Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Printing Fake Fiscal Receipts - An Italian Job p.1

Shielder - thezero, posted 3 years ago
  • The fiscal printer is part of the cash register. It is used to keep track of all income a retailer takes in during a day. A seal on the device marks its integrity, showing that it has not been tampered with.
  • How does the register ensure that every item is recorded? The device must record every transaction processed by the printer in an append-only internal memory and on a special SD card called the DGFE. Most fiscal printers have two units: the fiscal unit and the management unit. The fiscal unit is an MCU connected to the append-only memory and to the PoS peripherals (printer, cash drawer, etc.). The management unit is a full computer running a Linux or Android distribution.
  • The Italretail SpiceT fiscal printer is an Android-based printer whose management unit and fiscal unit exchange data over UART. It ships with a custom ROM image containing four custom apps on top of the OS plus several default ones. Apps are normally installed by plugging in over USB, so it is trivial for an attacker to install a custom app the same way.
  • The UART port used to talk to the fiscal unit is exposed as the /dev/ttymxc4 character device. Its permissions are rw-rw-rw-, meaning that ALL users can read from and write to the device!
  • The UART link supports two different protocols: XON/XOFF and CUSTOM. CUSTOM runs at 19200 baud with odd parity, 7 data bits and 1 stop bit. Packets have the following format:
    • STX: start-of-frame byte. Always 0x02.
    • CNT: frame counter. 2 bytes, a decimal value from 00 to 99.
    • IDENT: packet identifier, a single ASCII character.
    • CMD: the command to execute (4 bytes) followed by its parameters. Codes range from the 1000s, which gather information, up to the 9000s, which perform admin actions such as firmware updates.
    • CKS: checksum. Simply the sum of the CNT, IDENT and CMD fields mod 100.
    • ETX: end-of-frame byte (0x03).
  • A successful response comes in three parts: ACK (0x06), CMD_HEADER and RESP. On error the ACK byte is replaced by 0x15 (NAK), followed by an error code. The author chose to set up Frida against the device driver, hooking the read and write syscalls. While watching the traffic, they noticed that several undocumented commands were in use.
  • One of these undocumented commands was 4003. It allows starting a legitimate print, pausing it, printing a BUNCH of fake receipts, then closing out the original one. This means an auditor could verify what was printed, but NOT everything printed would be written to the DGFE. Problem!
  • Remember how the DGFE was append-only? That just isn't the case! The 741x codes could be used to delete or overwrite the files stored there. Yikes! A good find that compromises the purpose of the whole system.
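Added example, not code from the Shielder write-up or from this page's author: a small Python parser for the CUSTOM frame format above, plus a scan that reports malformed frames and flags the undocumented 4003 and 741x commands in a captured UART exchange. It assumes that CNT, CMD and CKS are sent as ASCII decimal digits, that the checksum sum also covers any parameters appended to CMD, and that the capture is a list of complete frames; all frame contents are constructed.

```python
import re

STX, ETX = b"\x02", b"\x03"

# Command codes the write-up reports as undocumented; 741x is a whole family.
SUSPICIOUS = {
    re.compile(r"^4003$"): "4003: hidden print inside a paused receipt, bypasses the DGFE",
    re.compile(r"^741\d$"): "741x: deletes or overwrites files on the DGFE",
}
def checksum(body: bytes) -> bytes:
    """Sum of the CNT, IDENT and CMD(+params) bytes mod 100.
    Assumption: the value travels as two ASCII decimal digits."""
    return b"%02d" % (sum(body) % 100)
def parse_frame(raw: bytes) -> tuple:
    """Decode one CUSTOM frame (STX CNT IDENT CMD[params] CKS ETX) as (cnt, ident, cmd, params)."""
    if len(raw) < 11 or raw[:1] != STX or raw[-1:] != ETX:
        raise ValueError("missing STX/ETX or frame too short")
    body, cks = raw[1:-3], raw[-3:-1]
    if cks != checksum(body):
        raise ValueError("checksum mismatch")
    cnt, ident, cmd, params = body[:2], body[2:3], body[3:7], body[7:]
    if not (cnt.isdigit() and cmd.isdigit()):
        raise ValueError("CNT and CMD must be ASCII decimal digits")
    return int(cnt), ident.decode("ascii"), cmd.decode("ascii"), params

def encode_frame(cnt: int, ident: str, cmd: str, params: bytes = b"") -> bytes:
    """Build a frame; used here only to construct sample traffic for the scan."""
    body = b"%02d" % cnt + ident.encode("ascii") + cmd.encode("ascii") + params
    return STX + body + checksum(body) + ETX

def scan_capture(frames: list) -> list:
    """Return (frame index, finding) for every malformed or suspicious frame."""
    findings = []
    for i, raw in enumerate(frames):
        try:
            _, _, cmd, _ = parse_frame(raw)
        except ValueError as err:
            findings.append((i, f"malformed frame: {err}"))
            continue
        for pattern, reason in SUSPICIOUS.items():
            if pattern.match(cmd):
                findings.append((i, reason))
    return findings

# Constructed capture: a normal 1000-series query, then 4003, a 741x call, a bad checksum.
SAMPLE_CAPTURE = [
    encode_frame(1, "A", "1000"),
    encode_frame(2, "A", "4003"),
    encode_frame(3, "A", "7410", b"receipt.log"),
    b"\x0204A100099\x03",
]
```

Running `scan_capture(SAMPLE_CAPTURE)` reports frames 1, 2 and 3 and leaves the ordinary query alone; pointing the same scan at bytes read from a monitored serial line gives a cheap tamper alarm for the commands the write-up describes.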