Gas Pump Skimmers

Contributors: Nate
Favorited Favorite 19


We were able to pull the firmware from the PIC using a PICKit 3. You can get a copy of the HEX file here. The firmware on all three boards was identical. The firmware is curiously small, occupying 0x0000 to 0x07F0 (about 2,000 bytes). I sneeze Arduino sketches that are bigger than that.

Update: A few readers pointed out the fuse bits have been set to protect and prevent reading of the firmware. Decapsulation and fuse clearing would be the next step but is beyond our capabilities at the moment.

One unknown: Why use a PIC18F4550 at all? It’s more powerful with way more flash than is needed. You could do this with a smaller device like an ATtiny or a cheaper device like an ARM-M0 (SAMD11s are amazing). Perhaps the extra pins are needed for keypad decoding. Perhaps the PIC18F4550 is very low cost wherever these devices are made. Perhaps this device was designed by someone and the design was never re-visited to reduce costs (who cares when the BOM on this skimmer is already less than $5?).

I am not a hacker, I just play one on TV (poorly). If you are able to decompile the HEX code into assembly and can make some sense of the function of the firmware, please do so. We already know enough about the available commands to erase and disable the device. If you are able to decipher additional functionality or interesting characteristics please let us know!