teardown: Verifone vx570 card terminal

The following is a disassembly of a working Verifone Vx570 I scored off ebay for $20. The switch that sits behind the spring-loaded LCD display had already been tripped before I received it, meaning that it had switched into recovery mode.

The device has a large number of components, with roughly 28 IC’s and a number of physical ports as well:

  • USB
  • RS232
  • Ethernet
  • Modem
  • Pin Pad

The following IC’s can easily be identified:

dsc_0294dsc_0295dsc_0297dsc_0296dsc_0299dsc_0298dsc_0309dsc_0300dsc_0308dsc_0306dsc_0305dsc_0310dsc_0311dsc_0313dsc_0316dsc_0314dsc_0307dsc_0312dsc_0315photo-on-30-10-2016-at-7-04-pmphoto-on-30-10-2016-at-7-05-pmphoto-on-30-10-2016-at-7-08-pmphoto-on-30-10-2016-at-7-08-pm-2photo-on-30-10-2016-at-7-08-pm-4photo-on-30-10-2016-at-7-09-pm-2photo-on-30-10-2016-at-7-09-pmphoto-on-30-10-2016-at-7-10-pmphoto-on-30-10-2016-at-7-10-pm-2photo-on-30-10-2016-at-7-10-pm-3photo-on-30-10-2016-at-7-11-pm-4photo-on-30-10-2016-at-7-11-pm-5photo-on-30-10-2016-at-7-12-pmphoto-on-30-10-2016-at-7-12-pm-2photo-on-30-10-2016-at-7-13-pm-2photo-on-30-10-2016-at-7-03-pm-3photo-on-30-10-2016-at-7-13-pmphoto-on-30-10-2016-at-7-11-pm-3photo-on-30-10-2016-at-7-11-pm-2photo-on-30-10-2016-at-7-11-pmphoto-on-30-10-2016-at-7-08-pm-3photo-on-30-10-2016-at-7-07-pmphoto-on-30-10-2016-at-7-06-pmphoto-on-30-10-2016-at-7-05-pm-2photo-on-30-10-2016-at-7-03-pmphoto-on-30-10-2016-at-7-02-pm

teardown: Garmin Nuvi 2559LM

I’ve had a spare Garmin GPS unit kicking about that I had no particular use for, so decided to pull it apart and look at how it might be hackable. These are largely notes for my own future reference.

The core components are:

  • A 3.7v 930mAh rechargeable Li-ion battery (part # 361-00035-01)
  • A DFD050V1-PFLW 5″ LCD touch screen. These seem to be fairly common, available on ebay and other places.
  • A square ceramic device labeled g393 – presumably a gps antenna
  • A USB Mini socket
  • A speaker
  • A microphone
  • SNI2065850 BZCE 3BAQNYW – unidentified square BGA chip; I’d hazard a guess this is the main SoC, via process of elimination.
  • A winbond w971gg6jb25 1Gbit DDR2 SD RAM chip (datasheet)
  • An unidentified chip labeled SNA9033 A2 TI 3CI AHZJ G4
  • A TI AIC3120 Audio chip (datasheet)
  • A samsung klm8g1we4a-a001 8GB NAND flash memory
  • An unidentified NL5500L chip
  • A MicroSD slot

Select source code for this device has been released by Garmin as part of GPL obligations, and no real surprises it includes the linux kernel:

Having a look through the kernel patches, TCC9201 shows up. A quick google suggests this may be a Telechip ARMv11 processor that has indeed shown up in other garmin products. This is likely the unidentifiable BGA IC.

Circuit board notes:

  • There are quite a few test points, although none stand out as obvious UART or JTAG.
  • There is an PCB antenna, most likely for bluetooth.
  • There are a few unpopulated pads, in row formation as well as quad and DIP.

Attack surface:

  • Desoldering the BGA flash chip doesn’t appeal as it’d destroy the device.
  • I plan to look at each of the test points with a scope to see if we get lucky with any serial or other interfaces. Perhaps a JTAGulator against groups of TP’s as well.
  • Garmin have Windows & OSX applications for updating the firmwares and map information on these devices, which may be an interesting way to communicate or write a different flash image to the unit.
  • It may be worth interfacing via Bluetooth, although I’m not sure whether it is used for anything more than just as a handsfree audio device to a mobile.

Photos:

p9250022p9250021p9250023p9250024