The Volterman Scam Part 2.

Well, the email chain continues on from the previous post (here) and I am still calling this a total scam. I actually had gotten an email thread from somebody else who had been dealing with Volterman over a wallet with issues (staying connected to a phone) and Volterman were lets say, not too helpful dealing with him. I threatened to leak the entire conversation however decided against this as it did contain personal details of the guy. After this, Volterman decided to actually send me my wallet…

So, after this threat (Email 161 – yes, 161 emails) I got this email back:

Followed by this email (once confirming my details were correct):

So, as expected I didn’t believe them at all. And then suddenly a few weeks later:

So now we start the dodgy desk unboxing:

Wow – so premium
What is this chonker?

As expected – this wallet is a chonker (mine is around 19.5mm thick). There is no way I can get my cards in it along with cash and still successfully fit it in my pocket. Also I seriously don’t trust it enough to both carry this around (after the emails that have gone back and forward this could be running any malicious app) and also don’t trust it is durable enough to be carried close to my man parts without a risk of smelling like bacon.

The serial number indicates they’ve potentially made around 8000 units right now. The IMEI manufacturer is actually “Volterman” so they’ve somewhat made some effort there.

Inside the wallet is a single button, the magnetic charging port, a camera and proximity sensor and the speaker grille. Not that exciting. Did I mention the leather feels the cheapest of the cheap? It is leather, but it isn’t the best. I also paid for engraving but this didn’t include any.

Hooking this wallet up to my computer I see it is running Android:

And just like that I have root access on this thing. I was actually expecting to put up a bit more of a fight. The “Firmware Update” on the app simply installs the new version of the app on the wallet via ADB it seems.

The app is super basic allowing you to turn on Wireless Charging, make it yell at you, make it take a photo (I didn’t bother to test this as I didn’t know if it was going to upload anywhere outside of the wallet) and also activate the hotspot feature.

Since this wallet is not one I can use I thought I’d tear it down – it didn’t actually take much to rip open with my bare hands. Just like that I have the “smarts” of the wallet along with some scrap leather…

Something to note is this wallet is supposed to have GPS – it was one of the main features so without GPS what use is this wallet? I noted that pretty-much every feature in the app required you to connect the wallet up via WiFi. If I lost this turd then I have to be reliant on A-GPS to get it back (which, is not accurate at all) – it does talk back to the Volterman API over the mobile network.

Tearing it down by unscrewing things we see the massive 2600 2100 mAh battery, a 64gb MicroSD card, a ucom Armenia sim card (more on this later). Under the mainboard is the wireless charging coil and also some sexy looking uart pins on the main board – the uart pins were my backup if I was unable to gain root by other methods but it turned out to be trivially easy.

I read up online the SD card was fake – well, I can confirm that:

The SD card does indeed advertise itself as a 64gb card but only has 32gb of capacity. This is why I am calling this wallet a total scam.

The CPU in this wallet is a Mediatek MT6580M – looking further into the build.prop:

[ro.build.date.utc]: [1558147576]
[ro.build.date]: [2019年 05月 18日 星期六 10:46:16 CST]
[ro.build.description]: [full_rs610-userdebug 5.1 LMY47I 1558147499 test-keys]
[ro.build.display.id]: [ZWEAR_1879M_RELEASE_V1.4]
[ro.build.fingerprint]: [alps/full_rs610/rs610:5.1/LMY47I/1558147499:userdebug/test-keys]
[ro.build.flavor]: [full_rs610-userdebug]

Yep – Android 5.1 on a wallet. The sim card works if put into another device but doesn’t have data active (nor does it on the wallet itself – I can’t even top it up!) – I did then find out the APN “volterman” only allows access to “api.volterman.com” – I couldn’t get data to pass to other destinations without sending them more money. Despite me forging the status approval code for the API callback from Ameria Bank there must have been either an additional step, or behind the scenes checking to actually check funds were deposited:

The website does show the last wallet location but it was not at all accurate. Also, it did seem suspicious that when I removed the app off my phone the location couldn’t update:

As I already had adb shell access I attempted to see if this turd was running a display manager of any sort – using Scrcpy I was able to actually play around with this. It seriously seems that this wallet is running a watch-like build of Android 5.1 which is also near-stock. Some screenshots below:

I did grab the service apk from the wallet (https://murfy.nz/files/Volterman.apk) for anyone wanting to disassemble and reverse-engineer it. I did start, but my experience with Android is rather dated now.

Thanks to /u/GMMan_BZFlag/over on Reddit here’s what the app seems to do. I’ve also dumped the firmware of the wallet and am looking over this now:

Poking through the APK, looks like it makes a phone call to a service number to check balance, report battery status, report location, and reads the screen to get the response. Weird system, I bet something else in the OS is handling that (hence the “USSD code running” box that pops up). A reference to their web API indicates it’s used to do registration and to upload photos when someone opens the wallet, if you have that enabled.

I can’t imagine this thing is very secure, what with the APK signed with the default Android development key that’s publicly available. Probably easy to connect to someone’s wallet (it’ll accept any Bluetooth pairing request) and upload a trojanized version of the app.

Full thread: https://www.reddit.com/r/shittykickstarters/comments/n7op69/volterman_i_got_my_smart_wallet_and_have_been/gxgso46?utm_source=share&utm_medium=web2x&context=3

In conclusion – this isn’t even worth the price I paid for it. The features are complete garbage and the wallet is an absolute chonker. I’ll continue to look more into the software side of things over the coming week and will update this post. I also do feel for the people who have not received their wallet but seriously you’re not missing out on much. This wallet has rushed, hacked together software complete with rubbish hardware and you’ll struggle to squeeze this into your pocket. I also highly doubt anyone actually working at Volterman will be using this themselves.

Leave a Reply

Your email address will not be published. Required fields are marked *