[HN Gopher] Reverse engineering a restaurant pager system
___________________________________________________________________
Reverse engineering a restaurant pager system
Author : edward
Score : 179 points
Date : 2024-06-15 20:37 UTC (1 days ago)
(HTM) web link (k3xec.com)
(TXT) w3m dump (k3xec.com)
| perth wrote:
| Noticed this person didn't want people to access the code for
| fear of misuse. Thankfully, someone else has already made this
| for flipper zero before them and released the code!
|
| https://github.com/leedave/flipper-zero-meal-pager
| thedrexster wrote:
| << Does this even work: I don't know. It's based on intel
| collected from other people. The Flipper sends data, I checked
| that with a second flipper. I've also heard rumors that it
| works in Australia. I'm sure it doesn't work in the US, as they
| use different frequencies. >>
|
| I mean, that's helpful, but....
| ziggy_star wrote:
| It would be kind of less interesting if they just figured it
| _all_ for you and served it up on a silver platter don't you
| reckon? Where is your phreaking spirit at? :)
|
| In the before computers times there was an ironically titled
| book called 'Steal This Book'.
|
| Amongst a variety of other things it describes one of the
| funniest and most beautiful hacks I've ever heard of. I'm
| leaving this as a hint for others for fun or the rare cases
| that I know are on here that absolutely need to eat without
| money.
|
| It requires one trusted accomplice and an all you can eat
| buffet. The rest is up to you to find out. It always works
| flawlessly and has for over half a century.
| enoch_r wrote:
| That book strongly reminds me of this review of "On the
| Road":
|
| > On The Road seems to be a picture of a high-trust
| society. Drivers assume hitchhikers are trustworthy and
| will take them anywhere. Women assume men are trustworthy
| and will accept any promise. Employers assume workers are
| trustworthy and don't bother with background checks. It's
| pretty neat.
|
| > But On The Road is, most importantly, a picture of a
| high-trust society collapsing. And it's collapsing
| precisely because the book's protagonists are going around
| defecting against everyone they meet at a hundred ten miles
| an hour.
| ziggy_star wrote:
| Well observed. The very ending of On The Road itself
| addresses this if you read carefully, Kerouac did not
| lack in self awareness.
|
| But then again he was a yuppie not a hippie trying to
| levitate the pentagon so that all the evil spirits fall
| out. ;)
|
| And here we are where we are eh?
| Rediscover wrote:
| Kerouac aside, wasn't it the yippies (not yuppies) that
| were doing the Pentagon performance?
|
| ISTR yuppies were years after the Youth International
| Party (and quite different).
|
| Anyone?
| ziggy_star wrote:
| Sorry I really bungled it up. Blame autocorrect and lack
| of coffee.
|
| Meant to say Kerouac was a beatnik, Abbie was a yippie
| who inspired a generation of dirty hippies.
|
| And we've sunk further still but I don't know that there
| is a lasting term yet. Maybe it will be NPC? I favor
| Quaranteenie (which makes less sense but sounds more fun,
| I mean by it a teenager who was locked up during their
| formative years and ended up a politically active
| mentally ill ignoramus)?
| dylan604 wrote:
| > Where is your phreaking spirit at?
|
| You gotta keep in mind that there is a sizeable portion of
| any hacker culture that doesn't want to (or can't) do any
| part of the actual hacking that gets things figured out,
| but instead just want to use what was figured out in ways
| not intended by the original purpose of whatever was
| hacked. One might say the script kiddies of the physical
| side of things.
|
| There are way more cooks in the kitchen than chefs.
| MadnessASAP wrote:
| To put it a little nicer, there's many skills encompassed
| by the title "hacker". There is no such thing as a
| universal jack of all trades hacker. Some are better at
| software, some are more comfortable in hardware. The RF
| hackers have a whole bundle of sub specialties.
| whartung wrote:
| I want to know how when you see a stack of pagers, each one knows
| its position in the stack so that when the stack decides to go
| into "attract" mode, it animates them one by one, like an
| elevator going up.
|
| Somehow when they stack, they know where they are relative to the
| other pagers (at least something does).
| jrussino wrote:
| If I recall, they have female port connectors on the bottom and
| little male prong connectors that mate with them on top. I
| assume that is mainly for power connection, so you can put a
| whole stack on a charger and charge them all simultaneously.
| But if they can sense a signal on the female pins then that's
| sufficient to enable the behavior you're describing without
| directly knowing the positions of each pager, right? Pager on
| the bottom sees a signal on its female pins, blinks its light,
| sends the signal on its male pins, then the next pager above
| sees the signal on its female pins, blinks its light, sends the
| signal on its male pins, etc...
| Cerium wrote:
| I think that is the whole trick - they look like they are all
| in parallel on four wires, but really two of the wires are
| daisy chained through each device (like serial LEDs). In this
| configuration you can do the light tricks without knowing the
| order, but you can also enumerate the order. I have seen
| addressing based on hop counting, or by appending your ID to a
| "who are you" message.
|
| Eg: Host sends "who are you", first device appends an ID
| number and then propagates the message forward in the chain.
| Each device does the same, until the last device in the chain
| (which detects electrically or via a timeout that there are
| no more devices) decides to loop the message back to the
| host.
| ssl-3 wrote:
| Looking at photos on Google Images, it looks like the pagers in
| question have just two pins on the top, and two more mating
| pins on the bottom.
|
| Obviously, that's for power delivery: They stack to charge.
|
| But it seems like data must be sent (in one direction) through
| the stack at the same time that charging happens -- to set IDs,
| and to let attract mode work.
|
| One way I can conceive of to allow this to happen is by
| reversing polarity: Send power with one polarity for a 0, and
| in the opposite polarity for a 1.
|
| Once a pager has some data, it can pass it along to the one
| stacked above it by doing the same thing -- in a manner not
| dissimilar to how things like RGB LED strings do.
|
| Charging can happen at the same time as this data is received
| (and potentially modified) and then retransmitted by using a
| bridge rectifier in each unit for the charging circuit, so that
| (as far as the battery bits can see) the polarity remains
| constant.
|
| (This sounds complex and slow, but using things like diodes and
| MOSFETs is cheap at mass production PCB stuffing scales, and
| the data rate needn't be fast. It may even be cheaper to do it
| this way than a more complex assembly with dedicated data
| pins.)
| kragen wrote:
| this is a great idea. you don't even need a bipolarity
| driver, just an h-bridge. though if you do have plus and
| minus rails plus ground, you only need two transistors
| ssl-3 wrote:
| How do you mean?
|
| There are only two contacts between any device and the
| device below it, according to the photos. This trend
| continues upward for all subsequently-connected devices.
|
| An interface with +, -, and ground implies three contacts.
| kragen wrote:
| i mean you connect one wire to ground and switch the
| other wire between - and + with two transistors, thus
| reversing polarity on it in a way that can be used to
| signal information while also efficiently transferring
| power (though only a quarter of the power you could
| transfer with an h-bridge across rails of the same
| voltage)
|
| basically rs232 signaling with just tx and ground
| fragmede wrote:
| Or you could have a fixed clock and sample based on that, so
| no having to deal with reverse polarity. This is the
| restaurant industry though, so assume they'll get wet and the
| worst possible combination of pins get shorted, so design
| the circuit to be as tolerant of that as possible. Also
| consider the 4 pins getting into conductive fluid electrified
| with AC.
| ssl-3 wrote:
| Perhaps. Can you elaborate on how your own idea works? I
| think I know what you mean, but I'd like for it to be
| explained.
|
| My own idea implies a potential of ~100% charging duty
| cycle even as low-speed data is being transferred, and
| that's good because charging seems to be the primary goal
| here in this application.
|
| (My other idea, that I have not yet espoused, involves a
| waveform on top of a fairly-constant charging voltage. It
| can perform asynchronously, and might even be just
| amplitude modulation. But it probably means more parts and
| complexity than my first idea involves: Functional analog
| filters always seem to take a handful of parts to get
| it right, whereas my polarity-swap idea only uses a couple
| of high-tolerance jellybean MOSFETs and some parts-bin
| diodes.)
| yencabulator wrote:
| LED strips have 3 pins (power, data, ground) but if you don't
| care about exact power levels maybe you can modulate power to
| send data.
|
| Protocol-wise, WS2812B for LEDs works basically by having every
| LED along the way take the first X bytes, interpret as a
| command to themselves, and forward the rest -- and that's how
| you can address a 100 LEDs on one data line.
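
The two chain schemes described in this subthread (Cerium's append-your-ID enumeration with hop counting, and the WS2812B-style consume-and-forward framing yencabulator mentions), as an added simulation that is not from the thread, the linked article, or any pager vendor. The `Pager` class, the function names and the serial values are constructed for illustration; real pager firmware may work differently.

```python
from dataclasses import dataclass

@dataclass
class Pager:
    serial: int          # constructed unit ID, not a real pager identifier
    position: int = -1   # unknown until the enumeration pass reaches this unit
    lit: bool = False

    def on_enumerate(self, ids):
        """'Who are you' pass: hop count so far is this unit's position;
        append own ID and hand the longer message to the unit above."""
        self.position = len(ids)
        return ids + [self.serial]

    def on_frame(self, frame):
        """Consume-and-forward pass: the first byte is this unit's command,
        everything after it is forwarded up the chain untouched."""
        if not frame:
            return frame             # short frame: keep previous state
        self.lit = bool(frame[0])
        return frame[1:]

def enumerate_stack(stack):
    """Host sends an empty 'who are you'; the top unit loops the result back."""
    msg = []
    for pager in stack:              # bottom to top, one contact pair per hop
        msg = pager.on_enumerate(msg)
    return msg

def send_frame(stack, frame):
    """Push one frame through the chain; returns bytes no unit consumed."""
    rest = bytes(frame)
    for pager in stack:
        rest = pager.on_frame(rest)
    return rest

def attract(stack):
    """'Elevator' animation: one frame per step with a single lit unit."""
    steps = []
    for i in range(len(stack)):
        send_frame(stack, [1 if j == i else 0 for j in range(len(stack))])
        steps.append([p.position for p in stack if p.lit])
    return steps

if __name__ == "__main__":
    stack = [Pager(0x3A), Pager(0x11), Pager(0x7F)]   # constructed serials
    print("order seen by host:", [hex(s) for s in enumerate_stack(stack)])
    print("lit position per step:", attract(stack))
```

Neither pass needs a unit to know its address in advance: position falls out of where the unit sits in the chain, which is why restacking the pagers in a different order still animates bottom to top.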
| theamk wrote:
| > around 858 microseconds (0.000858 seconds per symbol), which is
| a weird number, but maybe I'm slightly off or there's some larger
| math I'm missing that makes this number satisfyingly round
|
| 1/858e-6 sec = 1165 Hz. They were likely trying for 1200 Hz, but
| the crystal was a bit off.
| kragen wrote:
| 1200 baud is a standard baud rate and I think 3% is within
| tolerance. probably not a crystal though or it would be much
| closer
| bragr wrote:
| Looking at the system for sale [1] now, the lack of security
| seems to be one of their selling points:
|
| >Multiple keyboards call the same pager. The pager system long
| range supports multiple keyboard call the same restaurant pagers.
|
| As an aside, all the church nursery references stand out to me.
| Are pager systems common for that and am I just out of touch?
|
| [1] https://www.amazon.com/Retekess-Restaurant-Adjustable-
| Remind...
| hobs wrote:
| It's a silent way of notifying the parent their attention is
| needed when they are in the pews.
| tgsovlerkhgsel wrote:
| I honestly appreciate the decision to not release the code ("I'm
| not going to be publishing this code since I can't think of a
| good use anyone would have for this besides folks using a low
| cost SDR and annoying local restaurants"). All too often have I
| seen security researchers release fully weaponized attack tools
| that then promptly get used by attackers (and not the pranking
| kind of attackers either).
|
| Could the attacker write it themselves? Probably. Will reducing
| the cost by providing ready-made code increase attacks? Almost
| certainly. I wish that more people would consider whether
| releasing the code will be a net benefit (by enabling legitimate
| research, education, proof-of-concept demonstrations of
| vulnerability) or harm (by enabling malicious attacks). Even if
| the underlying exploit/vuln/feature is the same, form matters: A
| ready-to-use attack toolkit with multi-client management
| capability is much more likely to be useful to attackers than
| defenders, where a simple proof of concept that is hardcoded to
| show a pre-defined message with no _easy_ way to change that is
| much less likely to be reused maliciously.
|
| And pranking a pager system sounds pretty harmless, until you
| realize that a restaurant is likely quite strongly relying on it
| and essentially DoS'ing it has the potential to affect their
| business.
| SoftTalker wrote:
| Restaurants used to just give you a number and they'd have a
| light-up display of the number(s) ready to be seated. Fairly
| immune to hacking but does require the customer to stay in
| visual range of the display and remember to keep an eye on it.
|
| Or they would take reservations in advance, but almost none do
| that anymore.
| avg_dev wrote:
| very fun article. What is a PHY?
___________________________________________________________________
(page generated 2024-06-16 23:02 UTC)