Tuesday, April 20, 2010

Paypal payload

There have been several advancements including work on finishing the automation of the biological microscope and automation of the inverted metallurgical microscope, but school has kept me busy and I haven't had time to finish those. In the meantime, here is a small deviation on taking apart a security key to get to the IC. In such situations, there is a double decap. We not only have to decap the IC package, but it's a bit of an effort to even get to it.
At DEF CON 17, there was a side event of sorts called BSides/Neighborcon (thanks Travis!). This actually had my favorite talk of the entire trip by HD Moore on WarVOX. In any case, PayPal handed out stacks of the PayPal (or someone anyway, I think it was them) Security Key.

From some articles such as this, it is based off of RSA’s SecurID. I'm not a crypto guy, but I figure if I take some images of this and work out some of the logic, someone else more experienced in the field who can't do this type of hardware analysis might be able to build off of this work. I won't be imaging the chip until I can get some more experience since future cards will cost me $5 a pop. Plus, I haven't made any agreements at this point not to tear it to shreds. I originally had a lot, but I gave them away to a number of people who thought they were cool.
One cool feature of these things is its display. Basically, it will retain the image on it even with power gone. It is the same (class?) of technology used in the more famous Amazon Kindle.
From what I hear, GM week at RPI used to be about getting wasted and they used to bring large amounts of beer for students to drink. But they don't do that anymore. I don't drink, but it would have been hilarious to watch. On the surface, it's about elections...w/e. I still have my mug from last year which is better and I needed some glassware to dissolve the card in. To top it off, it had a Vegas theme, which seemed appropriate to make the card go full circle.
In any case, let's get started with the teardown. After a few minutes in acetone, the outer cover is starting to shed:
A side view showing the ridges a bit better:
I then peeled this off to speed things up and soaked it a bit more:
The other half is starting to break apart a bit:
A little dissolving later, I can peel off the outside plastic to reveal the circuit board:
Closeup of the label section:
There are very small surface mount components on the board. The label says "InCardIC006AV11". There's also a number 2, whatever that is for. My guess is that five dot gold pattern is for programming and/or testing. That black dot should be the IC, which is what I'm primarily after. Unfortunately, it has no external labeling of any kind. Finally, the last component is what appears to be a lithium polymer battery based on its shape. Voltage reading:
Amazingly, the card still works! (the battery was removed later, still had battery here)

The acetone was getting a bit dirty. Time to clean it up a little:
After soaking for the last time, I wasn't able to get much else to come off even after soaking for a while. I had been hoping the board was going to dissolve at least slightly and release the IC package. Final front board image:
The battery came off with minimal force. Final back image:
The black IC package was then forcibly removed and stored into a vial for later analysis. As I get better suited to dissolve the resin, I'll dissolve it and take at least a top metal layer picture. In the meantime, I'll keep practicing on expendable chips so scarcer chips like this can be properly analyzed.
To top things off, what kind of person would I be if I let flammables go to waste?

