RSA SecurID Teardown

  • Published on 26 Aug 2024
  • Teardown of the newer RSA SecurID token

Comments • 47

  • @MarcoMota73
    @MarcoMota73 3 years ago +15

    I worked for RSA for 14 years and did some tear down of these devices during some destructive testing and found an issue with a battery tab not being soldered properly which would cause the device to lose connection with the device an led causing the device to expire earlier than expected. Learned so much working there, it was a good expeu

  • @Speeddymon
    @Speeddymon 6 years ago +16

    Saved me from destroying the one my job gave me trying to figure out how to change the battery. Thanks for the video!

  • @MobCat_
    @MobCat_ 3 years ago +4

    The clear material is known as potting compound. The PCB will be put in a mold and have a resin liquid poured over it, when it sets it sets rock hard or very hard rubber depending on the type.

  • @josephrumpsa180
    @josephrumpsa180 5 years ago +5

    The potting compound looks like it may be MG Chemicals 832C. 832C can be dissolved with Acetone, though, it takes a while, lol. Warming it also makes removal much easier!

  • @Scyth3934
    @Scyth3934 several months ago

    The epoxy can actually be removed with some snips or pliers - much easier than conformal coating as it just comes off in one piece. Also, the outer plastic shell can be pried off with a screwdriver and the dremel is completely unnecessary.

  • @sbalogh53
    @sbalogh53 3 years ago

    I just received a new token and the expiry date on the back is 4 years from now. My token that expired a week ago now just displays "OFF". Thanks for the video. I can put my razor blade away and not bother trying to open my expired device.

  • @trollobite1629
    @trollobite1629 1 year ago

    "...potted..."
    Not heard that since the early 80s 😁

  • @hugeshows
    @hugeshows 7 years ago +5

    Seems like a pretty robust device. I wonder if one managed to disassemble it without destroying it, and then replaced the crystal with a faster one, overclocking the device, if one could obtain future codes by allowing it to run fast.

    • @vanillaslice3016
      @vanillaslice3016 6 years ago

      I firmly believe that we could manipulate the device clock to display tokencodes far faster than the common 30 or 60 second setting thus getting tokencodes "from the future" if you will. But how could we use that to our advantage? When the user uses the token FOR THE FIRST TIME the window for allowable tokencodes is +- 12 hours I believe. Once the user auths once the window becomes much smaller usually +-3 minutes allowing for only 7 good tokencodes before putting the user into a "next tokencode mode" whereby they are asked to provide the next consecutive tokencode or simply denying access with a bad tokencode event and after like 3 of those the token becomes disabled prompting a call to tech support lol. Even if we were successful the token drift would simply be adjusted a minute or two changing the aforementioned window of 7 allowable tokencodes. I fail to see any advantage do you see one?
      Another point... If you had a software token and installed it on a Windows machine and adjusted the clock on the Windows machine that too would display tokens from the future as well.

    • @AhuCJ
      @AhuCJ 4 years ago

      VanillaSlice damn

  • @richardturpin61
    @richardturpin61 2 years ago

    Thanks for that, I was planning to try to change the battery later as the new one I should be getting would have to be on my mobile phone

  • @donaldviszneki8251
    @donaldviszneki8251 1 year ago

    I love this channel but this time I wish I hadn't clicked on it.

  • @SoundScapeSpectrum
    @SoundScapeSpectrum 4 years ago +2

    Nice destruction :D

  • @DAVIDGREGORYKERR
    @DAVIDGREGORYKERR 8 years ago +2

    Can we not dissolve the covering using carbon tetrachloride or Chloral-benzine or some other solvent?

  • @charlesm.5110
    @charlesm.5110 4 years ago +2

    So basically if the battery dies, they want you to shred it and buy/issue a new one.

    • @Crinisus
      @Crinisus 4 years ago

      They have a life span of 2, 3, or 5 years. The battery will outlast the expiration date of the token. After the token expires it cannot be reused ever.

    • @sbalogh53
      @sbalogh53 3 years ago

      I received a new device from my bank a couple of months before mine was due to expire. I also had a few notifications on my online banking page warning my current device would be expiring soon. My bank does not charge for these devices so I get them for free. The bank must believe that providing these for free is cheaper than having disputed transactions in future.

  • @kn7x802
    @kn7x802 5 years ago +1

    Surprised it didn’t explode like the Mission Impossible series

  • @matthewmiller6068
    @matthewmiller6068 2 years ago

    Cool, saved me breaking open the expired one I have to dispose of to see what's inside...about what I guessed...

  • @preethsequeira90
    @preethsequeira90 3 years ago +2

    Do they require internet network?? Or can they be tracked by GPS?

    • @sbalogh53
      @sbalogh53 3 years ago +1

      Neither. They are based on synchronized time.

  • @Land-of-reason
    @Land-of-reason 1 year ago

    Could you have dissolved the potting with acetone?

  • @curtiswright4809
    @curtiswright4809 4 years ago +1

    WOW! The Father Guido Sarducci of tear downs, NICE!!

  • @gordonwedman3179
    @gordonwedman3179 6 years ago +3

    Brings back horrible memories of a company I used to work for.

  • @jtdcjtdc
    @jtdcjtdc 6 years ago

    Interesting teardown, I have an expired one so I suppose the only useful thing inside is the CR2032 coin battery.

  • @ThatkidTimmy-rf5he
    @ThatkidTimmy-rf5he 2 years ago

    I found one, what can I do with it?

  • @neodonkey
    @neodonkey 7 years ago +2

    I bet the MCU wiped the seed code as soon as it reset.

    • @KerryWongBlog
      @KerryWongBlog 7 years ago

      I wouldn't be surprised if this was the case. There may be other tampering proof mechanisms built in.

    • @vanillaslice3016
      @vanillaslice3016 6 years ago

      The key is stored in SRAM. SRAM requires power to function. When power is removed from SRAM POOF goes whatever is stored in SRAM in this case the key/seed rec.

  • @leoyru.3361
    @leoyru.3361 2 years ago

    Is it easy to reuse the LCD?

  • @SanjanaBhanu
    @SanjanaBhanu 3 years ago

    Hi! Thanks for this video. Could you please explain more on the synchronisation of clocks of the token (which is a stand alone equipment) with the server?

    • @matthewmiller6068
      @matthewmiller6068 2 years ago +1

      My rough understanding is the server knows what the current/previous/next code should be so if you are ever so slightly off it will "know" and then ask you to wait for it to change and re-enter. I am guessing it keeps some clock-drift-offset on the server side because that doesn't happen very often in my experience.

    • @SanjanaBhanu
      @SanjanaBhanu 2 years ago

      @matthewmiller6068 I feel it is some encryption by the token using the time stamp, which when decrypted by the server allows the entry if the time matches. This is my understanding..
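The acceptance window, server-side drift offset and lockout discussed in the two threads above, sketched from the verifying server's side as an added example (not part of the original comments and not RSA's code). The code generator is a stand-in HMAC because the SecurID algorithm is not on this page; the ±3-step window and three-strike lockout are assumptions taken from the figures one commenter recalls, and all names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per tokencode (the comments mention 30 or 60)

def tokencode(seed: bytes, counter: int) -> str:
    """Stand-in generator (truncated HMAC-SHA256), NOT the SecurID algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class TokenRecord:
    """Hypothetical server-side state kept for one token."""

    def __init__(self, seed: bytes, window: int = 3, max_bad: int = 3):
        self.seed = seed
        self.window = window    # accept +/- this many steps (3 -> 7 codes)
        self.max_bad = max_bad  # consecutive failures before lockout
        self.drift = 0          # learned token clock offset, in steps
        self.last_used = None   # highest counter already accepted
        self.bad = 0
        self.disabled = False

    def verify(self, code: str, server_time: int) -> str:
        if self.disabled:
            return "disabled"
        centre = server_time // STEP + self.drift
        # Try the expected step first, then widen outwards.
        for off in sorted(range(-self.window, self.window + 1), key=abs):
            ctr = centre + off
            if self.last_used is not None and ctr <= self.last_used:
                continue  # a code is good once; older steps are dead too
            if hmac.compare_digest(tokencode(self.seed, ctr), code):
                self.drift += off  # re-centre on the token's clock
                self.last_used = ctr
                self.bad = 0
                return "ok"
        self.bad += 1
        if self.bad >= self.max_bad:
            self.disabled = True
            return "disabled"
        return "bad"
```

Because the server re-centres on each accepted code and never accepts a counter at or below the last one used, a token whose clock runs fast only shifts the stored offset; codes outside the window count toward the lockout.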

  • @MOHAMMADJAVEDALKHAIRI
    @MOHAMMADJAVEDALKHAIRI 8 years ago

    i was found as this secu id token who is same this off. we can on it and how to use it??

    • @daveb5041
      @daveb5041 6 years ago +8

      What? That makes no sense. No one is going to take the time to answer your question if you can't be bothered to make it intelligible. But let me try to answer your question: u same this on cn use the sec. id off. as on it as found and how to or off. token.
      I hope that helps answer your question.

    • @sbalogh53
      @sbalogh53 3 years ago +1

      @daveb5041 ... thanks for answering the question. I was wondering the same thing myself. ;)

    • @danieltx7066
      @danieltx7066 3 years ago

      @daveb5041 conversely, secu. token on off found seed off use not. as token, use not u same id spawn sub-bittle much... but that's just an assumption on my part.

  • @tanishqredkar2800
    @tanishqredkar2800 2 years ago

    I found this in India in my office, don't know what this is, please tell me if you know

    • @regnam503
      @regnam503 1 year ago

      If there's no owner in the vicinity, just dispose of it, it's of no use to you anyway.

  • @satanas666reyna3
    @satanas666reyna3 5 years ago +1

    You talk like Elmer Fudd I’ll get you wiwwle wabbet

  • @daveb5041
    @daveb5041 6 years ago +4

    That was about as exciting as a solar powered calculator tear down without the solar panel. Did you really need 15 minutes to show it's just a battery, LCD and blob chip? Just chuck that thing in the trash and delete the video as nothing interesting can come from it, no need to document the serial number.

    • @regnam503
      @regnam503 1 year ago +2

      Ironically enough, here you are wasting your time to comment on it.

  • @markbass9402
    @markbass9402 7 years ago +2

    Bla Bla Bla