NotPike Posted January 18, 2017 Share Posted January 18, 2017 (edited) V0.4 has been released! https://github.com/notpike/The-Fonz TX all commands as you would with the remote! Passive PIN discovery! Brute Force a command, loops threw all 256 PINs for a single command! Dank ass meme's! Booze, Chicks/Dudes and more! No piratical application but here's a script that uses the YSO (or any other CC1111 radio that uses RfCat) to emulate, brute force, and listen for the TouchTunes Jukebox remote transmissions. With this power you could skip songs, turn up/down the volume, or possibly add promotion credits for free songs. For research purposes only of course :D. -=Here's the quick and dirty on how I reversed this remote=- So… This project all started 2 years ago when my wife and I dropped $20 at the local gay bar to listen to some filthy Dubstep, rad ass EDM, and Beck. After inserting that Jackson, I realized my grand idea of saving money isn’t working out… (We spent $120 that night… $40 on the jukebox…) Next morning, hung over and sad, I made it my mission to figure out how to get free music out of this Jukebox. This is how I started, and here’s how I bumbled my way to to figure out an IoT Jukebox known as TouchTunes. -=Reading=- I would just say research but TBH what I did wasn’t that sexy. Armed with my skill of “Google Fu” I found various manuals about the device. I found some good information in these manuals and it gave me a few ideas on how to score free jams. http://productwarranty.touchtunes.com/download/attachments/655383/900475-001-Virtuo Installation and Setup Guide-Rev08.pdf?api=v2 http://productwarranty.touchtunes.com/download/attachments/1572899/900203-002-Dashboard User Guide-Rev00.pdf?version=1 http://www.touchtunes.com/media/marketing_resources/Remote_Control_Users_Guide_1.pdf -=I called random strangers and sat at a bar=- I made a few phone calls to random TouchTunes Techs who specialize in repairing these devices and got a lot of good info for them. I learned it was Linux box, everything is encrypted, It costs money to own the key, everything is locked down, and you need to own ~10 of them to get true admin rights. I wanted a way to experiment with a VM of the OS to figure out how it ticked. Because I don’t have $5000 laying around I’m kinda forced to black box this device. Thanks to a few local bars who had their IoT Juke box on the public WiFi, I was able to take a quick gander. Sadly the techs where right… It’s locked down... I’ll revisit this approach latter when I can save up for my own personal Jukebox lol. You can also add credits via the Internet BTW. Try to see if there’s a way to make the Jukebox believe I’m god and make it sing and dance. -=Three things I learned=- 1.) You can fill the queue with music to play with out paying for it. This was a marketing plan to make people more committed to pay for music if they made a queue first. 2.) If configured, the jukebox can be set up to receive “promotional credit”. Bar tenders and or managers can add to the balance so more music could be played. This is added by pressing the ‘P1’ button the wireless remote… 3.) There is a wireless remote! It, transmits on 433.92 MHz and it can be found for $50 on ebay! -=My plan of attack=- Add music to the queue Add promotion points Get free music! -=I spent money=- Because I’m cheap, I picked up a after market remote that works with all TouchTunes Jukebox’s Gen 2 and above. The plan was to reverse this remote with my Yard Stick One and HackRF and try to figure out how it works. The remote only has 256 PIN provabilities to keep neighboring bars from walking on each other so I could just hand jam all 256 PIN’s (000-255) to figure out which one they are using. 9 times out of 10, it was 000. So yah, nothing complex here. -=Reversing… Kinda…=- The first thing I did was find the FCC data, not a lot of useful info here but I at least figured out it existed. https://fccid.io/2AHXI-T1 I used a HackRF with the 'osmocom_fft' to monitor and record the wireless remotes transmissions. I then took a look of the raw IQ data with 'inspectrum' to see what I was dealing with. Below is what the On/Off command looks like with a 000 PIN. With this I know I'm working with ASK/OOK. The message in raw binary is... 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, In Hex it would be... FFFF00A2888A2AAAA8888AA2AA2220 I found this by right clicking and added an 'Amplitude Plot in 'inspectrum', moved the bar over the transmission, added a 'Threshold Plot', clicked 'Enable cursors' to count out how many symbols are being used (also tells you the Symbol Rate) and then right clicked to 'Extract Symbols' and the values where outputted in the terminal. -=RfCat=- At this point I switched from using an SDR to RfCat and the YSO. After figuring out the preamble was 1111111111111111 or FFFF in hex, Modulation (ASK/OOK), and symbol rate (~1766) I was able to create a script based off Michael Ossmann's work to help me record the data. https://github.com/mossmann/stealthlock/blob/master/sl.py After a lot of beer and recording every PIN possibility for the On/Off a few patterns emerged. If you want to look threw all my data you can check out the paste bin below but here's what I believe how the transmission is formated. ==Preamble== ==key== ==Mesage== ==?== ffff00a2888a2 aaaa 8888aa2aa22 20 I still no idea what the last 2 hex values are about (I noticed that their where 2 possible messages for each command depending on what PIN was. The last 2 where either 02 or 88... I couldn't figure out the pattern so I just hard coded when which command was used vs the other depending on what PIN in my final script) -=After that=- I expand the original script I used to record all the transmissions of the remote and added a passive PIN discovery feature to it. I then recorded all the message's (All the buttons) the remote would send (Both potabilities) and added the ability to determine which command was used. A week later I figured out how to TX the decoded values and I made a working TouchTunes remote for the YSO. And it's been tested. :D http://pastebin.com/Ue7UYAPg http://www.pressonproducts.com/t1-jukebox-remote-touchtunes-compatible/ Edited February 7, 2017 by NotPike 2 Quote Link to comment Share on other sites More sharing options...
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.