The other question of what is the Square K400Q device

Square Terminal Teardown.
I recently tore down a Square Terminal (the one with the LCD screen) and wanted to share some of the results.
I haven’t photographed everything, as I was mostly interested in how the secure areas of it are done.
You can see an overview in the following video if you want to see how the whole thing fits together.
[Video: Teardown of Square Terminal]
You can pull the main boards out to boot the thing on your bench (WARNING: as you see in the video above, this will trip the tamper circuits and permanently prevent the device from being registered or used):
[Photo: Benching the boards – tamper shield removed from secure device (more on that later).]
To start with the boring, here is the Android board.
It uses an APQ8039 (Snapdragon 615) as the main processor, with a KMQE60013M-B318 which integrates NAND (eMMC) and LPDDR in one package.
Alright, cool enough.
Well, let’s get into the main stuff.
There is a “security board”, which I talk about in the following video:
This board features: an MK21FX512 main microcontroller, a TDA9034 smartcard interface, a “Square K400Q”, a Cirque ICA037 touch controller, an STM32F0, a TS3A44159RGTR (analog mux), and a Lattice ICE5LP2K FPGA.
Here’s a photo of the board with the tamper screen removed:
The tamper shield covers all of those test pads.
Here’s a photo of the tamper screen:
Very conveniently (for us), Square has filed a number of patents related to the tamper

In particular, here and here feature this exact cover:
I had measured out the connections, but the patent itself detailed them:
The patent also explains the land patterns on the PCB.
The extra rings around it are for guard rings – if someone were to squirt some conductive glue into the enclosure, they would also trip the guard ring.
Cool.
The other question is: what is the Square K400Q device, which has a 13.56 MHz crystal hanging off it?

Well, it turns out Square acquired a company called Kili Technology, and Kili Technology had a product called the K400Q, which is also in a QFN-56 package.
You can find the product page here (thanks to archive.org).
No full datasheet, but it does have a short product brief:
What else is in it?
Unclear exactly, but I would bet it’s using an enSilica RISC processor based on this press release.
Unfortunately there aren’t public tools for it, although Lauterbach supports it in some form.
Finally – where is that security mesh handled?
In my video I trace out some of it – the backup battery seems to run across the mesh on one side.

The other side seems to route to the STM32F0 processor, so it might be that the STM32F0 is performing some of the security mesh checking, which then triggers the Secure Destroy Interface (SDI) on the Square K400Q microcontroller.
The STM32F0 has some epoxy blocking a few pins (very suspicious), as does the analog mux.

The analog mux has some interesting-looking signals on it that make me suspect it is also part of the security mesh.
As a small side-note: all those test pads are right at the edge of the mesh.
I haven’t tested yet, but I’m curious if you can dig down ‘under’ the shield without tripping anything.
Or a very very fine shim may fit between the PCB & shield perhaps.
Lots of stuff to test.
But that’s all for now.
Project has been shelved for a bit, but hopefully you enjoy this look into the Square teardown.

MINOR UPDATE: I removed the epoxy around the STM32F0 – it looks like it might be near the mesh, but the mesh isn’t actually routing to the STM32F0 inputs (not 100% clear yet).
The mesh seems to power the backup power for the MK21 instead, so it’s clear more effort is needed.
Next step will be to remove the BGA on the MK21 so I can probe where the mesh is going exactly.
April 6, 2020
security mesh, square, tamper
Teardowns

4 thoughts on “Square Terminal Teardown”

Mustafa says: April 7, 2020 at 8:01 pm
Very interesting teardown and analysis.
Great work Colin.
My two cents to add: The chip scale packaging device at minute 34:20 in the second video is probably a part of the magstripe reader subsystem.
The original headphone jack Square had a very similar device (with part #7AH1625) along with the bank of capacitors next to it; that was a much simpler device, I am glad to see they added all those security features since then.

Colin O’Flynn says: April 8, 2020 at 1:42 am
Thanks for the hint – re the shiny CSP device.
Really odd to see in there, never looked at original reader.
Makes more sense if they had already developed it that it gets re-used.

Hawatha says: August 24, 2020 at 4:14 pm
I can state for certain the MK21 is handling the tamper mesh, as that is one of its stated roles.
Interesting that Square have patents around some of these features, as they are far from new.
Always interesting to see people taking apart these devices and placing details online, as that’s not a common thing, especially for the newer ones.

Colin O’Flynn says: August 24, 2020 at 4:49 pm
Thanks for the comments.
I think most people looking at them are doing so either under NDA or for commercial reasons so they don’t want to or can’t publish details… luckily I’m not foolish enough to try and make money or anything so can publish it all.