Teardown: BlackBerry Smart Card Reader
Years before Steve Jobs showed off the first iPhone, the BlackBerry was already the must-have accessory for mobile professionals. Back then, nobody was worried about watching movies or playing the latest games on their mobile devices; they just wanted a secure and fast way to send and receive email on the go. For that, the BlackBerry was king.
Fast forward to today, and the company is just a shell of what it once was. They don’t even bother making their own hardware anymore. Over the last several years they’ve opted to partner with a series of increasingly obscure manufacturers to produce a handful of lackluster Android phones so they still have something to sell to their dwindling userbase. Anyone excited about the new 5G BlackBerry being built by Texas start-up OnwardMobility? Did you even know it was in the works before now?
But this article isn’t about BlackBerry phones. It’s about something that’s even more irrelevant to consumers: the BlackBerry Smart Card Reader. Technically, this little device isn’t dependent on the phones of the same name, but it makes sense that Research In Motion (which eventually just renamed itself to BlackBerry Limited) would market the gadget under the brand of their most popular product. Though as you might expect, software was available to allow it to work with the BlackBerry phone that you almost certainly owned if you needed a dedicated smart card reader.
For those who might not be aware, a smart card in this context is a two-factor authentication token contained in an ID card. These are used extensively by organizations such as the Department of Defense (where they’re known as Common Access Cards) that require you to insert your ID card into a reader before you can log into a secure computer system. This sleek device was marketed as a portable reader that could connect to computers over USB or Bluetooth. Worn around your neck with the included lanyard, the battery-powered reader allowed the card itself to remain on the user’s body while still being readable by nearby devices.
Civilians will recognize the basic technology from modern “Chip and PIN” debit and credit cards, but we’ve never had to stick one of those into our laptop just to log in. To be sure, the BlackBerry Smart Card Reader was never intended for the average home computer user; it was sold to companies and organizations that had tight security requirements, which just so happened to be the same places that would likely already be using BlackBerry mobile devices.
Of course, times and technology change. These devices once cost $200 apiece and were purchased in vast quantities for distribution to trusted personnel, but are now all but worthless. Even in new and unopened condition, they can be had for as little as $10 USD on eBay. For that price, it’s certainly worth taking a peek inside. Perhaps the hacker community can even find new applications for these once cutting-edge devices.
A Cyberpunk Accessory
The BlackBerry Smart Card Reader looks exactly like the kind of thing I would expect some futuristic military force to use as an authentication device, with a design that’s somehow simultaneously simplistic and aggressive. If somebody told me this thing was a prop from RoboCop or Judge Dredd, I’d believe it.
At least this version, anyway. It seems that the hardware changed a number of times, and each one looks different enough that there’s no mistaking which one is which. It’s probably safe to assume that was intentional from a logistics standpoint. The specimen we’re looking at is the second revision, released in 2009.
The smart card slots into a groove in the front of the device, which keeps it secure while still being completely visible. Only the lower part of the card, where the chip itself is located, is actually covered.
There are no controls or indicators of any sort on the front of the reader. At first glance, you might even think it was some kind of passive holder for the card. Which again, was sort of the point. Defense contractors wouldn’t have worn it all day if it was covered in blinking LEDs and indicators; only modern hackers are into that kind of thing.
On the back there’s a small LCD, a tri-color LED, and a single button. A tap of the button turns on the Bluetooth radio and displays the PIN code on the LCD, while holding the button resets the device. There’s no power button, and as long as the battery isn’t flat, the device appears to always be on. Though after a while it will go into some sort of sleep mode and display “OFF” on the LCD.
Built for Business
The BlackBerry Smart Card Reader easily comes apart after the removal of four T6 screws located behind the battery cover. There wasn’t even a tamper-evident sticker over any of the screw heads, which frankly surprised me for a high security device.
Inside we’re presented with a concise PCB design, without even a hint of silkscreen markings to help us get our bearings. There are no obvious programming headers or debug points. If there was ever a board layout that said “No User Serviceable Parts Inside”, this would be it. Interestingly, while there’s clearly a place where one would have been mounted, the RF shield that would have surrounded the CSR 41B14 Bluetooth chipset has not been installed.
The star of the show would appear to be the Analog Devices AD6529BABCZ, but I’ve been unable to find any documentation on what this chip actually is. But I did run into a few mentions of the AD6528, which is a GSM baseband processor intended for mobile phones and PDAs.
At first I thought it was unrelated, but a close look at some of the features of the chip shows interesting parallels with the Smart Card Reader. The AD6528 has a 32-bit ARM7 processor with onboard RAM, a display interface, integrated USB support, and offers various low power modes. Naturally it also has support for interfacing with the SIM cards, which themselves are very similar to the chips used in smart cards. The dimensions and package of the AD6528 also match the AD6529.
Given these facts, we may be looking at a customized version of the AD6528 that was made specifically for this high-security application. When you’re trying to sell a device to the Department of Defense, spinning up a new chip is hardly out of the question. This version of the chip may even have been bumped up to Industrial or Military/Aerospace rating.
Next to the AD6529 there’s an Intel 320W30 flash memory chip that likely holds the device’s firmware, and a Samsung K1S32161CD SRAM chip.
Keeping Trim
Easily the most impressive feature of the BlackBerry Smart Card Reader, especially given the era in which it was designed and built, is how thin it is. This is partially due to the fact that there’s absolutely nothing on the back side of the PCB, which allowed it to be pushed as tightly as possible against the inside of the case.
A close look at the chip interface also shows how the designers were able to avoid putting an actual power switch on the device. When a card is fully seated in the reader, a miniature switch is pressed in. We didn’t see this inside the chip reader of the VeriFone 925CTLS payment terminal, as there was no reason to ever shut the hardware down. But in a battery powered device, a function to put the hardware to sleep when a card isn’t present will greatly increase the runtime.
Speaking of the battery, they could have made the BlackBerry Smart Card Reader even slimmer if they hadn’t used the same 1150 mAh C-S2 battery utilized by contemporary BlackBerry phones, though that was a clever decision considering their customers likely already had stockpiles of the cells from their phone fleets.
Putting it to Use
Realistically, the components inside of this device are all so antiquated at this point that there’s not much to salvage other than perhaps the chip interface itself if you’re looking to experiment with smart cards. The enclosure could potentially be reused, and it already has the interface and battery compartment for BlackBerry C-S2 batteries. But unless you’re building a DIY smart card reader, I’m not sure what else the case design would really lend itself to.
Trying to reprogram it would be tricky, to say the least. For one thing, there doesn’t appear to be any public data on the chip that’s driving it. More practically, there’s no sign of a programming header, and removing the BGA flash chip and reading the firmware off of it manually is farther than most hackers would be willing to go.
So can we use it as-is? Unfortunately, that’s not looking very good either. When connected over USB, the reader doesn’t appear to be supported by existing open source smart card libraries such as PCSC lite. I can see the reader when scanning for Bluetooth devices, but to date, I’ve been unable to successfully pair with it.
Officially the Windows software for the device supports XP and Vista, so if you could find a copy of it, you could potentially run it in a VM and sniff the USB packets with Wireshark to come up with a modern open source driver. But besides taking on an interesting challenge, there’s not much point in it; you can pick up a newly manufactured smart card reader for about as much as one of these relics costs.
As much as it pains me to say it, I don’t think there’s anything very exciting you can do with the BlackBerry Smart Card Reader. It might be worth picking a few up to complement your dystopian cyberpunk cosplay, but that’s about it. Though if you do manage to come up with something, we’d love to hear about it.
from Blog – Hackaday https://ift.tt/36alVhL