Bypassing Android MDM Using a $1.50 Electric Gas Lighter (payatu.com)
267 points by paulgerhardt, 2020-09-25 15:23:19+00:00 | 81 comments




Using an electrical shock to bypass a subsystem in Android makes me think of Data in Star Trek glitching out when he got stuck in an EPS conduit once.

Phrasing it like that makes him sound like a cat, which is a fantastic mental image for the entirety of TNG.

Makes me wish there was a Data / spot consciousness swap episode.

This was a pretty common trick to glitch slot machines, they are hardened quite a bit against this sort of trickery. A mobile phone is much more delicate in general construction and doesn't have access to a handy ground wire.

Slot machines are on someone else's premises and (disclaimer: I've never been to a casino myself) are most likely under surveillance, so they'll probably void your winnings and ban you if you start doing something sketchy.

Devices that implement any restrictions against the end user like DRM or MDM, on the other hand, are in the possession of said user. I heard a saying that getting root privileges on a device you physically possess is only a matter of time and effort.

In other words, you can totally take your phone apart as much as your tools and skills allow, but you'll get arrested if you try taking a slot machine apart.


Sure, the owners would not be happy. But slot machines are installed all over the world and not just in casinos.

The idea was not to take the machine apart but to try to glitch it by hitting metal parts that were not properly grounded. This would then allow the voltage spike to make it into the circuitry, either leading to breakage, no effect, or fault injection. The latter could sometimes be converted into a win on a subsequent spin.

This is 80's stuff, I'm pretty sure today's slot machines are tamper-proof to the point that trying this is totally pointless, and even back then hardening against this was common.


> This is 80's stuff, I'm pretty sure today's slot machines are tamper-proof to the point that trying this is totally pointless, and even back then hardening against this was common.

They are. Source: I own a modern-ish computer based slot machine and tried my fair share of tricks against it.


The very first technical standards for slot machines in Nevada are ESD testing to confirm it’s safe for the player and that the integrity of the device is unimpacted by 27kV discharge to any point on the exterior of the machine while it’s being played (and the test labs really go to town finding gaps in panels and really trying to make something bad happen).

Given the absence of mechanical reels and the fact that the components likely to be susceptible to glitching aren’t remotely close to the outside of the machine this isn’t a viable attack method for machines in operation.

Source: NV Tech Standard 1 [1]; I have also zapped modern slot machines with an ESD gun.

[1]: https://gaming.nv.gov/modules/showdocument.aspx?documentid=2...


I happened to be in AP Stats back in HS with the son of the owner of the business who certified all electronic casino games for the state of NJ. We took a field trip to the business and his dad gave us all a tour and explained all of the testing they do for this sort of stuff, the code reviews, making sure the machine's odds were actually what they said they were etc. I don't remember many details at this point (it was 12 years ago, which is insane), but I do distinctly remember the scale and just the amount of stuff they did. It's very serious business, because it was in both the casino owners and NJ's interest to make sure the machines were in fact not hackable as much as possible.

Totally 80s.

I remember swiping the piezo lighters out of the gas heaters at highschool, and using them to glitch free games in Asteroids and PacMan machines...


It was a similar story with gas pumps, which truck drivers used to glitch to get most of their fill-up for free.

Attacking a gas pump with a high voltage lighter sounds like a good way to win a Darwin Award.

Which is why that vulnerability was never tested/allowed to be tested by the creator of the device. Exploits always thrive on the fringes of what is unacceptable to corporate safety policy.

Not quite as bad at a diesel pump.

This looks like what we used to do with electric lighters to turn them into weak tasers and zap each other at school.

Disposable cameras had a little more oomph though.


My first lesson in "capacitors store electricity" when I was a kid was when I took the battery out of a disposable camera... and then managed to shock myself with the flash discharge anyways.

I did it by sticking a screwdriver where I shouldn't have and touching the flyback cap on an old (CRT) TV that had only recently been unplugged. Luckily I wasn't well grounded, and the part of the screwdriver that shunted the current turned to slag.

Did you get shocked at all? I'm trying to understand what the return path for the current would be in this situation.

Through the screwdriver shank, as it's placed across the capacitor terminals. This creates a dead short through which the differing potentials on the capacitor plates can equalize - and if the capacitor is large enough, they do so quite enthusiastically.

I ruined a screwdriver of my own that way once, discharging a photoflash cap in a flash head whose control circuit had died with the cap at full charge. Didn't do my hearing any good, either, I'm sure - it took fully half an hour for the ringing to go away.


TV repair shops use a special tool to discharge those caps, basically a high voltage rated resistor pack.

Largely a disappeared skill.

I believe that if you are really lucky, when you discharge with a screwdriver the cap can explode, not just melt the screwdriver. Same with batteries, like auto batteries; extra points there with boiling acid and hunks of thick plastic flying around.


Pretty sure a car battery (at least the old-school 12V lead-acid type) won't explode from a short. I welded a spanner onto the terminals of one once by clumsily dropping it and having it land across the terminals.

Now I have to go look on youtube, to see if anyone's filmed themselves dropping a spanner across a Tesla's battery...


Growing up, my dad had a shirt with acid holes. My mother said he blew up a battery while working on it. My dad was a DIY guy, but didn't regularly work around anything caustic. This would have been the early 1980s.

I have seen car batteries explode, always due to bad charging rather than shorting though. (Over charging generates hydrogen and oxygen inside the battery in precisely the correct stoichiometric ratio to go "BOOM!")

(I also had a friend wake up to about $500 worth of dead tropical fish, the morning after plugging a charger and car battery in on the shelf under his tank. Not entirely sure what the mechanism was, but the pH in the tank dropped enough to kill all the fish. )


I used to work at radio shack. The rug behind the counter was very efficient at providing static electricity and whenever we touched the barcode scanning wand - zap. So I got a package of 2kv high voltage capacitors and held one lead while touching the other lead to the wand while rubbing my shoes on the carpet, thereby charging the capacitor. I left the charged capacitor on the POS terminal keyboard for the asshole I worked with to discover. Of course he fell right into my trap and picked up the capacitor. It was pretty funny to me, but not to him. This jerk would often steal my sales and talk down to me, he had it coming.

Did the same at a school trip, after taking off the film I thought I could tear the camera apart, thus exposing the cap connection. Left hand fingers would lean peeerfectly on these metallic parts when playing with the flash.

It became a game between kids. The shock was more intense than harmful, although I saw two white dots on my nail that I assumed was due to the shock.

Today I rip microwave ovens, but I carry gloves and remove caps before anything else.


I shocked myself a few times with these too, in the process of disassembling the cameras. I needed components (capacitors and the flash circuit) for the ignition system for the rocket engines we were building with a friend, so I went to a local photo store and asked nicely for used cameras with flash. They gave me a bag with some 20 of them.

(The shocks I got were through carelessness; I used a kitchen knife to discharge the caps after ripping off the plastic shell of the camera, but sometimes I touched the wrong thing while disassembling. Roughly half the cameras I got had the caps charged to the point they'd spark brightly on discharge, and one of them damaged the knife.)

Context for those too young to remember: back before digital cameras were available and affordable, you could buy disposable cameras in kiosks and stores cheaply. These would come pre-loaded with a single roll of film, and after you used it up (~30 photos), you'd take the whole camera to a photo store. The photo store people would rip the roll out of the camera, develop your photos, and throw the camera away. Some models came with flash, so if you could get the used ones from the store (or their trash), you got a free source of high-voltage capacitors.


We used a 5kV (DC) power supply for an A-Level physics experiment, and we quickly discovered that it could give you a pretty unpleasant zap (peak current was ~3mA IIRC, so not particularly dangerous; one of our teachers initially insisted on us wearing latex gloves, until we demonstrated it arcing holes in them, so it just gave you a false sense of safety). We also destroyed a fair number of multimeters that were allegedly rated for the voltage[1]; they started displaying obviously erroneous values.

I also discovered that accidentally holding a charged plate (thinking the supply was turned off) for a while could let you pick up tin foil just by holding your hand above it, which was pretty neat.

[1] IIRC we used a voltage divider to keep the maximum voltage around 500V, and the meters were rated for 1000VDC.


What is the point of those color gradients in the photos? [1] Are they supposed to conceal the chip? If so, that didn't work very well. [2] Just make it completely black, people have failed often enough to properly redact information because they tried to do something fancy, something more visually pleasing. At least unless they did this intentionally, either because they wanted it to be visible but also wanted some deniability as an accident, or to mislead by embedding false information.

[1] https://payatu.com/static/images/remoteblogs/arun/emfi_blog/...

[2] http://www.unisoc.com/sc9863a
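The redaction failure described in the comment above has a precise explanation: a translucent "sticker" is a source-over alpha blend, and that blend is a linear function of the original pixel, so anyone who knows (or guesses) the sticker colour and opacity can subtract it back out. The following is an added example, not code from the thread or from the payatu article; the "image" is a constructed list of grayscale rows standing in for the chip marking, and the region and values are made up. It shows the blend, its inverse, and a cheap check a practitioner can run on the published file: a real redaction box contains exactly one pixel value.

```python
"""Why a translucent overlay is not a redaction: source-over blending is invertible.

Constructed example. The image is a list of rows of 8-bit grayscale values.
"""
from fractions import Fraction


def composite(orig, overlay, alpha):
    """Source-over blend of one channel: out = a*overlay + (1-a)*orig (8-bit rounding)."""
    a = Fraction(alpha)
    return int(round(a * overlay + (1 - a) * orig))


def recover(composited, overlay, alpha):
    """Undo the blend. Exact up to rounding while alpha < 1; impossible at alpha == 1,
    because the (1-a)*orig term has vanished."""
    a = Fraction(alpha)
    if a >= 1:
        raise ValueError("opaque overlay: nothing of the original survives")
    return int(round((composited - a * overlay) / (1 - a)))


def _in_region(r, c, region):
    r0, c0, r1, c1 = region
    return r0 <= r < r1 and c0 <= c < c1


def redact(img, region, overlay=0, alpha=1):
    """Return a copy of img with region=(r0, c0, r1, c1) covered by a solid `overlay`
    value at opacity `alpha`. alpha=1 is a real redaction; alpha<1 is a sticker."""
    return [[composite(px, overlay, alpha) if _in_region(r, c, region) else px
             for c, px in enumerate(row)] for r, row in enumerate(img)]


def recover_region(img, region, overlay, alpha):
    """What an attacker does to a stickered image: invert the blend inside the box."""
    return [[recover(px, overlay, alpha) if _in_region(r, c, region) else px
             for c, px in enumerate(row)] for r, row in enumerate(img)]


def region_leaks(img, region):
    """Check to run on the file you actually published: a flattened, opaque box is one
    constant value. More than one distinct value means the original still modulates
    the pixels, whatever the box looks like to the eye."""
    r0, c0, r1, c1 = region
    values = {img[r][c] for r in range(r0, r1) for c in range(c0, c1)}
    return len(values) > 1


# Constructed stand-in for a photo of a chip marking (not real image data).
CHIP = [
    [10, 20, 30, 40],
    [50, 60, 70, 80],
    [90, 100, 110, 120],
]
MARKING = (0, 1, 2, 3)  # rows 0-1, columns 1-2: the part number we want hidden


if __name__ == "__main__":
    sticker = redact(CHIP, MARKING, overlay=0, alpha=Fraction(1, 2))
    print("sticker leaks:", region_leaks(sticker, MARKING))
    print("recovered:", recover_region(sticker, MARKING, 0, Fraction(1, 2)) == CHIP)
    black = redact(CHIP, MARKING)  # alpha=1
    print("black box leaks:", region_leaks(black, MARKING))
```

The alpha=1/2 case inverts exactly; other opacities recover each pixel to within a rounding error of at most 1/(2(1-a)) levels, which leaves a printed part number perfectly legible. Note also that the check has to be run on the file that is actually served, since replacing the image in the post does not remove the old file from the server, which is exactly the follow-up problem raised later in this thread.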


Ouch. That was not an intended one. Those colourful overlays are just Android stickers. I didn't expect them to be translucent. :( I fixed it. I would kindly request you to modify/remove the link part, please. :(

>I would kindly request you to modify / remove the link part please . :(

But... why?


This might give out information about the device we used. That should be a secret.

I'm sorry, but this is your fault. You improperly tried to conceal a picture by being cute instead of effective while trying to earn bragging points with a very public announcement about your hack. You brought the eye of Sauron upon yourself. It'll be a painful lesson to learn, but I'm guessing you won't make this mistake again. Some of us have been there before. Welcome to the club. We've got jackets.

This comment is unnecessarily cruel, completely unwarranted, and surely breaks HN guidelines.

I for one am very glad the OP shared this interesting article.



If MDM is deployed by companies, the device may come from the author's employer, friend's employer, government? Memory ref + CPU ref makes it somewhat identifiable.

If you think the numbers on the chip contain some personally identifiable information: fear not, they are generally just part numbers and sometimes date codes.

If that's not the reason for trying to redact them, what is the reason? I can't think of anything else reasonable.

EDIT: I now realise that this was a very condescending comment to write to someone who, based on the submitted blog post, is considerably better at electronics than I am. Sorry about that!


That's now unfortunately too late, I can no longer edit or delete the comment, maybe one of the mods can censor it. And by the way, you added a new photo to the article but the original file is still there, following the link in my comment still yields the photo with the visible part number. There might very well be people out there that notice that the article has 1.png, 2.png, 3.png, 44.png, an image with something hidden, and then 5.jpg [1] and then start to wonder what 4.png or 4.jpg might look like.

[1] Yes, there are also 5.png, 6.png, and 8.png in between out of order, it is not a perfect pattern, but it is still close enough that one might notice the missing 4.png.


The blog poster can edit the image on their own site, right?

But they can not get the link to the chip out of my comment.

No worries mate. Sorted! Doesn't matter as of now.

It's also on the Internet Archive.

IMHO, we want to encourage people to write and share these blog posts. It's now fixed and it would be polite to remove the links.

Next step in cheap but effective is building a small waveguide for your arc lighter -- probably easier to target what you want vs the point source you have now.

Can basically be a few pieces of carefully sized tinfoil, or some copper wire with copper clad soldered around it.

Also, the term "Jugaad" for Indian macgyverism is excellent!


Hey Guys! I am the OP for this blog. Please direct your queries to me.

Huh?? If you're me, who am I???

Will the real OP please stand up?

I don't see any point in others making a profile for me. Not worth it mate!

He is not you, I am you.

If you're you, then I'm me.

I would like to report this if this is not genuine

The author claimed to use a “cheap electric Arc Gas lighter”, which I had never heard of. I think they actually just mean an electric arc lighter because I wasn’t able to find such a thing (which would presumably mean a butane lighter with an electric arc igniter rather than piezo).

Ah, my bad!! I get the confusion. It is an arc lighter for gas stoves. :/

I wondered about this too, since I have never seen one of these. Perhaps the author is in a country where manual-light gas stoves are more common? In the US I have never encountered such a stove, and searching target.com (a good proxy for common household items) brings up no lighters of this style.

I have one because the electric lighter in my stove was broken.

A bit OT but this just reminded me of something I haven't thought about for many many years. Just wanted to share.

I bypassed the payment procedure in a coke vending machine with a lighter.

Germany, around 2004 we had a coke vending machine at school, probably from the mid 90s. Someone told me you get free coke if you flick a (non-piezo) lighter in front of the display at the right time. I didn't believe it one bit, but when I tried it, it actually worked. It quickly spread around our school until months later the service guy fixed it.

Many years later I realized what had happened. The flick of the lighter emitted a strong IR impulse that triggered an infrared receiver (which was probably used for debugging, configuring etc.).

This must have caused an interrupt, and if triggered at the same time the machine vended the bottle, it completed vending but never got back to actually decrementing the money you put into it. You could empty out the whole machine with nothing else but 1 Euro and a lighter and you even got your money back.

Lots of cokes were had.


When my sister lost the "sensor bar" on her Wii I showed her how to use a pair of candles to replace it. The sensor bar is just a set of IR lights that the camera on the Wiimote detects.

I'd imagine a pair of candles would cause the cursor to jump around a lot because of the flickering - how did you solve that problem?

With a clean, dry wick it's pretty easy to get a very still flame for a long, long period of time. Though if you have a fan or something blowing, you're out of luck.

I imagine a vigorous game of Wii Tennis will cause those candles to flicker.

And will provide a convenient excuse why I was unable to return that serve.


Unfortunately your excuse is no good, because Tennis does not use the Sensor Bar.

Well then that's my excuse! I thought it did, so I was making sure to point the controller in the proper direction, while my opponent was cheating and flicking it any which way.

Look, it wasn't my fault, ok?


Use a candleholder that includes a glass sheath. The solution has been known for a long, long time, because a major cause of flickering unprotected candles -- or even extinguishing them -- is that you walk around while holding them.

Miniature light bulbs work to the same effect. Anything that emits near-IR works.

Yeah it's funny that it is called a sensor bar when it has no sensors.

For my undergrad, we had a cross-major project to build a robot that shot pingpong balls at various targets that were tagged with IR lights. We used 2 wiimotes to calculate the 3D space.


Valve lighthouse "trackers" work in a similar, albeit slightly more complicated, way.

Yes! I am now imagining a vive tracker built out of two candles spinning at 300hz

What could go wrong!?


Yeah, I did that one time as well! I had forgotten the sensor bar at someone's place after taking the Wii there.. got back home and remembered it's just IR LEDs or whatever, figured two candles should emit the ~same light and, lo and behold, it worked quite well! IIRC it was a bit jittery due to the candle flames wavering about, but hey, better than nothing :)

I have a similar experience. 20 years ago a friend told me a trick which only worked on vending machines from a particular brand. It only worked on the drinks with the lowest price. You had to put the exact money in the machine for a certain drink, add one cent and press the button for that drink right when you heard the "click" of the money. You got the drink and your credit was increased by one cent. After you were done you could just get the money back. It required some practice, but when your timing was good you could empty a complete machine. Since most of the vending machines had Red Bull and Jupiler, which had the highest price, we had a lot of free cola/sprite/.... I wonder if it still works.

One of the very first things I did in ~1994 with my brand new 2 meter radio was discover that it would make the vending machine in my high school think a dollar had been inserted.

So did this guy just revive a long-declined market of "tough" mobile devices (rugged, EM shielded, thermoresistant etc.)?

Being in the embedded safety/security industry for years, piezo igniters and sparklers are among my go-to system test and side attack tools. They were also effective at opening an August smart lock some time ago when one of my coworkers had to enter a room in a hurry and was not carrying their phone with the app. Amazingly a few zaps around the enclosure did it.

The big ones for gas stoves even work some feet away on some badly shielded products. Growing complexity, size/weight reduction and low-power technology have made all these devices quite flimsy these days.
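What a "system test" with a piezo igniter is probing for, in both the slot-machine fault injection described earlier in the thread and the smart-lock and MDM cases, is a check whose outcome changes when one instruction fails to execute. The standard first-order model of a clock, voltage or EM glitch is exactly that: one instruction (or a few) is skipped. The block below is an added example, not code from the thread, the payatu article, or any real firmware. It runs a toy five-instruction machine over two constructed unlock checks, a naive one where the privileged path is the fall-through after a single conditional branch, and a hardened one that branches to the locked exit on every test, re-checks before acting, and also requires a stored complement of the magic value to match. It then searches for the smallest set of skipped instructions that reaches the unlock action. The names MAGIC, NMAGIC, the instruction set and the storage layout are all assumptions of the example.

```python
"""Instruction-skip fault simulator: how many skipped instructions bypass a check?

Toy model constructed for illustration. Not the firmware of any real device.
"""
from itertools import combinations

MAGIC = 0xA5C3            # assumed marker for "unlocked / restrictions removed"
NMAGIC = MAGIC ^ 0xFFFF   # its bitwise complement, stored alongside it


def run(program, storage, skip=()):
    """Execute `program` over `storage` (a list of 16-bit words).

    Instructions: ("LOAD", reg, addr), ("CMP", reg, imm) sets Z = (reg == imm),
    ("BNE", target) jumps when Z is false, ("SET_UNLOCKED",), ("HALT",).
    Every instruction index in `skip` is executed as a no-op: the usual
    first-order model of a glitch. Returns True if SET_UNLOCKED was reached.
    """
    regs = {"flag": 0, "nflag": 0, "Z": False}
    unlocked = False
    pc, steps = 0, 0
    while pc < len(program) and steps < 100:   # step cap guards against loops
        steps += 1
        op, *args = program[pc]
        if pc in skip:                          # glitched: fall through to next
            pc += 1
            continue
        if op == "LOAD":
            regs[args[0]] = storage[args[1]]
        elif op == "CMP":
            regs["Z"] = regs[args[0]] == args[1]
        elif op == "BNE":
            if not regs["Z"]:
                pc = args[0]
                continue
        elif op == "SET_UNLOCKED":
            unlocked = True
        elif op == "HALT":
            break
        else:
            raise ValueError("unknown op %r" % op)
        pc += 1
    return unlocked


# Naive check: one compare, one branch, and the privileged path is the fall-through.
NAIVE = [
    ("LOAD", "flag", 0),
    ("CMP", "flag", MAGIC),
    ("BNE", 4),             # not unlocked -> jump over the unlock action
    ("SET_UNLOCKED",),      # skipping the BNE lands here
    ("HALT",),
]

# Hardened check: every branch exits to the locked HALT, the complement must
# match too, and the value is re-checked immediately before acting on it.
HARDENED = [
    ("LOAD", "flag", 0),
    ("CMP", "flag", MAGIC),
    ("BNE", 9),
    ("LOAD", "nflag", 1),
    ("CMP", "nflag", NMAGIC),   # stored complement guards a stuck-at-0/1 read
    ("BNE", 9),
    ("CMP", "flag", MAGIC),     # re-check before the privileged action
    ("BNE", 9),
    ("SET_UNLOCKED",),
    ("HALT",),                  # shared locked/unlocked exit
]

LOCKED_STORAGE = [0x0000, 0xFFFF]     # constructed: what a locked device holds
UNLOCKED_STORAGE = [MAGIC, NMAGIC]    # constructed: legitimately unlocked


def min_skips_to_unlock(program, storage, max_faults=4):
    """Smallest number of skipped instructions that reaches SET_UNLOCKED from a
    locked state, or None if no set of up to `max_faults` skips does."""
    for k in range(1, max_faults + 1):
        for skip in combinations(range(len(program)), k):
            if run(program, storage, skip=skip):
                return k
    return None


if __name__ == "__main__":
    for name, prog in (("naive", NAIVE), ("hardened", HARDENED)):
        print(name, "skips needed:", min_skips_to_unlock(prog, LOCKED_STORAGE))
```

The naive check falls to a single skipped branch, which is the class of weakness a hand-held arc lighter is looking for; the hardened one needs three independent skips in one run, which raises the bar but does not make the device glitch-proof, and a search like this is only as good as its fault model (it says nothing about corrupted data reads or multi-instruction faults unless you add them). Real hardening also randomises timing so the attacker cannot aim at the branch, and the same logic belongs around every privilege decision, not only the first one.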


Oh, just remembered I need to buy one :)

Using an X-ray generator and knowing the chip layout, one can probably target specific registers/memory cells.

Do not try to replicate, you will destroy your device.

I remember reading about a javascript sandbox escape method years ago that involved bunches of jump commands written in such a way that any bit flipped would jump to another jump command directed at your desired code.

The attack relied on cosmic rays flipping bits of memory, but was accelerated by using a light bulb placed near the memory chips to induce heat based errors.

edit: found it! https://www.cs.princeton.edu/~appel/papers/memerr.pdf

I've often thought about these types of attacks, and wondered how advanced they've become.

Disclaimer: I'm extremely paranoid about computer security to the point where I almost don't care about it anymore and assume that any machine I use is compromised.


As an aside: Is it not required to put a date of publication inside scientific papers? I've always thought that documentation was paramount for papers such as these, and as such the date would be one of the primary pieces of information present, but I've come across many papers (including this one) for which I had to find publication information on third party websites (for this particular paper: Researchgate)

The journal issue it’s published in has a date, surely.

This is not strictly 'Bypassing' MDM.

Sure you get a device that you can flash/root/reinstall - but will it be authenticated/allow login by Google/Your company?

> Here our objective was not to break the crypto or recover the data, it was to remove any MDM application and remove all restrictions on the device.

Yes you can remove - resell device. But MDM is not designed to prevent reinstall/selling/whatever.

BeyondCorp principles:

A particular network connection must not determine which services a user can access. Access to services is granted based on what we know about a user and the device. All access to services must be authenticated, authorized and encrypted.

Are you able to authorise device with your company/google? We are listening...


Here the scope of the PT was something different than getting access to the filesystem or bypassing corp filters. Breaking the MDM implemented in the firmware was the crude target.
