PAYGSolarSHSToken LockingAES-128Mobile MoneyM-PesaOEM

PAYG Solar Token-Based Locking: Hardware, Encryption & Mobile Money Integration Guide

19 min readJuly 2026

Introduction: The $127 Billion Market That Runs on Tokens

Across sub-Saharan Africa, over 600 million people lack access to grid electricity. The off-grid solar home system (SHS) market is projected to reach $127 billion by 2030 — not despite the absence of traditional banking infrastructure, but because of an innovation that bypasses it entirely: Pay-As-You-Go token-based locking. The PAYG model works like this: a customer in rural Kenya pays 50 KES ($0.35) via M-Pesa on their feature phone. Within seconds, they receive an SMS containing a 12-digit numeric token. They enter this token on the physical keypad of their S80 solar home system. The onboard microcontroller validates the token cryptographically and activates the system for another 24 hours. No internet connection is required at the SHS unit. No bank account. No credit check. No smartphone. Just a feature phone, a mobile money account, and a 12-digit code. For energy access distributors, this model eliminates credit default risk entirely — the hardware enforces payment compliance. For OEMs and brands entering the off-grid solar market, the PAYG token-locking controller is the single most critical subsystem in the product. Get it wrong, and your fleet of 50,000 deployed units becomes a $2.5 million write-off. Get it right, and you unlock a recurring-revenue business model with 90%+ collection rates and customer lifetime values exceeding $400 over 36 months. This guide covers the complete architecture of a production-grade PAYG token-locking system — from AES-128 hardware encryption and anti-tamper MCU design to mobile money API integration and distributor fleet management.

1. The Token Lifecycle: From Mobile Money Payment to Hardware Unlock

Understanding the end-to-end token lifecycle is essential before diving into the hardware and software architecture. Step 1 — Payment: the end customer initiates a mobile money payment via USSD or a mobile app. The payment is processed by the mobile network operator's (MNO) mobile money platform — M-Pesa (Safaricom/Vodacom) in East Africa, MTN Mobile Money in West Africa, Airtel Money across 14 African countries, or bKash in Bangladesh. Step 2 — Token Generation: the distributor's cloud platform receives a payment confirmation webhook from the MNO's API. The platform generates a unique activation token using AES-128 encryption with: the device's unique serial number (provisioned at the factory and stored in write-once memory), the activation duration in hours (24, 168, 720, or 2,160 for daily, weekly, monthly, or quarterly plans), a timestamp validity window (typically ±12 hours to account for SMS delivery delays), and a cryptographic checksum to detect transmission errors. Step 3 — Token Delivery: the token is delivered to the customer via SMS using the MNO's bulk SMS gateway or an aggregator like Africa's Talking or Twilio. Step 4 — Token Entry: the customer enters the token on the SHS unit's physical keypad. Step 5 — Offline Validation: the onboard MCU decrypts the token using the same AES-128 key (stored in secure hardware — never in firmware flash), verifies the serial number, checks the timestamp validity window, and activates the system for the purchased duration. Step 6 — Expiry: when the purchased time elapses, the MCU disconnects the battery output via a hardware MOSFET switch. The system is physically disabled until a new valid token is entered. This entire cycle — payment to unlock — can complete in under 30 seconds from the customer's perspective. The critical engineering insight is that validation occurs entirely offline on the SHS unit. The device does not need cellular connectivity, Wi-Fi, or any network access to validate a token. This is what makes the system viable in remote off-grid locations where cellular coverage is intermittent or nonexistent. [Explore our PAYG-enabled S80 solar home system with integrated hardware token controller](https://szsxsaw.com/products/shs-energy/s80-payg-solar-system).

2. AES-128 Hardware Encryption: The Silicon Foundation of Trust

The cryptographic core of a PAYG token-locking system is AES-128 — the Advanced Encryption Standard with a 128-bit key length. AES-128 is chosen over AES-256 not for weaker security but for a pragmatic reason: the 10-round AES-128 algorithm can be executed on a low-power ARM Cortex-M0 MCU in under 500 microseconds at 48 MHz, consuming approximately 0.5 μA·h per operation from a 3.7 V battery. AES-256's 14 rounds would consume 40% more energy per operation — a meaningful difference for a system that may perform dozens of token validations on a single battery charge. The AES-128 key is generated at the factory using a hardware true random number generator (TRNG) integrated into the MCU's secure element. The key is written once to a dedicated EEPROM page with hardware write-protect fuses blown after programming — making it physically impossible to extract or modify the key through any software or JTAG/SWD debug interface. When the customer enters a 12-digit token, the MCU: converts the token from decimal to binary, decrypts it using the AES-128 engine in Electronic Codebook (ECB) mode, verifies that the decrypted serial number matches the device's own serial, checks the activation duration and timestamp window, and if valid, writes the new expiry time to the real-time clock (RTC) alarm register and re-enables the battery output MOSFET. At no point is the AES key transferred off the device, stored in firmware, or accessible through any debug interface. Even if an attacker physically desolders the MCU and attempts to extract the firmware via invasive techniques, the key is stored in a separate secure EEPROM page that is not readable through the MCU's memory map — the AES engine accesses it directly through a dedicated hardware bus. For fleet operators managing tens of thousands of SHS units, the token-generation server generates tokens using the same AES-128 key, indexed by device serial number. The server-side key database is stored in a Hardware Security Module (HSM) or a cloud-based key management service (AWS KMS, Azure Key Vault). Key rotation is supported: the MCU firmware can store up to four keys (active, next, and two deprecated) to allow seamless key rotation across a deployed fleet without interrupting service. [Request the full PAYG security architecture whitepaper and key management documentation](https://szsxsaw.com/contact).

3. Anti-Tamper Hardware Design: Making Physical Attacks Impractical

A deployed SHS unit in the field is physically accessible to the customer 24 hours a day. This creates an obvious attack vector: if a customer can bypass the token-locking mechanism, they get free electricity indefinitely. The anti-tamper design must make bypassing the hardware lock more expensive and technically difficult than simply paying for the service. The primary tamper-resistance layers include: Debug Interface Fuse Blowing — the MCU's JTAG and SWD debug interfaces are permanently disabled after factory programming by blowing the hardware security fuses. Once blown, these fuses cannot be restored. The MCU can still be programmed via the bootloader, but the bootloader requires a signed firmware image verified against a public key stored in write-once memory. Enclosure Tamper Detection — the SHS enclosure includes a mechanical tamper switch connected to a dedicated MCU GPIO pin with an internal pull-up. If the enclosure is opened, the switch opens, the GPIO pin goes high, and the MCU immediately: disconnects the battery output, writes a tamper event to the EEPROM log, and requires a special reset-tamper token from the distributor's platform (not the customer's regular payment token) to re-enable the system. This makes physical tampering detectable and auditable — the distributor knows exactly which units have been tampered with and when. MOSFET Output Disconnect — the battery output MOSFET is a normally-off N-channel device in a high-side configuration, driven by a dedicated gate driver with an enable line controlled by a GPIO pin. If the MCU is removed from the PCB, the GPIO pin floats and the gate driver defaults to off. Shorting the MOSFET drain and source is possible but requires soldering skill and access to the internal PCB — both of which are detectable during the next maintenance visit. Secure Boot with Signed Firmware — the MCU bootloader verifies the cryptographic signature of the application firmware against the manufacturer's public key before executing it. Any modified firmware will fail signature verification, and the MCU will refuse to boot. This prevents attackers from flashing custom firmware that skips the token validation routine. At Shengxin, our S80 PAYG solar system implements all four tamper-resistance layers as standard. For OEM customers requiring enhanced security for high-risk deployment regions, we offer a variant with an epoxy-potted PCB (filling the entire enclosure interior with a hardened epoxy that makes physical access to the PCB destructive to the components). [Discuss your anti-tamper requirements with our engineering team](https://szsxsaw.com/contact).

4. Mobile Money Integration: Connecting Hardware to Africa's Payment Rails

The hardware token-locking mechanism is only half the system. The other half is the cloud platform that accepts mobile money payments and generates tokens. For a distributor deploying PAYG SHS units in 10 African countries, this platform must integrate with at least 15 different mobile money APIs — each with its own authentication method, webhook format, and reconciliation process. The major mobile money APIs and their integration patterns are: M-Pesa (Safaricom, Kenya / Vodacom, Tanzania) — the dominant platform in East Africa with 50+ million active users. M-Pesa provides a REST API (Daraja) for: C2B (Customer-to-Business) payment initiation via STK Push — the platform sends a USSD prompt to the customer's phone requesting payment confirmation, B2C (Business-to-Customer) for refunds, and account balance and transaction status queries. The STK Push flow is: distributor's platform → M-Pesa API → customer's phone displays a USSD prompt → customer enters PIN → M-Pesa debits account → sends webhook confirmation to distributor's platform → token generated and delivered via SMS. MTN Mobile Money (MTN Group, 15+ African countries) — provides a REST API (MoMo API) with OAuth 2.0 authentication. The API covers: collection (request payment from customer), disbursement (send money to customer), and account inquiry. The OAuth flow requires: creating an API user, generating an API key, and obtaining a bearer token with a 1-hour expiry. Airtel Money (Airtel Africa, 14 countries) — provides a SOAP-based API with HTTP Basic Authentication. Supports: bill payments, merchant payments, and airtime top-up. Integration typically requires an aggregator middleware such as Africa's Talking, Beyonic, or Hubtel to normalise the API differences across MNOs. For a PAYG distributor, the recommended architecture is to implement a single payment abstraction layer that accepts a standardised internal payment request format and maps it to the appropriate MNO-specific API call based on the customer's registered mobile money provider. This abstraction layer handles: MNO-specific authentication, API call formatting, retry logic for network timeouts (exponential backoff with a maximum of 3 retries), idempotency (the same payment request must not generate two tokens), and reconciliation (matching payment webhooks to token generation records for financial auditing). Shengxin provides a reference implementation of this payment abstraction layer as part of the S80 OEM programme. For distributors who already operate their own payment platform, we provide the token-generation API specification and client SDK in Python, Node.js, and Java — enabling you to integrate token generation into your existing payment flow within a single engineering sprint. [Request the PAYG platform API documentation and SDK](https://szsxsaw.com/contact).

5. Fleet Management at Scale: Managing 50,000 Units from a Dashboard

A PAYG SHS distributor with 50,000 deployed units needs to monitor the status of every unit in near real-time, identify units approaching token expiry, detect tamper events, and generate financial reports for investors and MNO partners. The fleet management platform must provide: Unit Status Monitoring — for each deployed unit, the platform tracks: current activation status (active, expired, tampered), remaining activation time (hours until expiry), last token entered (timestamp and token ID), total activation time purchased (life-to-date), and tamper event log. For units with optional cellular modules (4G Cat-M1 or NB-IoT), this data is uploaded in real time. For offline-only units, the data is buffered on the device and uploaded when the unit is connected during a maintenance visit. Payment Reconciliation — every token generated is linked to a specific payment transaction and a specific device serial number. The platform produces daily reconciliation reports showing: total payments received, total tokens generated, tokens not yet entered by customers (indicating SMS delivery failure or customer confusion), and devices approaching expiry with no recent payment (churn risk). Geospatial Analytics — for units with GPS or cellular-based geolocation, the platform maps the deployment on a GIS dashboard, colour-coded by activation status. This enables the distributor to: identify geographic clusters of expiring units for targeted field-agent visits, plan optimal routes for maintenance crews, and detect units that have been moved from their registered location (potential theft or unauthorised resale). Shengxin's S80 PAYG platform is available as a white-label SaaS solution for distributors who want to go to market immediately, or as an on-premise deployment for larger energy-access companies with existing IT infrastructure. The platform supports API-based integration with any mobile money provider and includes the token-generation engine, fleet dashboard, and financial reporting module. [Schedule a demo of the S80 PAYG fleet management platform](https://szsxsaw.com/contact).

6. The OEM Path: Launching Your Branded PAYG Solar Product in 90 Days

For brands and distributors entering the PAYG solar market, the fastest path to market is a white-label OEM partnership with an experienced hardware manufacturer. With Shengxin, the programme follows four phases. Phase 1 — Product Selection and Token Engine Configuration (2–3 weeks): select the S80 as your hardware platform. We configure the token engine with your branding — your company name in the SMS template, your customer support number, your payment platform URL. We deliver 10 engineering samples pre-loaded with your branded token engine firmware, plus the complete security documentation package (AES-128 key management guide, anti-tamper verification report, token-generation API specification). Phase 2 — Mobile Money Integration and Pilot (4–6 weeks): our engineering team integrates the token-generation API with your chosen mobile money provider(s). For a single MNO integration (e.g., M-Pesa only), this typically requires 2–3 weeks of development and testing. We support the integration sprint with: API sandbox access, pre-configured webhook endpoints, test tokens for end-to-end validation, and load-testing at simulated volumes of 10,000 transactions per hour. You deploy 100–500 branded pilot units to your target market. Phase 3 — Mass Production (4–6 weeks lead time): 1,000–10,000+ units per month from dedicated production lines at our Jinan PCBA facility. Every unit undergoes: token-generation and validation testing with 50 random tokens, keypad functional test (all 12 buttons, 10,000 actuations), tamper-detection circuit verification, and 48-hour burn-in with automated token cycling. Phase 4 — Ongoing Support: firmware updates, security patches, new MNO integration, and next-generation hardware co-development. Throughout the programme, you have a single dedicated project engineer as your point of contact. We do not hand you off to a general support queue after the pilot phase. [Begin your S80 PAYG white-label OEM qualification](https://szsxsaw.com/contact). [Browse our complete SHS energy product line](https://szsxsaw.com/products/shs-energy).

Conclusion: The Token Is the Business Model

In the off-grid solar industry, the hardware — the solar panel, the battery, the inverter — is a commodity. Any manufacturer can source a Grade A LiFePO4 cell and a pure sine wave inverter. The defensible competitive advantage is the PAYG token-locking system. It is the component that converts a one-time hardware sale into a 36-month recurring revenue stream. It is the component that eliminates credit default risk — the hardware, not a collections agent, enforces payment compliance. It is the component that makes a $120 SHS unit financeable at $5 per month, transforming an unaffordable upfront purchase into a manageable recurrent expense for a rural household earning $3 per day. At Shengxin, we have been manufacturing PAYG-enabled solar hardware since 2019. Our AES-128 token engine has processed over 12 million token validations in the field — with a validation failure rate below 0.02%. Our S80 PAYG solar system is pre-integrated with the major African mobile money platforms, ships with a white-label SaaS fleet management dashboard, and is backed by five production bases and a dedicated OEM engineering team. You bring the distribution network and the customer relationships. We bring the token engine, the hardware, and the manufacturing scale. [Request the S80 PAYG OEM partnership proposal and begin your qualification process](https://szsxsaw.com/contact).

Questions about this topic? Contact our engineering team.

Contact Engineering