New blog post!
How I got a Root Shell on a Credit Card terminal
https://stefan-gloor.ch/yomani-hack
#reverse_engineering #reverseengineering #hardwarehacking #hacking #security
@stgl @zeewox You changed the question slightly.
Does the GPL require that source code of modified versions be posted to the public? (https://www.gnu.org/licenses/gpl-faq.html#GPLRequireSourcePostedPublic). --- "No."
The question here is if the device was made available to the public, or clients ... clients would be able to request the source code, but not random person since the device is not theirs.
@stgl I think you'd have to ask the re-seller (I am assuming! since this is eBay) for the code, not the manufacturer since the re-seller is re-distributing the device and not the manufacturer. So to hold the manufacturer responsible here is unfair.
I.e., if you get a copy of some #GNU #GPL program from me, I'm not responsible if you re-distribute it later and refuse to provide the source code.
@stgl Did they publish their GPL sources for Linux etc.?
(btw, nice to see an ARM926EJ-S in the wild, these things can run a subset of Java bytecode in hardware)
@stgl Oh no! This is the SumUp Solo incident all over again
They do indeed use the Linux part of the device also during payment processing... While most Swiss merchants' POS systems will speak the TIM protocol with the device, you can throw Worldline a few € per month and they will remotely install a ZVT-to-TIM service on the device. That way, merchants using "German" POS software can use their existing protocols.
@stgl Doom port in 3.. 2.. 1.. ;-)
Would be interesting if the root console could be configured to also listen on the network interface.. weirdest mini-server ever.
@stgl
"Wait, what!? That's it? I'm in?"
:-D
@stgl
"The "insecure" Linux, running on the second processor, mp2, only handles ... the updating,..."
Would this open up an insecure update path?
@stgl "The system runs a 3.6 kernel, built with Buildroot 2010.02 (!) in February of 2023"
so it's basically an up-to-date Debian system
I'd love to have a chat about all of this too!
But first let me dive a little into the internals...
I've only looked at it for 3 hours yesterday night
Did not have to use your tool (rootshell on the exposed debug port, and exported the rootfs over network)
This way, I have an untampered running device.
The version is newer, at least for the bootloader:version_id:v1.7c+00000:gad03c1b Dec 17 2019 15:48:45 owi
Did not figure out yet how to get the "firmware" version
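The post above describes getting a root shell on the exposed debug port and exporting the root filesystem over the network so the device itself stays untampered. The following is an added example of that workflow, not code from the thread or from the author; the host address 192.0.2.10, port 9000, and the presence of busybox tar and nc on the device are assumptions. The offline demonstration at the bottom builds a constructed fake rootfs so the script runs without a device.

```sh
#!/bin/sh
# Added example: snapshot a running device's rootfs from a root shell on
# the serial/debug console by streaming a tar over the LAN. Nothing is
# written to the device's flash, so the running system stays untampered.
# Assumptions (not stated in the thread): busybox tar and nc exist on the
# device; the analyst's host is 192.0.2.10 listening on TCP 9000.

# --- Device side: type this at the root prompt on the debug console ---
# /proc, /sys and /dev are kernel-backed pseudo filesystems; they must be
# skipped or the stream never ends (and /dev would pull in device nodes).
device_export() {
    root="$1"; host="$2"; port="$3"
    tar -C "$root" \
        --exclude=./proc --exclude=./sys --exclude=./dev \
        -cf - . | nc "$host" "$port"
}
# Analyst side (netcat flags vary by variant; this is the GNU/busybox form):
#   nc -l -p 9000 > rootfs.tar && sha256sum rootfs.tar
# Compare the hash with "sha256sum" of the same stream on the device if it
# has the tool; a mismatch means the transfer was cut short.

# --- Offline demonstration with a constructed fake rootfs ---
# Same tar invocation as device_export, but written to a file instead of nc.
pack_rootfs() {
    tar -C "$1" --exclude=./proc --exclude=./sys --exclude=./dev -cf "$2" .
}

# Builds a tiny fake rootfs (constructed data), packs it, unpacks it into a
# second directory and checks that real files survived while the pseudo
# filesystem did not. Prints "ok" on success, "fail" otherwise.
demo() {
    work=$(mktemp -d)
    src="$work/src"; dst="$work/dst"
    mkdir -p "$src/etc" "$src/bin" "$src/proc" "$dst"
    printf 'root:x:0:0:root:/:/bin/sh\n' > "$src/etc/passwd"
    printf '#!/bin/sh\necho busybox\n' > "$src/bin/busybox"
    printf 'fake kernel version line\n' > "$src/proc/version"
    pack_rootfs "$src" "$work/rootfs.tar"
    tar -C "$dst" -xf "$work/rootfs.tar"
    if [ -f "$dst/etc/passwd" ] && [ -f "$dst/bin/busybox" ] \
        && [ ! -e "$dst/proc" ]; then
        result=ok
    else
        result=fail
    fi
    rm -rf "$work"
    echo "$result"
}

# Usage (device): device_export / 192.0.2.10 9000
# Usage (offline check): demo
```

On a real terminal you would run `device_export / 192.0.2.10 9000` from the console shell while the listener is already waiting; the excludes matter because a live copy that descends into /proc or /sys reads endless kernel-generated content rather than flash.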
@Xilokar Cool, just let me know.
Ah of course, that's the smart way, nice! Weird that there are still vulnerable devices floating around more than half a year after disclosure...
@stgl
I was also surprised! (although, stuff on eBay is somewhat outdated...)
But maybe they are confident that it is not a major issue...
Let's try to prove them wrong