Partial reverse-engineering the NDP 2016 LED Wristband
Partial reverse-engineering of the NDP 2016 LED Wristband
Hackware v2.1 (31 Aug 2016)
By: Yeo Kheng Meng
https://github.com/yeokm1/reverse-engineering-ndp2016-wristband
http://yeokhengmeng.com/2016/08/partial-reverse-engineering-the-ndp-2016-led-wristband/
Background
• Singapore gained independence on 9 August 1965
• 51st National Day Parade (NDP) on 9 August 2016
• NDP 2016 held at National Stadium for $39.4 mil
http://www.straitstimes.com/singapore/ndp-goodie-bag-packs-futuristic-feel
[Images: LED Wristband; Goodie bag contents]
Wristband in action
• Preview 2 on 30 July 2016
• Colour theme for each segment
• Band blinks the colour required
• Blinks red when shaken post-event
Wristband blinking: https://www.youtube.com/watch?v=EPwxPJhlR4M
Wristband colour change: https://www.youtube.com/watch?v=XepiuPZ2TzA
Research
• Band manufactured by Pixmob: http://pixmob.com/
1. Professional (1500 to 150000 attendees) runs on infrared
2. Spark (Up to 1500 attendees) runs on Bluetooth Low Energy
Teardown
Front
• IR1: Infrared Receiver
• LED1: RGB LED
• IC1: Atmel AT24C02S 2KB, 2-Wire Serial EEPROM (SOT23-5 package)
• IC2: Abov 81F4204R 8-bit microcontroller (MCU) with 4KB ROM and 192B RAM (TSSOP16 package)
Back
• Single-axis accelerometer
• CR2032 battery holder
Hardware Reverse Engineering
• With my Fluke 87 V
Reverse-engineered schematic
• Programming Pads SDATA, SCK
• Purpose of R2 and R6?
• AT24C02S EEPROM uses I²C bus
• MCU does not have hardware I²C
• Pixmob engineers probably bit-bang GPIO
• AT24C02S’s WP pin shorted to GND
• Write-protection disabled
Parts
• Single-axis accelerometer
• CR2032 battery holder
• IR1: Infrared Receiver
• LED1: RGB LED
• IC1: Atmel AT24C02S 2KB, 2-Wire Serial EEPROM (SOT23-5 package)
• IC2: Abov 81F4204R 8-bit microcontroller (MCU) with 4KB ROM and 192B RAM (TSSOP16 package)
Reverse Engineering approaches
1. Aim TV remotes at it
2. Dump and analyse the assembly code to derive the IR combinations
3. Brute force the IR code combination
(Failed attempt to) Brute force IR Protocol
• IR Brute Forcer
• Microview
• ATmega328p
• OLED screen
• IR LED
• Photocell
Potential Work
• Dump the ROM
• Get IR Protocol from Pixmob