Jump to content

TouchTunes Jukebox PIN Discovery With The YSO


Recommended Posts

V0.4 has been released!


  • TX all commands as you would with the remote!
  • Passive PIN discovery!
  • Brute Force a command, loops threw all 256 PINs for a single command!
  • Dank ass meme's!
  • Booze, Chicks/Dudes and more!


No piratical application but here's a script that uses the YSO (or any other CC1111 radio that uses RfCat) to emulate, brute force, and listen for the TouchTunes Jukebox remote transmissions. With this power you could skip songs, turn up/down the volume, or possibly add promotion credits for free songs. For research purposes only of course :D.


-=Here's the quick and dirty on how I reversed this remote=-

This project all started 2 years ago when my wife and I dropped $20 at the local gay bar to listen to some filthy Dubstep, rad ass EDM, and Beck.  After inserting that Jackson, I realized my grand idea of saving money isn’t working out… (We spent $120 that night… $40 on the jukebox…) Next morning, hung over and sad, I made it my mission to figure out how to get free music out of this Jukebox. This is how I started, and here’s how I bumbled my way to to figure out an IoT Jukebox known as TouchTunes.

I would just say research but TBH what I did wasn’t that sexy. Armed with my skill of “Google Fu” I found various manuals about the device. I found some good information in these manuals and it gave me a few ideas on how to score free jams.

http://productwarranty.touchtunes.com/download/attachments/655383/900475-001-Virtuo Installation and Setup Guide-Rev08.pdf?api=v2  

http://productwarranty.touchtunes.com/download/attachments/1572899/900203-002-Dashboard User Guide-Rev00.pdf?version=1


-=I called random strangers and sat at a bar=-
I made a few phone calls to random TouchTunes Techs who specialize in repairing these devices and got a lot of good info for them. I learned it was Linux box, everything is encrypted, It costs money to own the key, everything is locked down, and you need to own ~10 of them to get true admin rights. I wanted a way to experiment with a VM of the OS to figure out how it ticked. Because I don’t have $5000 laying around I’m kinda forced to black box this device. Thanks to a few local bars who had their IoT Juke box on the public WiFi, I was able to take a quick gander. Sadly the techs where right… It’s locked down... I’ll revisit this approach latter when I can save up for my own personal Jukebox lol. You can also add credits via the Internet BTW. Try to see if there’s a way to make the Jukebox believe I’m god and make it sing and dance.

-=Three things I learned=-
1.) You can fill the queue with music to play with out paying for it. This was a marketing plan to make people more committed to pay for music if they made a queue first.

2.) If configured, the jukebox can be set up to receive “promotional credit”. Bar tenders and or managers can add to the balance so more music could be played. This is added by pressing the ‘P1’ button the wireless remote…

3.) There is a wireless remote! It, transmits on 433.92 MHz and it can be found for $50 on ebay!


-=My plan of attack=-

  1. Add music to the queue
  2. Add promotion points
  3. Get free music!

-=I spent money=-
Because I’m cheap, I picked up a after market remote that works with all TouchTunes Jukebox’s Gen 2 and above. The plan was to reverse this remote with my Yard Stick One and HackRF and try to figure out how it works. The remote only has 256 PIN provabilities to keep neighboring bars from walking on each other so I could just hand jam all 256 PIN’s (000-255) to figure out which one they are using. 9 times out of 10, it was 000.  So yah, nothing complex here.


-=Reversing… Kinda…=-
The first thing I did was find the FCC data, not a lot of useful info here but I at least figured out it existed.


I used a HackRF with the 'osmocom_fft' to monitor and record the wireless remotes transmissions. I then took a look of the raw IQ data with 'inspectrum' to see what I was dealing with.

Below is what the On/Off command looks like with a 000 PIN.


With this I know I'm working with ASK/OOK. The message in raw binary is...

1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1,

In Hex it would be...


I found this by right clicking and added an 'Amplitude Plot in 'inspectrum', moved the bar over the transmission, added a 'Threshold Plot', clicked 'Enable cursors' to count out how many symbols are being used (also tells you the Symbol Rate) and then right clicked to 'Extract Symbols' and the values where outputted in the terminal.


At this point I switched from using an SDR to RfCat and the YSO. After figuring out the preamble was 1111111111111111 or FFFF in hex, Modulation (ASK/OOK), and symbol rate (~1766) I was able to create a script based off Michael Ossmann's work to help me record the data.


After a lot of beer and recording every PIN possibility for the On/Off a few patterns emerged. If you want to look threw all my data you can check out the paste bin below but here's what I believe how the transmission is formated.

==Preamble==  ==key==    ==Mesage==     ==?==
 ffff00a2888a2     aaaa       8888aa2aa22        20

I still no idea what the last 2 hex values are about (I noticed that their where 2 possible messages for each command depending on what PIN was. The last 2 where either 02 or 88... I couldn't figure out the pattern so I just hard coded when which command was used vs the other depending on what PIN  in my final script)


-=After that=-

I expand the original script I used to record all the transmissions of the remote and added a passive PIN discovery feature to it. I then recorded all the message's (All the buttons) the remote would send (Both potabilities) and added the ability to determine which command was used. A week later I figured out how to TX the decoded values and I made a working TouchTunes remote for the YSO. And it's been tested. :D



Link to comment
Share on other sites

  • 3 weeks later...
  • 4 weeks later...
On 3/3/2017 at 3:04 PM, daredevilmodzz said:

Why is it that the user manual says it uses FSK but your article demonstrated that the controller actually uses ASK? 

No clue! Threw me for a loop when I first got the remote. 

Link to comment
Share on other sites

  • 10 months later...
  • 7 months later...
On 1/18/2017 at 11:19 AM, barry99705 said:

Most of the members of this forum won't get the Fonz reference.

I think anyone who is serious about this profession/hobby/culture will get the reference.

Link to comment
Share on other sites

  • 10 months later...

I have just found an old Allegro Touchtunes jukebox in excellent condition in a garage I emptied out. 

I turned it on, it loaded and then the screen said it was deactivated. Does anyone know how to reactivate it or bypass this so I can use my own music or something like that?


Thank you in advance! 

Link to comment
Share on other sites

  • 3 months later...
  • 2 years later...
  • 4 weeks later...

Feel stupid for asking this here, but how do you even do all of this? I honestly have no idea what any of this means, and probably none of the tech-knowhow to do it myself.
If it is too complicated to explain, could I just buy the remote from PressOnProducts with the same functionality?

Link to comment
Share on other sites

  • 9 months later...

When he says that the symbol rate is 1766, does anybody know what that refers to? The "shorts" (10) and "longs" (1000) have different durations. Or does it mean literal bits per second, like a "long" would be four "symbols?" 

Sorry, both programming and radio are very out of my wheelhouse and I'm trying to port this over to a cheap $0.50 433 mhz module I've got attached to a microcontroller running circuitpython. I've got everything pretty much working, but I need to know the duration of the pulses so I don't spend hours trying different pin values and troubleshooting, only to learn I've accidentally doubled or halved the symbol rate. 

Right now, I believe a "short" should have a duration of 566 microseconds, and a "long" 1968 microseconds. The preamble begins with a pulse of duration 9056 us, followed by a silence of 4528 us. Can anyone confirm or deny this? It looks like there used to be a photo on the post with this information but the hosted image has expired.


Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...