How Hidden Control Commands Affect Machine Results


Every gaming machine has two sets of commands: the ones the player sees, and the ones the player never sees. The player sees the bet button, the spin button, the cash-out button. These are the visible commands that control the visible game. But behind these visible commands, the machine’s internal communication bus carries a second set of commands that control machine behavior: award bonus rounds, modify payout percentages, activate jackpots, reset credit counters, adjust game difficulty, and enter test mode. These hidden commands are used by maintenance technicians, by the machine’s internal logic, and by attackers who exploit them. This article is about the hidden commands: what they are, how they affect machine results, how they can be exploited, and how to protect against hidden command attacks.

The Machine’s Two Command Systems

To understand hidden commands, you need to understand that gaming machines operate two parallel command systems on their internal communication bus.

The visible command system: This is the game interface — the commands that are initiated by player inputs. When the player presses the bet button, a command is sent on the bus: “player pressed bet.” When the player presses spin, a command is sent: “player pressed spin.” These commands are expected and legitimate. The machine processes them and generates results. The player sees the results on the screen. This is the public face of machine operation.

The hidden command system: This is the maintenance and configuration interface — commands that are not initiated by players but by technicians, diagnostic tools, and internal machine logic. Examples include a command to set the payout percentage to 87%, a command to add a diagnostic credit counter that is not reflected in the operator’s cash counter, a command to enter test mode where payouts are altered, a command to award a jackpot without the normal jackpot trigger conditions being met, and a command to suppress the logging of certain transaction types. These commands are not part of the normal game flow. They are administrative functions that exist for maintenance, testing, and configuration purposes. The player never sees them and, in most machine designs, cannot see them.

The critical vulnerability is that the communication bus does not distinguish between visible and hidden commands. Both command types travel on the same bus as identical data packets. The mainboard receives every packet and acts on it. If the packet contains a valid command that matches the machine’s protocol, the mainboard executes it regardless of whether the command is a visible game command or a hidden maintenance command. The attacker who can send valid packets can send any command the protocol supports, including the hidden ones. The mainboard does not know, and does not ask, whether the command originated from a legitimate source or from an external device.

Types of Hidden Commands and Their Effects

Hidden commands fall into several categories based on their effect on machine results.

Credit manipulation commands: These commands add or subtract credits through maintenance channels that bypass the normal cash-to-credit process. A credit-add command increases the credit counter without any money being inserted. A credit-suppress command prevents credits from being counted while the machine continues to operate normally. A credit-zero command resets the credit counter to zero, erasing all accumulated credits without paying them out. The result is credit counter manipulation that directly affects revenue: credits are added that should have been purchased, and credits are erased that should have been paid out.

Payout modification commands: These commands alter the machine’s payout behavior through configuration commands. A payout-ratio command sets the machine to pay out a different percentage than the configured value. A jackpot-trigger command awards a jackpot outside the normal probability triggers. A bonus-award command activates a bonus round that was not earned through normal game play. The result is altered game economics: the machine pays out more than the operator intended, reducing profit margin or, in severe cases, creating a situation where players can systematically profit from the machine.

Data suppression commands: These commands alter what the machine records. A log-filter command prevents specific transaction types from being logged. A counter-adjust command sets a counter to a different value. A timestamp-modify command changes the timestamps on logged events to a different time period. The result is that the machine’s internal records no longer reflect actual activity, making revenue reconciliation unreliable and enabling the attacker to extract value while the records show normal operation.

Mode-switching commands: These commands change the machine’s operating mode. A test-mode command puts the machine into diagnostic mode where security features may be bypassed. A service-mode command opens configuration access without the normal access restrictions. A demo-mode command puts the machine into free-play mode where no money is required. The result is that the attacker gains access to machine functions that are normally restricted, enabling further exploitation.

How Attackers Send Hidden Commands

Attackers send hidden commands through the same channels used for signal injection: RF injection, conducted interference through accessible ports, or direct wire connection for machines where internal wiring is exposed.

The process follows a consistent pattern. First, the attacker captures the machine’s communication protocol by sniffing the communication bus or by obtaining protocol documentation. This gives them the binary format of every command the machine supports, including the hidden commands. Second, the attacker builds a custom command packet for the specific hidden command they want to send. Third, they transmit the packet using the attack device — typically via RF injection to avoid physical proximity requirements. Fourth, the mainboard receives the packet, validates it against the protocol specification, and executes it. The command is executed because it is valid. The machine cannot distinguish between a legitimate hidden command from an internal diagnostic tool and a forged hidden command from an external attacker.

The attacker often combines hidden commands with other attacks. They might inject a credit-add command to give themselves free credits, then suppress the logging of those credits so the operator’s reconciliation does not show the discrepancy, then trigger a bonus payout to convert the free credits into cash, then zero the credit counter to remove all evidence. This multi-step sequence uses multiple hidden commands to extract value through a chain that leaves minimal trace because the logging was suppressed at the critical step.

Protecting Against Hidden Command Attacks

The primary countermeasure is a bus monitoring device that validates all incoming commands, not just the visible ones. The monitor maintains a whitelist of which command types are allowed from which sources. Hidden maintenance commands that originate from external devices — identified by their electrical fingerprint and protocol characteristics — are blocked. Only commands that originate from legitimate internal diagnostic tools are allowed through. This prevents external attackers from sending hidden commands even if they have correctly captured and replicated the command packet format.
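One way to express the monitor's source-based whitelist, as an added example (not code from this article or from any vendor). The source labels and command names are assumptions chosen for illustration, and the monitor is assumed to assign the source label itself rather than trust anything carried in the packet.

```python
from dataclasses import dataclass

# Command classes follow the article's categories. The names are labels chosen
# for this example, not identifiers from any real machine protocol.
GAME = {"bet", "spin", "cash_out"}
MAINTENANCE = {"credit_add", "credit_zero", "payout_ratio", "jackpot_trigger",
               "log_filter", "counter_adjust", "test_mode", "service_mode"}

# Whitelist: which source may send which command class. Default is deny.
# Assumption: the monitor assigns the source label from its own measurements
# and never reads it from the packet.
ALLOWLIST = {"player_panel": GAME, "internal_diag": MAINTENANCE}

@dataclass(frozen=True)
class BusRecord:
    seq: int
    source: str
    command: str

def decide(rec):
    """Return (verdict, reason) for one observed bus command."""
    allowed = ALLOWLIST.get(rec.source)
    if allowed is None:
        return "block", "unknown source"
    if rec.command in allowed:
        return "allow", "permitted for source"
    if rec.command in MAINTENANCE:
        return "block", "maintenance command from non-maintenance source"
    return "block", "command outside this source's whitelist"

def blocked(records):
    """Sequence number and reason for every record the policy rejects."""
    out = []
    for rec in records:
        verdict, reason = decide(rec)
        if verdict == "block":
            out.append((rec.seq, reason))
    return out

# Constructed sample traffic.
SAMPLE = [
    BusRecord(1, "player_panel", "bet"),
    BusRecord(2, "internal_diag", "test_mode"),
    BusRecord(3, "unidentified", "credit_add"),
    BusRecord(4, "player_panel", "payout_ratio"),
    BusRecord(5, "internal_diag", "spin"),
]

if __name__ == "__main__":
    for seq, reason in blocked(SAMPLE):
        print(seq, reason)
```

A correctly formatted maintenance command is still rejected here when its source is not on the whitelist, which is the property the format-only check on the mainboard lacks.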

Secondary countermeasures include disabling unused diagnostic ports so that no external device can access the communication bus through them, changing default maintenance access PINs from factory settings so that even if the attacker sends a configuration command, it requires the proper PIN to execute, and implementing external transaction logging that records all machine activity in an independent log that the machine’s own configuration commands cannot modify. Our guide covers hidden command detection and prevention.

Frequently Asked Questions

Can I see which hidden commands are being sent on my machines?

Yes, if you have a bus monitoring device that logs communication bus activity. The device records every packet on the bus, including hidden commands. You can review the log to see which commands were sent, when, and from what source. If the log shows maintenance commands that you did not initiate, that is a security event requiring investigation. Without a monitoring device, you cannot see hidden commands because the machine does not display them in its normal interface.

Are maintenance technicians a threat for hidden command abuse?

Yes. A technician with legitimate access to the maintenance interface can send hidden commands that affect machine results. The technician might do this maliciously or might do it inadvertently — for example, entering test mode during a repair visit and forgetting to exit before leaving. The solution is to log every maintenance command with timestamp and technician identity, review maintenance logs regularly, and require a second-person verification for specific high-impact commands like payout ratio changes and credit counter adjustments.
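The log review described in this answer, as an added example that is not part of the original article. The log layout, machine and technician names, and timestamps are constructed, and the command names are labels chosen here.

```python
from datetime import datetime

# High-impact commands the article singles out for second-person verification.
HIGH_IMPACT = {"payout_ratio", "counter_adjust"}

# Constructed maintenance log: (timestamp, machine, technician, command, approver)
LOG = [
    ("2024-05-01T09:00:00", "M-01", "tech_a", "test_mode_enter", None),
    ("2024-05-01T09:20:00", "M-01", "tech_a", "test_mode_exit", None),
    ("2024-05-01T10:05:00", "M-02", "tech_b", "payout_ratio", "super_1"),
    ("2024-05-01T10:30:00", "M-03", "tech_b", "counter_adjust", None),
    ("2024-05-01T11:00:00", "M-04", "tech_a", "payout_ratio", "tech_a"),
    ("2024-05-01T11:15:00", "M-05", "tech_c", "test_mode_enter", None),
]

def review(log):
    """Return (machine, command, finding) tuples for entries needing follow-up."""
    findings = []
    open_test = {}  # machine -> (timestamp, technician) of an unclosed test mode
    ordered = sorted(log, key=lambda r: datetime.fromisoformat(r[0]))
    for ts, machine, tech, cmd, approver in ordered:
        # A missing approver, or the technician approving their own change,
        # does not count as second-person verification.
        if cmd in HIGH_IMPACT and (approver is None or approver == tech):
            findings.append((machine, cmd, "no independent second-person approval"))
        if cmd == "test_mode_enter":
            open_test[machine] = (ts, tech)
        elif cmd == "test_mode_exit":
            open_test.pop(machine, None)
    # Anything still open at the end of the log was never exited.
    for machine, (ts, tech) in sorted(open_test.items()):
        findings.append((machine, "test_mode_enter",
                         f"test mode left active by {tech} since {ts}"))
    return findings

if __name__ == "__main__":
    for finding in review(LOG):
        print(finding)
```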

Do all gaming machines have hidden commands?

Yes. All gaming machines have maintenance and diagnostic functionality implemented through hidden commands because they require maintenance. Technicians need to be able to configure machines, diagnose problems, and run test sequences. This functionality is standard and necessary. The vulnerability is not the existence of hidden commands — it is the lack of authentication for those commands. Most machines do not authenticate the source of a hidden command, only the command’s format. This makes them exploitable by attackers who can format a command correctly, regardless of whether they have legitimate maintenance access.

Hidden But Not Undetectable

Hidden commands are invisible by design, but they are not undetectable. A bus monitor that logs all bus activity, an external reconciliation system that compares machine self-reporting against independent measurement, and regular maintenance log review will catch hidden command attacks within hours of their occurrence. The key is to implement monitoring that sees what the machine itself does not choose to show. The machine’s hiding of its hidden commands protects the attacker. Your independent monitoring reverses that protection.
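The reconciliation of machine self-reporting against independent measurement, as an added example that is not from the original article. The event layout, field names, machine names and amounts are constructed; the external events are assumed to come from a logger the machine's own commands cannot reach.

```python
from collections import defaultdict

# Constructed independent measurements: (machine, kind, amount)
EXTERNAL_EVENTS = [
    ("M-01", "cash_in", 100), ("M-01", "cash_in", 50), ("M-01", "paid_out", 40),
    ("M-02", "cash_in", 200), ("M-02", "paid_out", 60), ("M-02", "paid_out", 150),
    ("M-03", "cash_in", 80), ("M-03", "paid_out", 30),
]

# Constructed machine self-reports for the same period.
SELF_REPORT = {
    "M-01": {"cash_in": 150, "paid_out": 40},
    "M-02": {"cash_in": 200, "paid_out": 60},
    "M-03": {"cash_in": 180, "paid_out": 30},
}

def reconcile(events, self_report, tolerance=0):
    """Return (machine, kind, delta) where delta = self-reported - measured.

    Positive cash_in delta: credits recorded without matching cash, consistent
    with credit manipulation. Negative paid_out delta: payouts the machine did
    not record, consistent with suppressed logging.
    """
    measured = defaultdict(lambda: {"cash_in": 0, "paid_out": 0})
    for machine, kind, amount in events:
        measured[machine][kind] += amount
    findings = []
    for machine in sorted(set(measured) | set(self_report)):
        reported = self_report.get(machine)
        if reported is None:
            # Activity was measured but the machine reported nothing at all.
            findings.append((machine, "missing_self_report", None))
            continue
        for kind in ("cash_in", "paid_out"):
            delta = reported[kind] - measured[machine][kind]
            if abs(delta) > tolerance:
                findings.append((machine, kind, delta))
    return findings

if __name__ == "__main__":
    for finding in reconcile(EXTERNAL_EVENTS, SELF_REPORT):
        print(finding)
```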
