$$\ $$\ $$$$$$\ $$$$$$$$\ $$$$$$$$\ $$$$$$\
$$$\ $$ |$$ __$$\\__$$ __|$$ _____|$$ __$$\
$$$$\ $$ |$$ / $$ | $$ | $$ | $$ / \__|
$$ $$\$$ |$$ | $$ | $$ | $$$$$\ \$$$$$$\
$$ \$$$$ |$$ | $$ | $$ | $$ __| \____$$\
$$ |\$$$ |$$ | $$ | $$ | $$ | $$\ $$ |
$$ | \$$ | $$$$$$ | $$ | $$$$$$$$\ \$$$$$$ |
\__| \__| \______/ \__| \________| \______/
-------------------------------------------------------------------
HOME | TOR | GITHUB | MASTODON | NOTES | ABOUT | CONTACT | LOGIN
-------------------------------------------------------------------
+--------------------+-------------+---------------------+------+---------+-----+
| TOUCHTUNES_JUKEBOX | KESTREL_BLE | CHEMION_LED_GLASSES | MATH | IRIDIUM | LTE |
++---------------------------+-----------------+-----------------+-------------++
| DUMPING_NRF51822_FIRMWARE | YAESU_VX-7R_RPi | UNIPAGER POCSAG | MMDVM_GM300 |
+---------------------------+-----------------+-----------------+-------------+
████████╗ ██████╗ ██╗ ██╗ ██████╗██╗ ██╗████████╗██╗ ██╗███╗ ██╗███████╗███████╗
╚══██╔══╝██╔═══██╗██║ ██║██╔════╝██║ ██║╚══██╔══╝██║ ██║████╗ ██║██╔════╝██╔════╝
██║ ██║ ██║██║ ██║██║ ███████║ ██║ ██║ ██║██╔██╗ ██║█████╗ ███████╗
██║ ██║ ██║██║ ██║██║ ██╔══██║ ██║ ██║ ██║██║╚██╗██║██╔══╝ ╚════██║
██║ ╚██████╔╝╚██████╔╝╚██████╗██║ ██║ ██║ ╚██████╔╝██║ ╚████║███████╗███████║
╚═╝ ╚═════╝ ╚═════╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝╚══════╝╚══════╝
██╗██╗ ██╗██╗ ██╗███████╗██████╗ ██████╗ ██╗ ██╗
██║██║ ██║██║ ██╔╝██╔════╝██╔══██╗██╔═══██╗╚██╗██╔╝
██║██║ ██║█████╔╝ █████╗ ██████╔╝██║ ██║ ╚███╔╝
██ ██║██║ ██║██╔═██╗ ██╔══╝ ██╔══██╗██║ ██║ ██╔██╗
╚█████╔╝╚██████╔╝██║ ██╗███████╗██████╔╝╚██████╔╝██╔╝ ██╗
╚════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝ ╚═════╝ ╚═╝ ╚═╝
//=====< 2019-11-21T08:58:58+00:00 >==============================================\\
|| ||
|| Hi again! ||
|| ||
|| I'm not a big fan of writing blogs so I figure shearing my notes on ||
|| what I've been working on be a good compromise. Below is the story of ||
|| the first cool thing I've done with a radio. :3 ||
|| ||
|| When I used to go to bars, I always thought to myself how neat it would ||
|| be to just play music from the Jukebox for free. You know? like 'The Fonz' ||
|| from the 70's sitcom 'Happy Days'? My target was an IOT jukebox made by ||
|| TouchTunes®️ and they where popular in the Seattle area. After reading up ||
|| on some of their manuals, I learned that they used a wireless remote that ||
|| TXed on 433.92MHz. Promotional credits where another feature I found that ||
|| could be exploited with the remote. Armed with that knologe, I bought ||
|| myself a remote from eBay for about $40. ||
|| ||
|| Having never done this before, I Youtubed everything I could on reversing ||
|| wireless protocols. I realy owe thanks for the foaks at Hak5 and Michael ||
|| Osman from GSG for spending the time to create detailed videos on the ||
|| the topic. Using a HackRF and the program inspectrum I was able to learn ||
|| enough about the wireless remote to program a Yard Stick One to stream ||
|| line the process. The next step was to the record all the messages and ||
|| compare them with each other. ||
|| ||
|| TL;DR, when I first looked at this protocol, I only knew the modulation ||
|| type (ASK/OOK), the symbol rate (1766), preamble (0xFFFF00), and the ||
|| encoded sync word. Not knowing what the encoding method was I recorded ||
|| every possable message from pin 000 to 255, created three ugly look up ||
|| tables, and used a little Python hackery to make it work! And it did! ||
|| ||
|| About a year later, a VERRY talented person (Furrtek) ported my work ||
|| over to his portapack firmware fork, Havoc. I didn't figure this out ||
|| untill I updated my portapack with his firmware. TBH I was a bit tickled ||
|| to see a TX option for TouchTunes®️ at the bottom. definitely a feel good ||
|| moment! :D ||
|| ||
|| So not only did he port my work, he also figured out the encoding schema ||
|| from my hacked together code. It turned out to be NEC which is an IR ||
|| protocol used for TV remotes. NEC is simple, 1's are encoded to (1 0 0 0) ||
|| which for OOK is (ON OFF OFF OFF) per the symbol rate and 0's are just ||
|| (1 0) or (ON OFF). NEC isn't something wireless engineers go out of their ||
|| way to use for a fire and forget application but there it was. :D ||
|| ||
|| With a better understanding of how the TouchTunes®️ remotes worked, I ||
|| updated my code to encode and decode the NEC protocol. I also added a few ||
|| other 'features' such as a brute forcing method where it runs a command ||
|| from pin 000 to 255 and an Electronic Warfare (EW) mode. EW is DOD speak ||
|| for jamming when you want to jam and not jamming when you don't want to ||
|| jam... Clear as mud? If not read the sorce code because it's unlawful AF! ||
|| Only use EW mode for testing and in a closed RF environment! ||
|| ||
|| --> Test Environment: IMG ||
|| --> FFT: IMG ||
|| ||
|| SO! if you're interested in poking some jukeboxs feel free and check out ||
|| 'The-Fonz' project for the Yard Stick One. Furrtek also ported this over ||
|| to the portapack with the Havor firmware. Also, I wrote an app for the ||
|| goodwatch project so this research is now supported on three platforms! ||
|| :D ||
|| ||
|| --> The-Fonz: https://github.com/notpike/The-Fonz ||
|| --> Havoc: https://github.com/furrtek/portapack-havoc ||
|| --> Mayhem: https://github.com/eried/portapack-mayhem ||
|| --> goodwatch: https://github.com/travisgoodspeed/goodwatch ||
|| ||
|| ||
|| ====================================================================== ||
|| ||
|| ||
|| Below is all the technical data regarding the remote... ||
|| ||
|| * FCC ID: 2AHXI-T1 ||
|| * FCC Info: https://fccid.io/2AHXI-T1 ||
|| * Frequency: 433.92MHz ||
|| * Modulation: ASK/OOK ||
|| * Protocol: NEC ||
|| * Symbol Rate: 1766 ||
|| * Symbol Period: 566us ||
|| ||
|| ==NEC Format== ||
|| * Short(0): 10 (ON OFF) ||
|| * Long (1): 1000 (ON OFF OFF OFF) ||
|| ||
|| * Structure: {PREAMBLE} {SYNC} {PIN} {COMMAND} {TAIL} ||
|| * Preamble (Literal Symbols): 0xFFFF00 ||
|| * Sync (Decoded NEC): 0x5D ||
|| * PIN 000-255 (Decoded NEC): 0x00-0xFF (LSB) ||
|| * Tail (Literal Symbols): 0x8 ||
|| ||
|| * Commands: ||
|| * Note: Commands are doubled with the 2nd half being reversed. ||
|| For example, Pause 0x32 will translate to 0x3223 before ||
|| being encoded to the literal symbols. \xA8\x8A\x8A\xA2\xA8\x80 ||
|| ||
|| 0x32, // Pause ||
|| 0x78, // On/Off ||
|| 0x70, // P1 ||
|| 0x60, // P2 Edit Queue ||
|| 0xCA, // P3 Skip ||
|| 0x20, // F1 Restart ||
|| 0xF2, // Up ||
|| 0xA0, // F2 Key ||
|| 0x84, // Left ||
|| 0x44, // OK ||
|| 0xC4, // Right ||
|| 0x30, // F3 Mic A Mute ||
|| 0x80, // Down ||
|| 0xB0, // F4 Mic B Mute ||
|| 0xF0, // 1 ||
|| 0x08, // 2 ||
|| 0x88, // 3 ||
|| 0x48, // 4 ||
|| 0xC8, // 5 ||
|| 0x28, // 6 ||
|| 0xA8, // 7 ||
|| 0x68, // 8 ||
|| 0xE8, // 9 ||
|| 0x18, // * Music_Karaoke ||
|| 0x98, // 0 ||
|| 0x58, // # Lock_Queue ||
|| 0xD0, // Zone 1 Vol+ ||
|| 0x90, // Zone 2 Vol+ ||
|| 0xC0, // Zone 3 Vol+ ||
|| 0x50, // Zone 1 Vol- ||
|| 0x10, // Zone 2 Vol- ||
|| 0x40, // Zone 3 Vol- ||
|| ||
|| ==Example== ||
|| * Command: Pin 000 - On/Off ||
|| * Literal Symbols HEX: ffff00 a2888a2 aaaa 8888aa2aa2220 ||
|| * Literal Symbols BIN: 11111111111111110000 10 1000 10 1000 1000 1000 ||
|| 10 1000 10 10 10 10 10 10 10 10 10 1000 1000 ||
|| 1000 1000 10 10 10 1000 10 10 10 10 1000 1000 ||
|| 1000 100000 ||
|| ||
|| * Decoded Symbols: PREAMBLE S L S L L L S L ||
|| S S S S S S S S S L L L L ||
|| S S S L S S S S L L L TAIL ||
|| ||
|| ||
|| -- NotPike ||
|| ||
\\================================================================================//
\
\ ^__^
\ (><)\_______
(__)\ )\/\
||----w |
|| ||