KhadashPay V2.0

The KhadashPay V2.0 is a new and improved version of the open-source payment system that I released seven months ago. 

Unlike its four-MCU predecessor, the KhadashPay V2.0 requires only one microcontroller. It preserves the full functionality of the KhadashPay V1.0 while being faster and more user-friendly than it. More than that - KhadashPay V2.0 is much more stable than the previous version of the KhadashPay and largely free of bugs and glitches.

I made KhadashPay because I wanted to provide business owners with the opportunity to easily deploy a card payment system in their store without having to buy an expensive terminal, pay fees for each transaction, and waste time and resources dealing with the bank.

As for the customers of the store where the KhadashPay is deployed, KhadashPay doesn't keep any logs whatsoever and doesn't require a bit of your personal information to create an account.

The name KhadashPay is a combination of two words - Khadash (Hebrew: חדש - New) and Pay.

Before you continue reading this instructable, I would like to remind you that this payment system isn't connected to any existing financial institution. It works completely offline, and all the money kept in it is nothing more than just numbers entered by the operator and stored in the ESP32's built-in flash memory (in an encrypted form).

And one more thing, The KhadashPay V2.0 is incompatible with the KhadashPay V1.0.

• ESP32 x1
• 2.4 Inch TFT LCD with ILI9341 x1
• Mifare RC522 RFID Reader x1
• 4x4 Keypad x1
• RFID cards x4
• 10µF capacitor x1 *optional

First things first, you can't have a secure system without strong cryptography behind it. I could've used AES or Serpent encryption algorithms. But I've decided to follow the principle "better safe than sorry" and adopted the encryption algorithm from Midbar to encrypt user data on KhadashPay.

Another cool feature provided to you by KhadashPay is the "HMAC-SHA256"-based integrity verification.

Before encrypting the user data, KhadashPay computes the tag for that data and encrypts it.

Later on, when KhadashPay decrypts your data, it also decrypts the previously calculated tag and computes a new tag for the newly decrypted data. It then compares both tags, and if they don't match - KhadashPay notifies you that the integrity verification failed.

Even though KhadashPay can't decrypt user data without the user's card, I still decided to add an additional check, just in case. 

The so-called "Belonging Check" (didn't really know what else to call it) is a feature that allows the KhadashPay to verify whether the record with the balance belongs to the card that is taped on the RFID reader or not.

If you've never flashed ESP32 before you need to configure Arduino IDE and install CP210x driver to upload the firmware into the board, you can download the CP210x driver for ESP32 here: https://www.silabs.com/developers/usb-to-uart-bridge-vcp-drivers

Configuring IDE isn't a part of this tutorial. You can read about it here: https://randomnerdtutorials.com/installing-the-esp32-board-in-arduino-ide-windows-instructions/

You can download the firmware for KhadashPay from one of these sources.

SourceForge: https://sourceforge.net/projects/khadashpay/

OSDN: https://osdn.net/projects/khadashpay/

GitHub: https://github.com/Northstrix/KhadashPay

If you just need the firmware for the device alongside the RNG, then I would advise you to download a 0.8 MB archive either from SourceForge or OSDN.

But if you need the firmware for all versions of KhadashPay alongside the extra code, photos, and diagrams, in that case, I would advise you to download the 67.6 MB archive from GitHub.

TFT_eSPI: https://github.com/Bodmer/TFT_eSPI

rfid: https://github.com/miguelbalboa/rfid

Keypad: https://github.com/Chris--A/Keypad

The process of unpacking libraries is typical. You can unpack the content of the archive into the folder: ...\Arduino\libraries. Or open the Arduino IDE, click to the Sketch -> Include Library -> Add .ZIP Library... and select every archive with libraries.

Other required libraries are already present in one way or another.

TFT_eSPI Library requires the config to be adjusted depending on the display and the board that drives that display. Initially, I wanted to write the mini-guide on adjusting the config for the ILI9341 display to be properly used on the ESP32's HSPI. But then I realized that it would be more convenient to attach the adjusted config to the firmware and tell you where to place it.

Take the "User_Setup.h" file from the "V2.0\ESP32_Version" folder and place it in the "C:\Program Files (x86)\Arduino\libraries\TFT_eSPI-master" folder.

The primary purpose of the ESP32 Filesystem Uploader is to let you upload files into ESP's filesystem. In this tutorial, the purpose of this tool is to upload an empty SPIFFS image into ESP.

Download the file called ESP32FS-1.0.zip from https://github.com/me-no-dev/arduino-esp32fs-plugin/releases/

And then extract the content of the archive into the "...\Arduino\Tools\" folder.

After that, restart the Arduino IDE.

You have to switch the partition scheme to the "No OTA (2MB APP/2MB SPIFFS)" before you continue working with ESP32 because the firmware for the vault is too big for the default partition.

Connect the ESP32 that you're going to use as a core of the vault to the computer. Click Tools -> ESP32 Sketch Data Upload. Then click Yes in the pop-up window. The program is going to format the built-in flash memory.

Some boards will flash without any problems.

Unfortunately, that's not the case for all boards. If you configured IDE correctly, installed drivers, selected the corresponding port, and still keep getting this error: A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header. Connect a 10µF capacitor to the board while flashing.

Connect the positive lead of the capacitor to the EN pin of the ESP32;

Connect the negative lead of the capacitor (usually indicated by the gray stripe) to the GND pin of the ESP32.

Don't forget to disconnect the capacitor after the board flashes.

To make the unauthorized deciphering of your data computationally infeasible - It is crucial to generate your own keys and never reuse them

It's entirely up to you how to generate the keys. I can only offer you an option to do so.

I've modified one of my previous projects to work as a random number generator, the generated output seems "random enough" for me, but I haven't run any tests. So, I can't guarantee that it's random.

Use it at your own risk!

To generate the keys - launch gen.exe from the "V2.0\ESP32_Version\Untested RNG" folder and click the "Generate keys for KhadashPay V2.0" button. The background turns from dark gray to light gray when you press that button.

Open the "Firmware.ino" file from the "V2.0\ESP32_Version\Firmware" folder and replace my keys with those you've generated.

Upload the firmware from the "V2.0\ESP32_Version\Firmware" folder into the ESP32.

I don't think it would be hard, especially compared to the KhadashPay V1.0.

Just like the Midbar V4.0, KhadashPay V2.0 has six lock screens. KhadashPay V2.0 randomly chooses the lock screen at startup.

After the KhadashPay has chosen the lock screen, it displays the "חדשפיי" inscription with the shifting background and the "Tap RFID card N1" inscription on the bottom of the lock screen.

*Credit for photos:

Austin:

Photo by MJ Tangonan on Unsplash

Dallas:

Photo by Erin Hervey on Unsplash

Minneapolis:

Photo by Steijn Leijzer on Unsplash

Montreal:

Photo by Michael Beener on Unsplash

San Francisco:

Photo by Josh Bean on Unsplash

Tel Aviv:

Photo by Shai Pal on Unsplash

After you've powered the device up, tap four RFID cards on the RFID reader one after another. The most important thing here is to tap the cards in the same order every time you unlock KhadashPay. Otherwise, it just won't unlock.

If you don't have four cards, you can tap one card four times.

And by the way, the first card you tap on the RFID reader becomes the "operator card" right after you set the master password. You'll need this information later in this tutorial. For now, just remember it.

To use the KhadashPay, you first need to set the master password.

While entering the master password on the 4x4 keypad, note that the '*' key serves as a backspace.

And remember that you can't change the master password without losing the ability to decrypt all user data stored on the ESP32!

KhadashPay won't be able to decrypt the user data without the master password because the keys for the encryption algorithms are partially derived from it. Perhaps, it won't even unlock without the correct master password.

When you're done entering the master password, press either the '#" or 'C' key on the keypad to finish the input and set the master password.

After you've unlocked the KhadashPay and got to the menu:

• Press the "0" key on the 4x4 keypad to go down the menu;
• Press the "8" key on the 4x4 keypad to go up the menu;
• Press the "#" key on the 4x4 keypad to perform the selected action;
• Press the 'D' key on the 4x4 keypad to show the random lock screen. After that, press any key to return to the menu.

Ok, let's start with the facts about the KhadashPay account.

• Each account is bound to the RFID card and PIN;
• The PIN can have a length from 1 to 8 characters;
• The PIN can have the following characters: '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'D';
• A client can create several accounts using the same card as long as the pins are different;
• The maximum amount of money stored in the account is only limited by the double variable type (don't worry about that, the KhadashPay can still store a 15-digit number without any problems);
• Not even the owner of the KhadashPay can see your balance without your card.

To create an account on KhadashPay V2.0:

Operator:

• Select the "New Account" line in the menu;
• Press the '#' key on the 4x4 keypad;
• Tap the operator RFID card on the RFID reader;
• Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

• Tap your RFID card on the RFID reader;
• Set your PIN;
• Press the '#' key on the 4x4 keypad;
• Enter the PIN that you've set again;
• Press the '#' key on the 4x4 keypad.

To put money into the account:

Operator:

• Select the "Put Money In" line in the menu;
• Press the '#' key on the 4x4 keypad;
• Tap the operator RFID card on the RFID reader;
• Enter the amount of money to be put into the client's account;
• Press the '#' key on the 4x4 keypad;
• Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

• Tap your RFID card on the RFID reader;
• Enter your PIN;
• Press the '#' key on the 4x4 keypad.

To make a sale:

Operator:

• Select the "Make A Sale" line in the menu;
• Press the '#' key on the 4x4 keypad;
• Tap the operator RFID card on the RFID reader;
• Enter the sale amount;
• Press the '#' key on the 4x4 keypad;
• Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

• Tap your RFID card on the RFID reader;
• Enter your PIN;
• Press the '#' key on the 4x4 keypad.

To view balance:

Operator:

• Select the "View Balance" line in the menu;
• Press the '#' key on the 4x4 keypad;
• Tap the operator RFID card on the RFID reader;
• Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

• Tap your RFID card on the RFID reader;
• Enter your PIN;
• Press the '#' key on the 4x4 keypad.

As flawed as KhadashPay V2.0 is, it's significantly better than KhadashPay V1.0.

At first, I wanted to make it fully compatible with the KhadashPay V1.0, but then I realized that the KhadashPay V1.0 was more like an unstable, laggy, and glitchy proof of concept than a good-working payment system. And so, after spending some time contemplating what the "fully working KhadashPay" could be, I've decided to use Midbar V4.0 as a base for the new KhadashPay.

I hope I made the KhadashPay V2.0 "good enough" for you to use it. Anyway, KhadashPay's source code is distributed under the MIT license, so if you want to make your own version of the KhadashPay or change something in it, don't wait for anyone else to do it for you. Take the initiative into your own hands and do it! Don't forget that there's always room for improvement, even if it seems that there's none.

If you like this tutorial, please share it.

Thank you for reading this tutorial.