The trajectory

How a proprietary PoS was reverse-engineered from the outside in

A chapter-by-chapter walkthrough: the 50 restaurants that said no, the concierge MVP that proved demand, the MITM capture that cracked the protocol, the APK decompile that filled in the gaps, and the agent that runs in production today.

Chapters

  1. Chapter 00

    Overview

    A payment product that required reverse-engineering a proprietary PoS to ship. Here is what we did and why.

  2. Chapter 01

    The wall

    50 nos, one yes — and what finally made the first restaurant say yes.

  3. Chapter 02

    Concierge MVP

    Two founders, two phones, one dining room, and roughly 20 payments processed by hand.

  4. Chapter 03

    The hypothesis

    Can we remove ourselves from the loop? The answer turned on whether we could talk to the PoS the way the waiter's handheld did.

  5. Chapter 04

    The environment

    The restaurant LAN, the PoS server, the Android handhelds, the vendor cloud — and what we could actually see.

  6. Chapter 05

    Becoming the middle

    We had to listen to a protocol we couldn't see. So we sat between the handheld and everything it talked to.

  7. Chapter 06

    What the packets said

    Wireshark on the laptop, TLS pinning on the cloud side, plaintext TCP on the LAN side, and base64 JSON in a custom envelope.

  8. Chapter 07

    Three problems

    Cloud auth we couldn't see, PoS credentials we didn't have, and a query language nobody wrote down.

  9. Chapter 08

    APK over EXE

    Two clients spoke the same protocol. We picked the easier one to decompile.

  10. Chapter 09

    What fell out of the APK

    We stripped the handheld APK, converted its bytecode, and read what the obfuscator forgot to hide — delimiter bytes, a TCP target, and a message builder.

  11. Chapter 10

    The protocol

    Delimiter bytes, opcodes, and base64 JSON in certain fields — the reverse-engineered query language, stated plainly.

  12. Chapter 11

    The agent

    FastAPI in Python: a TokenManager that persists a working session, a TCP client that speaks the protocol, and a REST facade over Tailscale.

  13. Chapter 12

    What it proved

    A PoS with no public API now drives WhatsApp-native checkout in a real restaurant, every night. What that is and is not evidence of.
