Secure validator platforms.
A validator is the single most security-critical piece of hardware an operator deploys at scale. We design validator platforms that hold up to physical tamper, environmental stress, and the operational reality of fleets of thousands of unattended units.
Design principles
SAM-protected by default
Issuer keys live in a SAM AV2 / AV3, never in firmware. Field-replaceable; one tampered validator does not compromise the fleet.
Tamper-evident enclosure
Housing fits anti-tamper switches, conformal-coated PCBs, sealed connectors. Detached → audit log entry.
Signed firmware
Boot ROM verifies signed firmware images. Anti-rollback counter prevents downgrade attacks.
Buffered, signed receipts
SAM-signed transaction receipts buffered on tamper-evident storage. Lost-power tolerant; lost-network tolerant.
Latency-bounded crypto
Tap-to-decision design budget < 300 ms even with mutual auth + TMAC + audit write. See the closed-loop center.
Field-serviceable
SAM, RF antenna, and data-storage modules are FRUs. A field tech swaps in 5 minutes; a depot tech in 30 seconds.
Form factors
Three live in production: gate / turnstile, on-vehicle, handheld. Same trust chain — the only thing that differs is depot-sync cadence and power profile. Detail in the Card ↔ Reader ↔ SAM deep-dive.
Designing a validator platform?
From PCB to firmware to SAM personalisation, the Ambimat team has shipped each layer. Forty years of embedded; a decade of secure validators.