How to Check for External Control in Gaming Machines Using Bus Monitoring Tools
A bus monitoring tool connects to the machine’s communication port and observes the traffic on the communication bus without interfering with it. It records every message sent between the mainboard and the peripherals. By analyzing this recorded traffic, the operator can identify external control signals — messages that originate from outside the machine and are injected onto the bus. This article explains how to use bus monitoring tools to check for external control on gaming machines.
What Bus Monitoring Tools Record
A bus monitor records four attributes of each bus message: the timestamp (when the message appeared on the bus), the source (which device sent the message — identified by the device address in the message header), the content (the command or data payload of the message), and the timing interval (the time since the previous message from the same source). These four attributes are sufficient to distinguish legitimate internal messages from external control signals.
A legitimate internal message has a source address that matches one of the machine’s peripheral devices or the mainboard. The command content is one of the commands in the machine’s communication protocol. The timing interval between consecutive messages from the same source is within the normal operating range for that device. An external control signal has a source address that does not match any known device (the attacker’s injected signal uses a different or spoofed address), a command content that is not in the machine’s normal operating repertoire (payout triggers, credit injections, reset commands at improbable times), and a timing interval that is inconsistent with normal peripheral operation (messages that arrive too quickly or at regular intervals unconnected to player activity).
Connecting the Bus Monitor to the Machine
The bus monitor connects to the machine’s external communication port through a splitter cable. The splitter passes communication between the mainboard and peripherals while also delivering a copy of the bus traffic to the monitor. The monitor is passive — it observes the traffic without affecting it. The machine and its peripherals continue to operate normally during monitoring.
Connection procedure: power off the machine. Disconnect the communication cable from the machine’s external communication port. Connect the splitter cable to the port. Connect the original communication cable to the splitter’s pass-through connector. Connect the bus monitor to the splitter’s monitor connector. Power on the machine. Verify that all peripherals function normally (this confirms that the splitter is not degrading the communication signal). Start the monitor’s recording function. The monitor is now recording all bus traffic.
Running the Monitoring Session
A monitoring session typically runs for 2-4 hours and captures 10,000-100,000 messages depending on the machine’s communication activity level. This volume is sufficient to establish the machine’s normal traffic pattern and to catch external control signals if they are active during the monitoring period. For machines with intermittent symptoms (once or twice per week), extend the monitoring session to 24-72 hours to capture the external control signal during the window when it is active.
During the monitoring session, the machine should be operating normally with players present. Player interaction generates communication traffic that provides the baseline for comparison. Also include a period with no players present — idle periods are when external control signals are most visible because there is no legitimate communication traffic to mask them. A message on the bus during an idle period is either an external control signal or a machine-initiated diagnostic message. Diagnostic messages are easily identified by their protocol format — any message that is not a diagnostic message and appears during idle is an external control signal.
Analyzing the Monitoring Data
The bus monitor’s software provides analysis tools that highlight anomalous messages. The most useful analysis tool is the source-address filter: display all messages from source addresses that do not appear in the normal traffic pattern during the baseline period. Any message from an unrecognized source address is an external control signal. The second most useful analysis tool is the command-content filter: display all messages whose command content is not in the machine’s normal operating repertoire. A payout-trigger command, a credit-injection command, or a reset command that appears during a period with no player interaction is an external control signal regardless of its source address.
The third analysis tool is the timing-interval filter: display all messages whose timing interval is shorter than the machine’s minimum inter-message interval or that show a perfectly regular interval (mechanical devices produce slightly irregular intervals due to physical variability — a perfectly regular interval indicates an electronic signal generator, not a mechanical peripheral). Any message that combines two or more of these three anomalies (unrecognized source, unrecognized command, impossible timing) is an external control signal with near-certainty.
What External Control Looks Like in the Monitoring Data
A real example from a venue in Malaysia illustrates the pattern. The bus monitor recorded 87,420 messages over a 4-hour monitoring period. The source-address filter identified 23 messages from source address 0xF4 — an address that did not appear in the normal traffic baseline. The command-content filter identified that 19 of these 23 messages were payout-trigger commands. The timing-interval filter identified that all 23 messages occurred at intervals of exactly 180 seconds — a perfectly regular interval inconsistent with any mechanical peripheral. All 23 messages appeared during idle periods when no legitimate bus traffic was present. The analysis was conclusive: 23 external control signals attempted to trigger unauthorized payouts over 4 hours. The venue installed RF filters and the external control signals stopped. The monitoring data provided the evidence that identified the attack method and confirmed that the protection was effective.
Frequently Asked Questions
Q: Does the bus monitor affect machine performance or revenue during monitoring?
A: No. The monitor is passive — it observes bus traffic without injecting signals or modifying messages. The machine operates identically with or without the monitor connected.
Q: How much does a bus monitoring tool cost?
A: Basic monitors with recording and basic analysis cost 200-500 dollars. Advanced monitors with protocol decoding and automated anomaly detection cost 1000-3000 dollars. The basic monitor is sufficient for confirming external control. The advanced monitor provides more diagnostic information for identifying the specific attack method.
Q: Can I leave the bus monitor permanently connected?
A: Yes. Many operators leave a basic monitor permanently connected to provide continuous surveillance. The monitor records continuously and the operator reviews the data weekly or when symptoms appear. Permanent monitoring detects intermittent external control that might be missed by a 2-4 hour monitoring session.
If you suspect external control on your gaming machines, connect a bus monitoring tool and run a monitoring session for 2-4 hours (or longer for intermittent symptoms). The analysis identifies external control signals with near-certainty. Contact us for bus monitor recommendations compatible with your machine models.