Post AztDU9JVzxdRbeaYpU by timjclevenger@infosec.exchange
(DIR) More posts by timjclevenger@infosec.exchange
(DIR) Post #Azt4Cb8iu8C76h64pM by foone@digipres.club
2025-11-04T01:56:40Z
0 likes, 1 repeats
California uses a radio-tag system called FasTrak for vehicles, and recently they sent me a new tag. So naturally I had to open up the old tag, right?
(DIR) Post #Azt4JGXTtaObF4rBFw by SvenGeier@mathstodon.xyz
2025-11-04T01:57:50Z
0 likes, 0 repeats
@fooneWho wouldn't?
(DIR) Post #Azt4N85nF2qsChkSQ4 by ElsaPreme@chaosfem.tw
2025-11-04T01:58:14Z
0 likes, 0 repeats
@fooneOh I want to see this. I have one too.
(DIR) Post #Azt4XZ2HvBU4fC5IHY by cynthiarose@sfba.social
2025-11-04T02:00:25Z
0 likes, 0 repeats
@foone you are duty bound to tell the Bay Area what you find!!!
(DIR) Post #Azt4avMLNb7Ild4FQ8 by foone@digipres.club
2025-11-04T02:01:08Z
0 likes, 1 repeats
This is the closest I was able to get to a non-blurry picture.It's not super complicated inside: Two main big components, a battery (non-rechargable lithium!) and a switch. The antenna is built into the PCB itself.
(DIR) Post #Azt4oSwVpRZEglRTmK by foone@digipres.club
2025-11-04T02:03:33Z
0 likes, 0 repeats
It's officially called a T21 Internal Tag Fixed Battery Switchable(some models don't have the switch) part number R2916-219
(DIR) Post #Azt4zDUDdSFrwAKnmS by futurebird@sauropods.win
2025-11-04T02:05:52Z
0 likes, 0 repeats
@foone I know what most of that is... but what is the EAST SFM 1640A package?Piezo Transducer?What is this for? Does it detect the car running? Something at the toll booth?https://www.multicomponent.se/wp-content/uploads/SFM-1640A.pdf
(DIR) Post #Azt5BN4PpRd18U3qF6 by Argonel@dice.camp
2025-11-04T02:07:39Z
0 likes, 0 repeats
@foone with the way that is labeled I wonder if that is the second design, or the production release of the 22nd version. Having both rev and v2 makes me wonder.
(DIR) Post #Azt5QhjNIMrhYcWxyi by futurebird@sauropods.win
2025-11-04T02:10:49Z
0 likes, 0 repeats
@amd @foone I suppose that makes more sense.
(DIR) Post #Azt5QmTxd6VSIGME9A by foone@digipres.club
2025-11-04T02:10:29Z
0 likes, 0 repeats
This thing in the corner under the designation BP1 is an SFM-1640A by East Electronics, an SMD External-driveen Piezo Transducer.This thing beeps when you change the number of occupants or (sometimes) when it gets scanned.
(DIR) Post #Azt5cGkZR0qnLxbXt2 by foone@digipres.club
2025-11-04T02:12:34Z
0 likes, 0 repeats
And the microcontroller is a TI MSP430F2121 Mixed Signal Microcontroller.
(DIR) Post #Azt5kOYcI8kxspt7E8 by foone@digipres.club
2025-11-04T02:14:01Z
0 likes, 0 repeats
Datasheet says this runs at 1.8v to 3.6v, and ultra-low power consumption: 250 µA at 1mhz, 2.2v, 0.7 µA on standby, and 0.1µA when off (with RAM retention)
(DIR) Post #Azt5qkIcMu4D3JQtzU by foone@digipres.club
2025-11-04T02:15:08Z
0 likes, 0 repeats
It's a 16-bit RISC architecture, 256 bytes of RAM, 4K +256B of flash memory
(DIR) Post #Azt6J6bX23lkL3npXk by fwaggle@moodoo.org
2025-11-04T02:20:12Z
0 likes, 0 repeats
@foone I wonder if they left the JTAG fuse unpopped so you can pull the code off the MSP?
(DIR) Post #Azt6PUgAR4m0k717kO by foone@digipres.club
2025-11-04T02:21:28Z
0 likes, 0 repeats
That battery is the Tadiran TL-4934 Lithium Thionyl Chloride. Nominal capacity of 1 amp-hour.if they're running this thing at 10µA on average this battery will last about 11 years
(DIR) Post #Azt6SEduVzylsLGipc by foone@digipres.club
2025-11-04T02:22:13Z
0 likes, 0 repeats
@futurebird it beeps when you change the number of occupants, and sometimes when you go through a toll booth
(DIR) Post #Azt7dmtVbnvdFDdZEO by MegaMichelle@a2mi.social
2025-11-04T02:35:08Z
0 likes, 0 repeats
@foone Could it be hooked up to a front panel and turned into a minicomputer many times more powerful than the stuff that sold for tens of thousands of dollars in the 70s? That'd be hilarious.
(DIR) Post #Azt7mhZmkbjbMBf7lQ by foone@digipres.club
2025-11-04T02:36:50Z
0 likes, 0 repeats
@MegaMichelle if it's reprogrammable! they may have fused it off
(DIR) Post #Azt7pzrDEqt6vJNvFY by foone@digipres.club
2025-11-04T02:37:21Z
0 likes, 0 repeats
that's all I can tell without being able to photograph it better (I'm doing this while laying down) or do some continuity testing
(DIR) Post #Azt8aFYxB6OixCtpy4 by foone@digipres.club
2025-11-04T02:45:45Z
0 likes, 0 repeats
I can't be sure what mode it's in without examining the registers, but it looks like they gave it a 7.2mhz crystal instead of the expected 32mhz. So the CPU might be running at 3.6mhz instead of the nominal 16mhz
(DIR) Post #Azt8dgOLsvTj20ZsW0 by RueNahcMohr@infosec.exchange
2025-11-04T02:41:16Z
0 likes, 0 repeats
@foone what? dont tell me everyone has to have a tracker in their car...
(DIR) Post #Azt8dhBcvitTUpdEJs by foone@digipres.club
2025-11-04T02:46:18Z
0 likes, 0 repeats
@RueNahcMohr it's optional, but it's used to access carpool lanes and pay for bridge tolls
(DIR) Post #Azt995n9UxBomk9fyy by whitequark@mastodon.social
2025-11-04T02:51:14Z
0 likes, 0 repeats
@foone it doesn't support a 32 MHz crystal
(DIR) Post #Azt996m7qFxjpqgN1M by foone@digipres.club
2025-11-04T02:52:01Z
0 likes, 0 repeats
@whitequark oh right I misread it.
(DIR) Post #Azt9HcCwrNYJdeHjUm by foone@digipres.club
2025-11-04T02:53:37Z
0 likes, 0 repeats
so fun fact the spec for how these work is public:https://web.archive.org/web/20131231125912/http://www.dot.ca.gov/hq/traffops/itsproj/Title_21/Report/Title%2021%20Specification.pdf
(DIR) Post #Azt9LlHn3988x5WjDs by foone@digipres.club
2025-11-04T02:54:24Z
0 likes, 0 repeats
and as I guessed, they're RFID. The reader transmits at them to turn on the tag so it can return an identification signal
(DIR) Post #Azt9SknJHAclSEbVy4 by foone@digipres.club
2025-11-04T02:55:38Z
0 likes, 0 repeats
it says these things wake up if you send them a 33 microsecond RF pulse at 915 Mhz, all ones in manchester encoding
(DIR) Post #Azt9nAqy6Bmm4C3JR2 by foone@digipres.club
2025-11-04T02:59:20Z
0 likes, 0 repeats
so presumably with a SDR you could make this thing identify itself by sending the proper message at it.
(DIR) Post #Azt9spphAKKEbt9kgK by foone@digipres.club
2025-11-04T03:00:15Z
0 likes, 0 repeats
other interesting notes from the pdf:it runs at 300 kbps, which seems awfully fucking fast for a system that is only sending, like, 60-124 byte messages?
(DIR) Post #Azt9yIReDJW8nTVplQ by foone@digipres.club
2025-11-04T03:01:19Z
0 likes, 0 repeats
it also has an "agency code" in there. So the tag can be smart enough to not identify itself if similar tags are being used for some other purpose
(DIR) Post #AztABOpTmv3aMWuKe0 by foone@digipres.club
2025-11-04T03:03:43Z
0 likes, 0 repeats
each transponder has a 32bit code to identify it. which seems low, given that the US already has something like a third of a billion cars. (This is a california-specific tag but they do mention specifically making this standardized so it can be used nationwide)
(DIR) Post #AztAMRaFt4tU5g3LW4 by foone@digipres.club
2025-11-04T03:05:39Z
0 likes, 0 repeats
some more message structure info:https://web.archive.org/web/20131231093328/http://www.dot.ca.gov/hq/traffops/itsproj/Title_21/Report/Title%2021%20Approved%20Record%20Types.pdf
(DIR) Post #AztATMoxzeZ9LXEeVU by foone@digipres.club
2025-11-04T03:06:57Z
0 likes, 0 repeats
oh god, the 32bits is structured, it's not just an ID to some internal Cal DOT database:https://web.archive.org/web/20131231084853/http://www.dot.ca.gov/hq/traffops/itsproj/Title_21/Report/T21CATransponderIDVer17.pdf
(DIR) Post #AztAhcCvaFOb7YEkwi by foone@digipres.club
2025-11-04T03:08:58Z
0 likes, 0 repeats
the first 4 bits are your tag type, based on how many people are in the car. The next 18 bits are the facility number. the state of california has 75001 facilities, each of which can have up to 1024 tags
(DIR) Post #AztAkbRAu5iRbJKFKy by foone@digipres.club
2025-11-04T03:09:34Z
0 likes, 0 repeats
WHAT DO YOU MEAN THEY ASSIGNED A MILLION TRANSPONDER IDS TO A BRIDGE IN CANADA?
(DIR) Post #AztAoKg39vs2mL3t5s by n1vux@mastodon.radio
2025-11-04T03:08:52Z
0 likes, 0 repeats
@foone "All ones manchester" negates the PSK nature of the encoding. Do they mean no keying of the 915MHz carrier, or square-wave modulated at some unstated bitrate?
(DIR) Post #AztAoLpIt0roLKOn9k by foone@digipres.club
2025-11-04T03:10:15Z
0 likes, 0 repeats
@n1vux it's not PSK, it's ASK
(DIR) Post #AztAymxqqL8lPCNFo0 by BRicker@fosstodon.org
2025-11-04T03:12:34Z
0 likes, 0 repeats
@foone @n1vux Manchester Coding is a PSK (= inversion) of the double-clock-speed squarewave ASK of the carrier. It's always weirdness when you get down to baseband signals ...
(DIR) Post #AztB6nDxlEk6Wnj7mS by foone@digipres.club
2025-11-04T03:14:05Z
0 likes, 0 repeats
so the Golden Ears Bridge in Metro Vancouver, British Columbia had electronic tolls from 2009 to 2017, including transponders you could install on your car to auto-pay
(DIR) Post #AztB9dNynRKasplbpQ by foone@digipres.club
2025-11-04T03:14:38Z
0 likes, 0 repeats
this sounds like they cooperated with the california department of transportation and just used the FasTrak system for their toll system
(DIR) Post #AztBX6SuqSobjUGb1k by pyro@mastodon.calitabby.net
2025-11-04T03:18:34Z
0 likes, 0 repeats
@foone how do you always manage to find the strangest facts about electronics that I will never see again, let alone interact withthis is what being in the technological information age does to a mf.
(DIR) Post #AztBhvPEIvYycMhcwK by acsawdey@fosstodon.org
2025-11-04T03:20:46Z
0 likes, 0 repeats
@foone I’m thinking of the 433MHz pulse transmission systems .. the bit rate is pretty high but the signal is extremely short. My weather station on the roof runs for many many years on 4x lithium primary AA cells. At some point you spend more power transmitting the carrier than the bits. There must be an optimal bit rate for minimum power.
(DIR) Post #AztBlNnPCw3ZXJexKi by foone@digipres.club
2025-11-04T03:21:05Z
0 likes, 0 repeats
@pyro you just need to dig. everything is a rabbit hole if you dig deep enough, there's always weirdness going on if you keep looking
(DIR) Post #AztCH3mFAk6MiSDlC4 by foone@digipres.club
2025-11-04T03:27:03Z
0 likes, 0 repeats
ahh, here we go:"Effective January 1, 2019, Caltrans adopted a new protocol known as 6C. The existing Title 21 protocol will continue to be used for seven years after that date, and then be discontinued. The seven-year overlap with the two protocols is intended to give the toll facility operators the necessary time to eliminate their existing inventory of the Title 21 transponders."
(DIR) Post #AztCKNdVnDWDB1ihBQ by foone@digipres.club
2025-11-04T03:27:47Z
0 likes, 0 repeats
so I wonder if this means my transponder is actually 6C, not Title 21? or if this one is title 21, and the new one is 6C?
(DIR) Post #AztCuBqN7AtH1moJRQ by foone@digipres.club
2025-11-04T03:34:11Z
0 likes, 0 repeats
the new protocol is designed to conform to ISO/IEC 18000-63 which'll let it interoperate with other states/nations implementations of automatic vehicle identification
(DIR) Post #AztD03K1i9IeKsTcYq by foone@digipres.club
2025-11-04T03:35:12Z
0 likes, 0 repeats
links for info on the current implementation:https://dot.ca.gov/programs/traffic-operations/electronic-toll
(DIR) Post #AztD43gcIYj8ckxACe by foone@digipres.club
2025-11-04T03:35:40Z
0 likes, 0 repeats
@jordan we've got stickers too, but the stickers don't give you the "flex" functionality where you can adjust how it works based on how many people are in the car
(DIR) Post #AztDIltaj503n62P2m by foone@digipres.club
2025-11-04T03:38:39Z
0 likes, 0 repeats
making them intercompatible is a good idea, imo. the current situation is that the US has 15 separate standards, and two of those are for Michigan
(DIR) Post #AztDNo5lzG843E8XLc by foone@digipres.club
2025-11-04T03:39:31Z
0 likes, 0 repeats
a funding bill in 2012 required that they all be intercompatible by 2016, but that didn't happen. obviousl.y
(DIR) Post #AztDU9JVzxdRbeaYpU by timjclevenger@infosec.exchange
2025-11-04T03:36:14Z
0 likes, 0 repeats
@foone Interesting that North Texas Tollway Authority is a member of the 6C coalition but uses a completely passive (reader-powered) sticker instead of a battery-powered box. I like that the Fastrak boxes beep on read (and can be moved between vehicles) but the NTTA stickers are cheap enough they send them to you for free.
(DIR) Post #AztDUAXNRuJlOw594i by foone@digipres.club
2025-11-04T03:40:22Z
0 likes, 0 repeats
@timjclevenger Fastrak has sticker versions too, they just don't have the "flex" functionality
(DIR) Post #AztDZyOdVBEPU4lFQm by foone@digipres.club
2025-11-04T03:41:32Z
0 likes, 0 repeats
the louisiana version is called "GeauxPass", which I assume is pronounced "GoPass" and not "GooPass". eww
(DIR) Post #AztDhv3PoQBlR1clIe by foone@digipres.club
2025-11-04T03:43:13Z
0 likes, 0 repeats
Anyway these are just the RFID versions. Plenty of places are using versions based on license plate readers, either automatic or manual
(DIR) Post #AztDpQFYE3BuDJsWH2 by foone@digipres.club
2025-11-04T03:44:19Z
0 likes, 0 repeats
oh wait, this one is definitely Title 21! it says as much on the PCB
(DIR) Post #AztDsujpKLkhdlhkS8 by foone@digipres.club
2025-11-04T03:44:41Z
0 likes, 0 repeats
so yeah, my new one must be 6C.I did get two 6C tags, so I could disassemble one... but I think I've misplaced the spare
(DIR) Post #AztF1Q70fCT5DRATw0 by lackthereof@beige.party
2025-11-04T03:57:49Z
0 likes, 0 repeats
@foone I'm trying and trying to figure out what exactly my Washington state "Good to Go" RFID sticker is, and I'm just coming up empty. Which probably means it's some proprietary standard from the toll collection vendor.
(DIR) Post #AztFpyYKt6UiVk3YdU by kinsale42@mstdn.games
2025-11-04T04:06:59Z
0 likes, 0 repeats
@foone reminds me of the nearby apartment complex that rebranded itself "Timbre" with a picture of a tree, and me, a person with a music degree: "I don't think that means what you think it means (or sounds the way you think it sounds)"
(DIR) Post #AztFtC6axL8nPccEAC by foone@digipres.club
2025-11-04T04:07:40Z
0 likes, 0 repeats
@kinsale42 oww
(DIR) Post #AztJfUH90EfrWpGlJw by syntax@furry.engineer
2025-11-04T04:49:52Z
0 likes, 0 repeats
@foone I saw 6C and had to read back through the thread - Long-range RFID, or sometimes called Automatic Vehicle Identification (AVI) is one of my favorite boring things I get to work with. Older "active" tags like your CalTrans are a lot more interesting (I've even seen some with little screens in them showing how much toll you've just paid!) but nowadays a lot of tolling agencies are moving to effectively glorified stickers. It's a super cool technology - the radio field induces a current in a coil of wire, powering the chip, which then modulates its power usage to transmit its ID, so you can read a tag on a car doing highway speeds from 15 feet overhead!
(DIR) Post #AztQCl6e2zId0cbfxQ by epithumia@mstdn.social
2025-11-04T06:03:12Z
0 likes, 0 repeats
@foone French pronunciation of it would be gopass, with a soft g (like the g in danger).
(DIR) Post #AztQlhWlLRBs2rU7No by foone@digipres.club
2025-11-04T06:09:28Z
0 likes, 0 repeats
oh wow. The new one has no battery, and still supports the flex option.
(DIR) Post #AztSo9RAkP6r5rAM8O by alper@sfba.social
2025-11-04T06:32:20Z
0 likes, 0 repeats
@foone passive rides were the earliest type (in Europe at least). They didn't have switches though. Clever
(DIR) Post #AztYRkrW2I5UEHBwwK by pdcawley@mendeddrum.org
2025-11-04T07:35:14Z
0 likes, 0 repeats
@foone How could you not while remaining Foone Turing?
(DIR) Post #AztaEGs8QVvBMQBCCW by henryk@chaos.social
2025-11-04T07:55:25Z
0 likes, 0 repeats
@foone ISO/IEC 18000-63 is passive backscatter UHF, where the tag is energized by a continuous signal from the "reader" and modulates its reflective cross section to send data. It wouldn't be too hard to wire some inputs so that some transmitted bits depend on external state.(I haven't checked the current state, but last I saw this was pure static ID only. Not remotely enough passive power to do any kind of cryptography.)
(DIR) Post #AzuOL1udRLlChPlVom by foone@digipres.club
2025-11-04T17:16:44Z
0 likes, 0 repeats
So here's the new version. It's got a little rotational thing instead of a switch. Much smaller, much thinner, less beepy.
(DIR) Post #AzuOVLvpraztgTFVXk by foone@digipres.club
2025-11-04T17:18:22Z
0 likes, 0 repeats
Inside it's super simple. There's an antenna on the back, and a spring to make the wheel snap to the three numbers
(DIR) Post #AzuOccl7hNP9tqhoxc by foone@digipres.club
2025-11-04T17:19:52Z
0 likes, 0 repeats
Under the wheel, you can see the antenna is two parts, with a gap in the middle.And there's two squares under the wheel.
(DIR) Post #AzuOnRriXcNNIbx3tg by foone@digipres.club
2025-11-04T17:21:56Z
0 likes, 0 repeats
And here's the trick: It's not an RFID tag... it's three RFID tags!Which one is connected to the antenna depends on how it's rotated, while the other two end up flush against those rectangles. Only the one with the antenna gets enough signal to respond, so only that tag can be read.
(DIR) Post #AzuP9wN7nbn0HhMpO4 by jackeric@beige.party
2025-11-04T17:25:53Z
0 likes, 0 repeats
@foone oooh that is so smart
(DIR) Post #AzuPm8OlX87saWLZho by foone@digipres.club
2025-11-04T17:32:33Z
0 likes, 0 repeats
@jordan wait if I'm pregnant does that mean I can use the carpool lane?
(DIR) Post #AzuPsDEWTEwJJvSDa4 by foone@digipres.club
2025-11-04T17:33:40Z
0 likes, 0 repeats
@domi it might be that they're counting that these will only last a couple years, but if they cost 1/10th as much as the old tags they can just replace them every couple years
(DIR) Post #AzuQ71JZ4AQqhOsCtE by IntrepidVector@glaceon.social
2025-11-04T17:36:18Z
0 likes, 0 repeats
@foone yeah, they love doing that down there. You see a lot of "Geaux Tigers!" in football season, for example
(DIR) Post #AzuQeoaKttez45pgOG by amsomniac@mastodon.mit.edu
2025-11-04T17:42:32Z
0 likes, 0 repeats
@foone yeah there was a presentation about this a little while ago https://www.youtube.com/watch?v=q9_8F_BKeto
(DIR) Post #Azuuzhm8PYgqeREEV6 by nav@mstdn.social
2025-11-04T23:22:38Z
0 likes, 0 repeats
@foone THAT is clever. What does the occupant selection actually do? Does it get charged at different rates or is it purely stats collection?
(DIR) Post #Azv5E3CCZB92gItsrg by foone@digipres.club
2025-11-05T01:17:29Z
0 likes, 0 repeats
@nav different rates, yeah. and sometimes at rush hour a carpool lane will be 2+ people only
(DIR) Post #AzvA1JaYo3PfWs2ZYe by FurryBeta@shark.community
2025-11-05T02:11:17Z
0 likes, 0 repeats
@foone When I read the label on the battery, my first thought was was “let’s throw it in boiling water and see what happens”
(DIR) Post #AzvD0C0PoWc9aGI4BM by foone@digipres.club
2025-11-05T02:44:39Z
0 likes, 0 repeats
@FurryBeta DO NOT
(DIR) Post #AzvTkvCXhzGKLKGbgW by shadowlab@furry.engineer
2025-11-05T05:52:19Z
0 likes, 0 repeats
@foone Prepare to be underwhelmed