I once had the (dis)pleasure of working with these Yomani terminals. I got a development unit (with red text "DO NOT PAY" on the side). I plugged it in my home internet which has a public ip with dhcp just to get it quickly online and keep it out of my internal home network. The next day I got a call from my ISP saying I had a compromised machine in my network with malware. I was like WTF?! and they gave me the mac address and it was the Yomani terminal! I promptply unplugged it from the network and started investigating. Indeed, this development unit had a telnet(!) port open and root login without password was possible. So, having a wide open telnet port on a public ip and it's just a matter of minutes until someone uploads a generic arm malware onto it. I returned the terminal to the vendor with explanation but never got a followup. Lesson learned: never attach anything to public internet, even if it looks secure.

I guess Atos Worldline really doesn't like root passwords.

My thoughts exactly. Why desolder the flash chip before probing for UART? Still, impressive work.

If the integrity protection is like any of the TPM implementations I've seen, it often doesn't apply once the thing is already in memory, just that when it first loads that it (and everything before it) was attested. This matters a lot once you get into the userland, esp with an older system, since any random off the shelf exploit can be chained into modifying kernel memory with the intention of modifying the binfmt loader for loadercode (or anything else). Of course, if the loadercode is just a thin shim to prod the secure firmware and that's what has the tamper mode rather than being two separate firmwares for controlling the display, you probably can't progress very far.

I'm essentially skeptical that if you have the ability to control the linux root filesystem for a very old linux distro that any other security measures for the linux binaries themselves matter.

If you take a look at the binary that decides whether to boot the secure firmware or the tamper screen, it's probably trivial to patch to get the secure firmware running for more inspection. If the point of the linux system is networking and updates, that implies a method for updating the firmware of the secure portion which isn't ideal. If their check for whether it's tampered or not is in the linux userland, I'd be awfully suspect of their firmware update.

What a nice writeup! Just curious - what kind of wire do you use to solder on the pins - enameled?

I wonder if they offer their customers source to keep the Busybox folks happy?

Was my guess as well, maybe it's even possible to use it to flash new keys so the device can be used again?

Now I am curious if I can find a terminal myself, if they are actually getting phased out it might not be too difficult to find a used one...

The look into these is neat but…why immediately open it up and trigger the tamper state? Did they not know most readers would have one?

Any real testing happening in the tamper state might be meaningless. Perhaps the shell is available after the tamper state triggers for resetting purposes.

It just seems like opening it would be the last thing you would try.

The (compromised) Linux decides whether to load the “compromised mode” code or the mp1 secure system? Sounds like an avenue to explore. It says the bootloader itself is secure, but that doesn’t mean much if it’s being loaded into a compromised environment, depending on where it is actually being executed. I guess the coprocessor could be considered a Secure Enclave of Sorts, but the fact that Linux could load a separate bootloader and run that (somehow) is of concern.