2022-07-25, 23:00–23:50, Abacus 🧮
What is inside a Verifone VX820 payment terminal and how can we run our own code (i.e. Doom) on it?
This is a story of a software guy messing around with an interesting embedded device. It includes some reverse engineering, interesting security practices, proprietary executable formats, and a game of bootloader hopscotch.
Starting with an overview of the Verifone VX820 payment terminal's hardware and software, we will follow my curious exploration with the final goal of arbitrary code execution. We will see how such seemingly single-purpose devices actually allow for general purpose computing under the hood, and even contain all the peripherals needed for a fun (retro-)gaming experience.
I will show the struggles and practicalities of turning a (previously found and published) bootloader vulnerability into a practical exploit. This includes some reverse-engineering of bootloaders, kernel code, communication protocols and file headers.
Following this I will cover the "engineering" part: how to construct a minimum viable "toolchain" to be able to port a codebase like Doom.
There will be demos of the exploit and some programs that have been ported :)
Thomas Rinsma is a Security Analyst at Codean, focusing on continuous software security. Before, he was a Senior Security Analyst at Riscure, where he was primarily focused on mobile payment applications, but was also involved in security evaluations of TEEs/TAs, back-end systems, and embedded devices like smart energy meters, consumer routers, elevator controllers and set-top-boxes.