|
|
|
|
|
|
by redfast00
1221 days ago
|
|
|
The idea is indeed to communicate with the tags with their stock firmware (not necessarily using another CC2510, since these aren't made anymore, but that's a possibility). AES is symmetric cryptography, so that should be possible to extract from the firmware. The tags also show a QR code when the aren't initialized yet, this is likely the setup key. I also read that even if tags are already initialized, it's still possible to reset them with some kind of PUK (not sure how to get that PUK though) I couldn't find a datasheet for the e-paper screen, so even if re-implementing communication with stock firmware proves to be infeasible, I'll still need the dumped firmware to figure out how the e-paper screen is controlled. |
|
|
There's nothing too special in the firmware, just a state machine that's sleeping most of the time to save power, and wakes up the device at regular interval in its own designated time slot to listen to the radio briefly if the base station is trying to address it, then receives the pricetag image via radio and copies it to the flash and updates the screen if needed, then goes back to sleep. IIRC, the time slots are, from 0 to 255, with 256 being the broadcast address, and the last HEX byte in the serial number sticker is also its timeslot number.
The only juicy part in the FW, if you can find it, would be the waveform for the e-ink display, as those are e-ink confidential most of the time for some bizarre reason. It's not like there are no waveforms already on the internet for displays like that, but e-ink likes to keep the really good waveforms for themselves and their best customers.
Thanks for the trip down memory lane. Good times.