NotPike Posted January 18, 2017

V0.4 has been released! https://github.com/notpike/The-Fonz
TX all commands as you would with the remote!
Passive PIN discovery!
Brute force a command, loops through all 256 PINs for a single command!
Dank ass memes! Booze, Chicks/Dudes and more!

No practical application, but here's a script that uses the YSO (or any other CC1111 radio that uses RfCat) to emulate, brute force, and listen for the TouchTunes Jukebox remote transmissions. With this power you could skip songs, turn up/down the volume, or possibly add promotion credits for free songs. For research purposes only of course :D.

-=Here's the quick and dirty on how I reversed this remote=-

So… This project all started 2 years ago when my wife and I dropped $20 at the local gay bar to listen to some filthy Dubstep, rad ass EDM, and Beck. After inserting that Jackson, I realized my grand idea of saving money isn't working out… (We spent $120 that night… $40 on the jukebox…) Next morning, hung over and sad, I made it my mission to figure out how to get free music out of this Jukebox. This is how I started, and here's how I bumbled my way to figuring out an IoT Jukebox known as TouchTunes.

-=Reading=-

I would just say research but TBH what I did wasn't that sexy. Armed with my skill of "Google Fu" I found various manuals about the device. I found some good information in these manuals and it gave me a few ideas on how to score free jams.

http://productwarranty.touchtunes.com/download/attachments/655383/900475-001-Virtuo Installation and Setup Guide-Rev08.pdf?api=v2
http://productwarranty.touchtunes.com/download/attachments/1572899/900203-002-Dashboard User Guide-Rev00.pdf?version=1
http://www.touchtunes.com/media/marketing_resources/Remote_Control_Users_Guide_1.pdf

-=I called random strangers and sat at a bar=-

I made a few phone calls to random TouchTunes Techs who specialize in repairing these devices and got a lot of good info from them. I learned it was a Linux box, everything is encrypted, it costs money to own the key, everything is locked down, and you need to own ~10 of them to get true admin rights. I wanted a way to experiment with a VM of the OS to figure out how it ticked. Because I don't have $5000 laying around I'm kinda forced to black box this device. Thanks to a few local bars who had their IoT Jukebox on the public WiFi, I was able to take a quick gander. Sadly the techs were right… It's locked down... I'll revisit this approach later when I can save up for my own personal Jukebox lol. You can also add credits via the Internet BTW. Try to see if there's a way to make the Jukebox believe I'm god and make it sing and dance.

-=Three things I learned=-

1.) You can fill the queue with music to play without paying for it. This was a marketing plan to make people more committed to pay for music if they made a queue first.
2.) If configured, the jukebox can be set up to receive "promotional credit". Bartenders and/or managers can add to the balance so more music can be played. This is added by pressing the 'P1' button on the wireless remote…
3.) There is a wireless remote! It transmits on 433.92 MHz and it can be found for $50 on eBay!

-=My plan of attack=-

Add music to the queue
Add promotion points
Get free music!

-=I spent money=-

Because I'm cheap, I picked up an aftermarket remote that works with all TouchTunes Jukeboxes Gen 2 and above. The plan was to reverse this remote with my Yard Stick One and HackRF and try to figure out how it works. The remote only has 256 PIN possibilities to keep neighboring bars from walking on each other, so I could just hand jam all 256 PINs (000-255) to figure out which one they are using. 9 times out of 10, it was 000. So yah, nothing complex here.

-=Reversing… Kinda…=-

The first thing I did was find the FCC data, not a lot of useful info here but I at least figured out it existed. https://fccid.io/2AHXI-T1

I used a HackRF with 'osmocom_fft' to monitor and record the wireless remote's transmissions. I then took a look at the raw IQ data with 'inspectrum' to see what I was dealing with. Below is what the On/Off command looks like with a 000 PIN. With this I know I'm working with ASK/OOK.

The message in raw binary is...
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1,

In hex it would be...
FFFF00A2888A2AAAA8888AA2AA2220

I found this by right clicking and adding an 'Amplitude Plot' in 'inspectrum', moved the bar over the transmission, added a 'Threshold Plot', clicked 'Enable cursors' to count out how many symbols are being used (also tells you the Symbol Rate) and then right clicked to 'Extract Symbols' and the values were output in the terminal.

-=RfCat=-

At this point I switched from using an SDR to RfCat and the YSO. After figuring out the preamble was 1111111111111111 or FFFF in hex, modulation (ASK/OOK), and symbol rate (~1766) I was able to create a script based off Michael Ossmann's work to help me record the data. https://github.com/mossmann/stealthlock/blob/master/sl.py

After a lot of beer and recording every PIN possibility for the On/Off a few patterns emerged. If you want to look through all my data you can check out the pastebin below, but here's what I believe is how the transmission is formatted.

==Preamble==  ==key== ==Message==  ==?==
ffff00a2888a2 aaaa    8888aa2aa22  20

I still have no idea what the last 2 hex values are about. (I noticed that there were 2 possible messages for each command depending on what the PIN was. The last 2 were either 02 or 88... I couldn't figure out the pattern so I just hard coded which command was used vs the other depending on the PIN in my final script.)

-=After that=-

I expanded the original script I used to record all the transmissions of the remote and added a passive PIN discovery feature to it. I then recorded all the messages (all the buttons) the remote would send (both possibilities) and added the ability to determine which command was used. A week later I figured out how to TX the decoded values and I made a working TouchTunes remote for the YSO. And it's been tested. :D

http://pastebin.com/Ue7UYAPg
http://www.pressonproducts.com/t1-jukebox-remote-touchtunes-compatible/
barry99705 Posted January 18, 2017

Most of the members of this forum won't get the Fonz reference.
NotPike (Author) Posted January 18, 2017

5 hours ago, barry99705 said: Most of the members of this forum won't get the Fonz reference.

#Late20sProblems :3
Mr-Protocol Posted January 19, 2017

Oh, Happy Days. I'm actually shocked the remote uses RF instead of IR. Good find.
NotPike (Author) Posted January 20, 2017

7 hours ago, Mr-Protocol said: Oh, Happy Days. I'm actually shocked the remote uses RF instead of IR. Good find.

Thank you :3
NotPike (Author) Posted February 7, 2017

-=UPDATE=-

V0.4 has been released. https://github.com/notpike/The-Fonz
TX all commands as you would with the remote
Passive PIN discovery
Brute force a command, loops through all 256 PINs for a single command.
Dank ass memes! Booze, Chicks/Dudes and more!
daredevilmodzz Posted March 3, 2017

Why is it that the user manual says it uses FSK but your article demonstrated that the controller actually uses ASK?
daredevilmodzz Posted March 3, 2017

Great article BTW, reminds me of someone doing this back in 2013.
NotPike (Author) Posted March 8, 2017

On 3/3/2017 at 3:04 PM, daredevilmodzz said: Why is it that the user manual says it uses FSK but your article demonstrated that the controller actually uses ASK?

No clue! Threw me for a loop when I first got the remote.
NotPike (Author) Posted January 10, 2018

Update V0.8!
Faster brute forcing
Added an Electronic Warfare Mode (tactical jamming) *Illegal, don't use this, POC only*
https://github.com/notpike/The-Fonz
Mr-Protocol Posted January 11, 2018

Wish I had the time lol. Good work though.
NotPike (Author) Posted January 15, 2018

On 1/11/2018 at 9:13 AM, Mr-Protocol said: Wish I had the time lol. Good work though.

Ahh thank you! <3
e-Euler Posted September 6, 2018

On 1/18/2017 at 11:19 AM, barry99705 said: Most of the members of this forum won't get the Fonz reference.

I think anyone who is serious about this profession/hobby/culture will get the reference.
barry99705 Posted September 6, 2018

10 hours ago, e-Euler said: I think anyone who is serious about this profession/hobby/culture will get the reference.

It was more of a "the show ended about 20 years before the average user here was born" comment. 1984 if you're curious.
Supermario02451 Posted July 26, 2019

I have just found an old Allegro TouchTunes jukebox in excellent condition in a garage I emptied out. I turned it on, it loaded and then the screen said it was deactivated. Does anyone know how to reactivate it or bypass this so I can use my own music or something like that? Thank you in advance!
Speed45 Posted November 10, 2019

So I am interested in this. Anyone have step-by-step instructions and where I go to buy everything that is needed for a jukebox Gen 3 machine?
comp6062 Posted June 10, 2022

On 6/6/2022 at 8:17 PM, WhatTheEfffMan said: The repo is gone, does anyone have a mirror?

Found it and copied it: https://github.com/comp6062/The-Fonz
Fleeb Posted July 7, 2022

Feel stupid for asking this here, but how do you even do all of this? I honestly have no idea what any of this means, and probably none of the tech know-how to do it myself. If it is too complicated to explain, could I just buy the remote from PressOnProducts with the same functionality?
NotJustPat Posted April 24, 2023

When he says that the symbol rate is 1766, does anybody know what that refers to? The "shorts" (10) and "longs" (1000) have different durations. Or does it mean literal bits per second, like a "long" would be four "symbols"? Sorry, both programming and radio are very out of my wheelhouse and I'm trying to port this over to a cheap $0.50 433 MHz module I've got attached to a microcontroller running CircuitPython. I've got everything pretty much working, but I need to know the duration of the pulses so I don't spend hours trying different PIN values and troubleshooting, only to learn I've accidentally doubled or halved the symbol rate. Right now, I believe a "short" should have a duration of 566 microseconds, and a "long" 1968 microseconds. The preamble begins with a pulse of duration 9056 us, followed by a silence of 4528 us. Can anyone confirm or deny this? It looks like there used to be a photo on the post with this information but the hosted image has expired.
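The frame layout from the first post (preamble / key / message / unknown tail) and the 1766 baud symbol rate asked about above, worked through as an added receiver-side example; this is not code from the original post or from The-Fonz, and the function names are mine. It rounds captured pulse durations to whole symbols at the 1/1766 s (about 566 us) symbol period, packs them to hex, checks the fixed sync preamble and splits the four fields exactly as the post lays them out; the pulse capture it runs on is constructed from the post's On/Off frame.

```python
# Added decoder example for the frame layout in the first post; it is not code
# from the original post or from The-Fonz. Symbol rate and layout are the post's.
SYMBOL_RATE = 1766                    # baud, from the post
SYMBOL_US = 1e6 / SYMBOL_RATE         # about 566 us per OOK symbol

# "ffff00a2888a2 aaaa 8888aa2aa22 20": preamble, key, message, unknown tail
PREAMBLE_HEX = "ffff00a2888a2"
KEY_LEN, MSG_LEN, TAIL_LEN = 4, 11, 2
FRAME_LEN = len(PREAMBLE_HEX) + KEY_LEN + MSG_LEN + TAIL_LEN   # 30 hex digits


def symbols_from_pulses(pulses, symbol_us=SYMBOL_US):
    """pulses: [(is_high, duration_us), ...] from an OOK demodulator. Each run
    is rounded to whole symbols: a 566 us pulse is '1', a 1700 us gap is '000'."""
    out = []
    for is_high, dur_us in pulses:
        n = max(1, round(dur_us / symbol_us))      # never drop a run entirely
        out.append(("1" if is_high else "0") * n)
    return "".join(out)


def hex_from_symbols(symbols):
    """Pack raw symbols (first symbol = MSB) into lowercase hex, zero-padding."""
    symbols += "0" * ((-len(symbols)) % 4)
    return "".join(f"{int(symbols[i:i + 4], 2):x}" for i in range(0, len(symbols), 4))


def parse_frame(frame_hex):
    """Split a frame into the post's four fields; None if the length or the
    fixed sync preamble does not match (i.e. not a TouchTunes remote frame)."""
    frame_hex = frame_hex.lower()
    if len(frame_hex) != FRAME_LEN or not frame_hex.startswith(PREAMBLE_HEX):
        return None
    k = len(PREAMBLE_HEX)
    return {"preamble": frame_hex[:k],
            "key": frame_hex[k:k + KEY_LEN],
            "message": frame_hex[k + KEY_LEN:k + KEY_LEN + MSG_LEN],
            "tail": frame_hex[k + KEY_LEN + MSG_LEN:]}


def make_test_capture(frame_hex, jitter_us=0.0):
    """Constructed fixture only: run-length encode a known frame at the symbol
    period, stretching every run by jitter_us to mimic a sloppy demodulator."""
    symbols = "".join(f"{int(c, 16):04b}" for c in frame_hex)
    pulses, cur, run = [], symbols[0], 0
    for s in symbols + "x":                      # sentinel flushes the last run
        if s == cur:
            run += 1
        else:
            pulses.append((cur == "1", run * SYMBOL_US + jitter_us))
            cur, run = s, 1
    return pulses
```

Running `parse_frame(hex_from_symbols(symbols_from_pulses(make_test_capture("FFFF00A2888A2AAAA8888AA2AA2220", jitter_us=120))))` recovers the post's fields even with every run stretched by 120 us; in a real capture the trailing silence is unbounded, so cut the symbol string at 120 symbols before packing.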