by dutch_scrambler 1221 days ago
Ah, I vaguely remember those old price tags, as it's been such a long time. To sniff their RF traffic, best use another CC2510 and TI's own packet sniffer app. Their RF protocol is an extension of the default one from TI's application notes for the CC2510, so it's pretty easy to read out. The AES key extraction would be useless, as it's using CBC and a unique per-device IV and NONCE are used, which are random, so if you crack one then it's just that one; you won't be able to alter the prices of the entire shop to your desire.

There's nothing too special in the firmware, just a state machine that's sleeping most of the time to save power, and wakes up the device at regular intervals in its own designated time slot to listen to the radio briefly in case the base station is trying to address it, then receives the price tag image via radio, copies it to the flash and updates the screen if needed, then goes back to sleep. IIRC, the time slots are from 0 to 255, with 256 being the broadcast address, and the last HEX byte in the serial number sticker is also its timeslot number.

The only juicy part in the FW, if you can find it, would be the waveform for the e-ink display, as those are e-ink confidential most of the time for some bizarre reason. It's not like there are no waveforms already on the internet for displays like that, but e-ink likes to keep the really good waveforms for themselves and their best customers.

Thanks for the trip down memory lane. Good times.
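A small model of the slotted wake-up scheme the comment above describes (slots 0 to 255 per tag, slot 256 as broadcast, slot taken from the last hex byte of the serial sticker), written here as an added illustration rather than code from the commenter or from any real tag firmware. The serial format, the `PriceTag` class and `run_frame` are assumptions of this model; the tag only leaves sleep in its own slot or the broadcast slot, which is what keeps the duty cycle low.

```python
BROADCAST_SLOT = 256  # per the comment: 0-255 are per-tag slots, 256 is broadcast
SLOTS_PER_FRAME = BROADCAST_SLOT + 1


def slot_from_serial(serial: str) -> int:
    """Derive a tag's listen slot from the last hex byte of its serial sticker.

    Assumption of this model: the sticker ends in two hex digits (e.g. 'A1B2C3-0F').
    """
    last_byte = serial.strip()[-2:]
    slot = int(last_byte, 16)
    if not 0 <= slot <= 255:
        raise ValueError(f"slot {slot} outside 0..255")
    return slot


class PriceTag:
    """Minimal state machine: asleep except in its own slot or the broadcast slot."""

    def __init__(self, serial: str):
        self.serial = serial
        self.slot = slot_from_serial(serial)
        self.image = None      # last image written to flash / shown on the display
        self.wakeups = 0       # how often the radio was switched on this frame

    def listens_in(self, slot: int) -> bool:
        return slot == self.slot or slot == BROADCAST_SLOT

    def on_slot(self, slot: int, frame) -> bool:
        """Advance one slot; returns True if the tag woke up for it."""
        if not self.listens_in(slot):
            return False                      # stays asleep, saves power
        self.wakeups += 1
        if frame is not None and frame.get("image") != self.image:
            self.image = frame["image"]       # copy to flash and refresh screen
        return True


def run_frame(tags, transmissions):
    """Simulate one full frame. transmissions maps slot -> frame dict sent by the base."""
    for slot in range(SLOTS_PER_FRAME):
        frame = transmissions.get(slot)
        for tag in tags:
            tag.on_slot(slot, frame)
    return {t.serial: (t.image, t.wakeups) for t in tags}


def listen_fraction() -> float:
    """Share of slots in which any single tag has its radio on (own slot + broadcast)."""
    return 2 / SLOTS_PER_FRAME
```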

> e-ink likes to keep the really good waveforms for themselves and their best customers.

Any real evidence for this?

Thanks for the information! I think I know who you are, and I understand why you chose to comment with a throwaway handle ;)