It’d be fairly easy to bit-bang on an Arduino, too.

    1. That’s probably one of the very few parts that has any promise, but none of the part or model numbers on it turn up any results other than suppliers selling replacements. It may work with one of those generic LCD drivers, but if you’re going to import one of those you might as well just get one bundled with an LCD for a couple bucks more.

      But in the name of science, I’ll see if I can get a hold of one of the drivers and see if the magic smoke escapes.

      1. Touchscreen display, is the stylus active or just a tethered and inert stick? Two speakers, a magnetic strip card reader, and a robust keyboard – in a super sturdy housing.

        Looks like the perfect home for a PasPi or BeagleBone project. Remove the privacy shield from around the keypad to have better access.

  4. At my office we have a few of these or something very similar. I have had to work on them a few times. There is a menu with a password that you can usually get into to configure the terminal. (key combination at power on, or in the first xyz seconds of power on) Ours had options for USB, Serial and other data streams and settings 7 or 8 bit, baud rate etc. This was enabled by a hybrid cable. The adapter on the terminal had more then your typical USB contact points and those in turn were broken out at the power end of the cable to multiple serial points and usb. If I recall correctly you could have a serial (receipt) printer directly attached to the terminal.

    On the menu side, there were options to load encryption keys for that terminal to talk to some back end system and bank cards. We only use them as a digitizer for capturing signatures to avoid paper. There were display options such as contrast and brightness along with several other test menus to ensure proper function of the device before it talks to any external system. I would be surprised if the tamper did anything more then zero the “secure” functions.

    I would think that whoever owned or managed the terminal would want to be able to replace a failed keypad part or something and then get it back into service. In our case the “pen” would fail for various reasons. I have seen on other credit card terminals with a similar lithium battery that if it goes dead the terminal also zeros out ram and needs some TLC after the battery is replaced. But in nearly all cases powering the unit on put it back into some sort of firmware load state. In our case I had to send one unit back to the vendor for that to happen not because it was opened but because it sat on a shelf too long. We are remote enough the vendor keeps onsite spares with us. It also means they don’t send a lot of techs if they can help it but call me to play monkey see(hear), monkey do.

    1. I would rather that any attempt to repair or modify the keypad in any way should turn the thing into a useless brick and possibly also notify the authorities of an attempt to make a card skimmer.

    2. From what I’ve read about these terminals, there are encryption keys that are used to communicate with the bank or card handler, and from what I understand the keypad is encrypted as well (so when you enter your PIN, the keypad hashes it and the hash is sent to the device and in the case of chip cards is sent to the chip on the card and the chip itself does something with it, not sure what) and the tamper switches nuke the encryption keys.

      Most of the skimmers that I’ve seen, are more or less an “overlay” that snaps on over the top of the existing terminal, and is designed to mimic the look of the terminal itself but they make it slightly larger.

      The keypad encryption may only be on ATMs; but it’s plausible that it’s in use on these types of terminals as well.

      1. Having worked on the design of an EMV chip and pin terminal before, this one doesn’t even look as secure as I was expecting. Ours had the entire secure element contained within a multi-layer tamper detection mesh like the one shown attached to the bottom of this one, except it was a box with meshes on all sides. The raw display and keypad IO had to be routed in such a way that it was protected either by tamper detection meshes or by the display glass, plus there were various non-obvious tricks to make it hard to probe the keypad directly. If the tamper circuit was activated then the key material was securely erased and the device was bricked (permanently – re-keying in the field was not possible due to key management procedures). These devices are pretty secure!

        1. I worked on the field with lots of EMV terminals. The often see protections are pressure sensitive screws that clear the flash. Thus if you try toi open it….or put it outside when it’s cold after it has been stocked in a warm area it erase itself and ask to be returned to the factory to be reflashed (no field service on these f*ckers).

          On the electronic side you sometime encounter pretty clever protection mechanisms like over/under voltage detection and clock frequency detection to notice a power/clock glitch attack (useful when attempting to bypass anti readout flags). If those trips the flash is also cleared rendering the unit a pretty good looking paperweight.

          So yeah, even if you somehow by miracle defeat the physical protections (meshes, PCB traces, pressure pads, magnetic reeds, optical sensors…) you still have to deal with pretty strong electronics traps hereafter.

          1. The one I tinkered with had over/under voltage detection amongst the myriad of other tamper detection features to hop over. That was the real killer for me as apparently the dip from measuring instruments was enough for it to cry foul and shut off. Definitely an interesting type of device to teardown and marvel at the actual design, even if it is older :)

  5. At my place of employment we use these,or a *very* similar model. When they freeze up (which they do, but not often) we call in and have them rebooted. They run Linux! A picture of Tux on the screen even. I’m not sure if all versions do, but ours do.

  6. I’m hoping he managed to snag that Valcom paging control. I’d like to see what its PCB looked like. I worked on an earlier version in 1991 (changed the processor to from the MC68705P3 to MC68705C8, the plastic one-time programmable controller was new and was over half the price, plus it went from 28 pin to 40, so we could get rid of some glue logic)

  7. Interesting teardown even if it didn’t result in useful parts. There’s plenty of educational value in just seeing how all sorts of stuff is designed and assembled. In this case, it’s something that’s not a typical consumer gadget (well I guess in a way, that’s exactly what it is!)

  8. To be honest, I’d be concerned about someone replacing the innards with the own custom controller. Hand to customer, please enter your PIN, oh, damn, this one can’t get online, print out a failed transaction slip.

    Ok, let’s try this other terminal then … transaction completes, but the attacker now has the user’s card details (from the mag stripe), and their PIN.

    No consumer ever checks the integrity of the Pin Entry Device. As a security person, even one with an interest in hardware security, I have no idea how to even start, to be honest! Tamper-evident seals are a thing, sure, but check out the DefCon “Tamper-Evident Village” for how well that works.

    And no, I doubt that the keyboard is encrypted, I think that the entire unit is tamper-proofed so that the interface between the keyboard and CPU can be considered “secure”.

    1. Excellent point about just replacing the innards.

      But the keyboards are encrypted. It’s one of the requirements to keep PINs secure. That’s what the reed switch is all about – getting access to the back of the keypad clears its key/algorithm storage

    2. An interesting point.
      Not sure if it’s the same elsewhere, but here in the UK typically the chip+pin device you use shows the store name and details of the transaction (at least the total) so it communicates with the till.
      It might be a basic check but I always look at what the screen shows before shoving my card in, at least that way you have a vague idea the terminal marries up with the POS device.

  9. “You could have a baby in that amount of time.” My active involvement in the making a baby part of having a baby will probably take about 30 minutes. An hour tops on a good day. The rest of the time is mostly just waiting.
    *Joke, obviously*

  10. If you’re the sort of person who moves their whole arm around when entering a PIN, it’s possible to suss out your number from video of your arm movement – given decent measurements of the keypad and some other dimensions.

    I make sure to only move my fingers when typing a PIN. Nobody’s going to get mine by watching my elbow wiggle.

  11. is nobody going to say it? no? O.K. i will. what is the point of over-engineering the pin pad if businesses and card companies are going to allow sloppy database work so my card details and other information are being leaked every other month. it doesn’t matter if you have the deadbolt locked if you leave a window open

    1. The point is you have to start somewhere and you don’t want to be responsible for a security issues. The market, given enough focus on security (which is still a WIP unfortunately), will naturally get rid of bad/unsecured actors.

    2. What’s the point of securing the database, if the capture hardware uses insecure communication channels to send the data in? Security is many layered, and a failure of one layer only emphasizes the importance of all the layers, rather than question them.

  12. This article is kind of behind.. Criminals have been making skimmers that go entirely inside the slot for years and either transmit or log mag-stripe track dumps; external skimmers are obsolete. I haven’t seen any skimmers using SDA&DDA EMV attacks though except for some internal attacks in Europe at banks..

    The POSi(the keypad terminal the customer uses as shown) is a dumb device with only a RAM buffer that does encrypted handshakes with a POS server usually in a locked room in the same building, and that POS server(usually a x86 box with a configured POSi key connected by or serial) always has a processor subscription configured and the processor exchanges with an acquisition service that interacts with your bank all over one of the banking networks.

    You can read about SWIFT and ISO-8583 if you want to see how the core of the network works..

    1. By the way bank infrastructure never has a public facing IP address and it’s hundreds of layers of domain controllers and IDS and subnets. This is why even APTs don’t directly attack banks in first-world nations.. Even in places like Bangladesh they still need to physically get a foothold with an employee..

      Defense contractors and casinos actually have less security, and it has nothing to do with PCI or anything it’s just all the layers of auth and compartmentalization.. They don’t even patch a lot of their endpoints

  13. Tom, you close out by saying:

    If you’ve been following my previous teardowns, you’ll know that I often make a point of identifying parts that could be worth salvaging for future projects. But in the case of the VeriFone MX 925CTLS, I have to admit there doesn’t seem to be much of anything worth keeping.

    But earlier, you have this gem:

    Of particular note are the stereo speakers and 3.5 mm headphone jack on the right side of the PCB,…

    Obviously those are both worth keeping, if only to add a headphone jack to your new jackless smartphone.

Leave a Reply to xorpunk Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.