66% or better

“Clicker” hacking

Here’s another IR hack released at Toorcon. SurveySays (from Midnight Research Labs) is software that will intercept signals from remotes or “clickers” that universities use for test and quiz taking in class. According to the site, there are over a million of these remotes out there at hundreds of schools (UC Berkeley and SFSU to name a couple around [sith]’s area). SurveySays will display the most commonly given answer by the classroom on the screen and will also issue a trigger after every round. You can send in this answer automatically, for you or for a group of friends =). Have fun!

[thanks sith]

Comments

  1. rsd says:

    If only it could detect the correct answer! ;)

    btw, first post!

  3. John says:

    Just the other day I was looking at these at my campus bookstore, and was wondering how they could be hacked. Great to see that people are working on it.

  4. furtim says:

    I’m not immediately seeing how you’re supposed to receive directional IR signals from multiple devices pointing away from you. I get the part where it’s using LIRC to snoop for signals, but I don’t understand how the signals are actually supposed to reach your IR sensor in a real-world environment.

    It’s nifty but seems impractical to me. It’d also be nice to see testing results for more than one clicker operating simultaneously.

  5. scott says:

    When I was told I needed one for class, the first thing that went through my head was…how can I get one of these things to flood the polls…kinda bruteforce style…just cycling through ID numbers. Since they took attendance with them, one individual could do MANY people a favor.

  6. nullset says:

    furtim,

    While it’s true that IR is directional, it’s not very directional at all. It’s more like a speaker than a laser. The other problem with IR is that it bounces A LOT. Ever pointed your TV remote in different directions to see how many different ways you can point the remote and still have it work? Same idea….

    The output of any light source for the most part is a cone. The further away you are, the larger the cone is. If these things transmitted a spot, you’d have to be really good at aiming for it to work :)

    –buddy

  7. sbulof says:

    Ya my campus uses these also, but they’ve moved over to the RF ones. That way they removed the need for the IR ones to be pointed directly to the sensors.

  8. Damn! My school just switched from these IR models to the newer (more expensive) RF versions. They really are better from a non-hacking standpoint, in that in classes over 50 the receivers don’t bog down. Perhaps some WRT54G action could harness the power of the RF editions. I envision having the router in my backpack with ethernet running to my laptop, showing a live graph of votes as they are placed. Wicked, hehe.

  9. nullset says:

    umm…I doubt the RF modules use 802.11…. That would be ungodly expensive.

    –buddy

  10. Jfalk says:

    Yes, we use the PRS ones at my school (UMass Amherst) and I would personally love one that could spam back registered IDs w/ answers, because attendance is taken in many classes by this method. That alone is worth breaking out the soldering iron.

  11. mirthlesssmile says:

    Yeah I bought a PRS freshman year for my astro 100 class in Hasbrouck and that’s the only class I ever needed it for…$30 down the drain!

  12. furtim says:

    nullset, I figured on reflections, but most living rooms I’ve encountered are painted white, so the reflectivity is pretty good. Classrooms aren’t always, plus there will be more obstructions in the form of people’s heads and whatnot.

    I’d really like to see a real-world(ish) test to examine the reliability rather than just the simple undocumented “lab”-environment test results that they showed on the website. For that matter, they only showed their program’s output, not the input from the clickers. For all we know, the program could have been giving wrong results.

    There have been plenty of hacks in the past on this site with good testing documentation, so it’s not asking so much really.

  13. nullset, I understand what you’re saying, but in order for a WRT54G to *pick up* the signal it wouldn’t have to be on the 802.11 system. It doesn’t have to be 2.4 GHz to listen, does it? I guess I should talk to some firmware hacking folks because I really don’t know. It’s just an interesting idea.

  14. A Nonny mouse says:

    For the WRT54G to pick up a non-802.11b/g signal, you’d have to do some deep driver modification, at the very least. The Broadcom driver is not open-source, and the hardware is not publicly documented, so it would not be an easy task. To the best of my knowledge, no-one has yet produced an open-source driver for the Broadcom radio hardware on the WRT54G.

    Depending on the extent to which the radio is software-defined, you might also have to do hardware modification. For non-2.4GHz signals, you would certainly have to modify the hardware.

    (My completely uneducated guess is that it’s a 900 MHz or 2.4 GHz device.)

    You’d probably be better off looking into GNU Radio. Or, if you already have a receiver lying around, you could put an appropriate transverter in front of it and plug the AF output into your laptop’s microphone jack.

  15. ClickerHacker says:

    Has anyone hacked the i>clicker yet? It seems that they’ve all converted to wireless now, so infrared is a thing of the past. We just need to know what frequency and we need to know how to register the votes A-E. If somebody makes this, I know there will be hundreds who will want to buy it.

  16. fade says:

    The RF iClickers operate at 915 MHz. Anyone know if it’s possible to get a standard 802.11g adapter to pick up the signal? That seems like it would be the only hard part… once you can pick up data it’s just a matter of packet sniffing.

  17. XLQR9 says:

    How to Hack a Smart card/ SIM Card

  18. Anonymous Coward says:

    The RF proto for the Qwizdom RF clickers is known as ZigBee, IEEE 802.15.4.

  19. wafflematt says:

    The i>clicker uses an AVR micro controller that you can easily reflash with your own firmware. I haven’t investigated the possibilities of listening to other clickers yet. The communication chip is a standard one, though.

    Way old post, but I ran across it when I was looking at what other people have done with the iclicker.

  20. Fartman says:

    Hah, first thing I thought when being forced to buy an I>Clicker was how can I flood with votes.
