Square Terminal Teardown.
Square Terminal Teardown.
Part-way through the Square Terminal Teardown I recently tore down a square terminal ( the one with the LCD screen) and wanted to share some of these results.
I haven’t photographed everything as was mostly interested in how the secure areas of it are down.
You can see an overview in the following video if you want to see how the whole thing fits together.
Teardown of Square Terminal Video You can pull the main boards out to boot the thing on your bench (WARNING: as you see in the video above, this will trip the tamper circuits and destroy the device from being able to register/use): Benching the boards – tamper shield removed from secure device (more on that later).
To start with the boring, here is the android board.
It uses an APQ8039 (SnapDragon 615) as the main processor, with a KMQE60013M-B318 which integrates NAND (Emmc) and LPDDR in one package.
Alright, cool enough.
While let’s get into the main stuff.
There is a “security board” which I talk about in the following video: This board features: MK21FX512 main microcontroller , a TDA9034 smartcard interface, a “Square K400Q”, a Cirque ICA037 touch controller, STM32F0, TS3A44159RGTR (analog mux), Lattice ICE5LP2K FPGA.
Here’s a photo of the board with the taper screen removed: The tamper shield covers all of those test pads.
Here’s a photo of the tamper screen: Very conveniently (for us), .
Hvordan deaktiveres Flash cookies5
Monday September 07, 2020
Cookiepolitik. Introduktion. Vi ønsker at være gennemsigtige over for vores brugere om, hvordan vi indsamler og bruger deres data. For at finde ud af mere om dette og om os, som datastyrer, . Kan du læse vore Privatlivspolitik Denne Cookiepolitik har til formål at gøre …
Square has filed a number of patents related to the tamper
In particular, here and here feature this exact cover: I had measured out the connection s, but the patent itself detailed them: They patent also explains the land patterns on the PCB.
The extra rings around it are for guard rings – if someone were to squirt some conductive glue into the enclosure, they would also trip the guard ring.
The other question of what is the Square K400Q device, which has a 13.56 MHz crystal hanging off it.
Get Introduced To Top 10 Apps That Are Built Using Ionic
Tuesday September 08, 2020
Category Archives: Java. This is the #Codango post category for #java. Any post that has anything to do with #java, is labeled with this category. Get Introduced To Top 10 Apps That Are Built Using Ionic. September 29, 2018 Leave a reply Ionic: With the …
The post Get Introduced To Top 10 Apps That Are Built Using Ionic appeared first on betfair.
While it turns out Square acquired a company called Kili Technology
And Kili Technology had a product called the K400Q, which is also in QFN-56 package.
You can find the product page here (thanks to archive.org).
No full datasheet, but it does have a short product brief : What else is in it.
Unclear exactly, but I would bet it’s using an enSilica RISC processor based on this press release .
Unfortunately there aren’t public tools for it, although Lauterbach supports it in some form.
Finally – where is that security mesh handled.
In my video I trace out some of it – the backup battery seems to run across the mesh on one side.
Menu Tag: SAP
Monday September 07, 2020
Menu Tag: SAP. Important SAP tables. March 16, 2012April 22. 2014 Leave a comment if you are struggling with pulling data from SAP this list of essential SAP tables could be helpful DD02L SAP Tables DD03L Table Fields DD04L Data elements TADIR Directory of Repository …
The otherside seems to route to the STM32F0 processor
So it might be that the STM32F0 is performing some of the security mesh checking
which then triggers the Secure Destroy Interface (SDI) on the Square K400Q microcontroller.
The STM32F0 has some epoxy blocking a few pins (very suspicious) as does the analog mux
The analog mux has some interesting-looking signals on it that make me suspect it is also part of the security mesh.
As a small side-note: all those test pads are right at the edge of the mesh.
I haven’t tested yet, but I’m curious if you can dig down ‘under’ the shield without tripping anything.
Or a very very fine shim may fit between the PCB & shield perhaps.
Lots of stuff to test.
But that’s all for now.
Project has been shelved for a bit, .
But hopefully you enjoy this look into the Square teardown
MINOR UPDATE: I removed the epoxy around the STM32F0 – it looks like it might be near the mesh, .
But the mesh isn’t actually routing to the STM32F0 inputs (not 100% clear yet)
The mesh seems to power the backup power for the MK21 instead, so it’s clear more effort is needed.
Next step will be to remove the BGA on the MK21 so can probe where the mesh is going exactly.
April 6, 2020April 6, 2020 security mesh, square, tamper, .
Teardowns 4 thoughts on “Square Terminal Teardown”
Mustafa says: April 7, 2020 at 8:01 pm Very interesting teardown and analysis.
Great work Colin.
My two cents to add: The chip scale packaging device at minute 34:20 in the second video is probably a part of the magstripe reader subsystem.
The original headphone jack square had a very similar device (with part #7AH1625) along with the bank of capacitors next to it; that was a much simpler device, I am glad to see they added all those security features since then.
Reply Colin O’Flynn says: April 8
2020 at 1:42 am Thanks for the hint – re the shiny CSP device.
Really odd to see in there, never looked at original reader.
Makes more sense if they had already developed it that it gets re-used.
Hawatha says: August 24, 2020 at 4:14 pm I can state for certain the MK21 is handling the tamper mesh, as that is one of its stated roles.
Interesting that Square have patents around some of these features
as they are far from new.
always interesting to see people taking apart these devices and placing details online, as that’s not a common thing, especially for the newer ones.
Reply Colin O’Flynn says: August 24
2020 at 4:49 pm Thanks for the comments.
I think most people looking at them are doing so either under NDA or for commercial reasons so they don’t want to or can’t publish details… luckily I’m not foolish enough to try and make money or anything so can publish it all ???? Reply.
Leave a Reply Cancel reply.
Your email address will not be published.
Required fields are marked * Comment Name * Email * Website Save my name, email, and website in this browser for the next time I comment.
Previous Previous post: Amazon Echo Dot Gen 3 – Microphone Disable Circuitry Next Next post: FPGA Board Design Tips.