Reverse engineering an RF clicker

[Travis Goodspeed] has pulled apart a TurningPoint response card, which is an RF device for answering quizzes, attendance checks,  and casting votes in a classroom setting. After tearing it apart, he set out to reverse engineer it and managed to get quite a lot done. At this point he can spoof cards, so he could fake his or several people’s attendance. He can also sniff the packets as they are sent, opening up a plethora of opportunities to mischief. The one that was mentioned in the tip line was to simply repeat the answer that was most often sent for the quizzes. The writeup is very detailed and has great pictures. Good job [Travis].

[thanks Springuin]

Comments

  1. atrain says:

    I was planning on doing this with my clicker as well (brand: einstruction). It runs a Motorola cpu with a separate RF chip and firmware is on a eeprom. It also has 6 test pins labelled PROG in the battery compartment.

  2. tantris says:

    @atrain: i got an older einstruction (the orange-blue one). it has a nordic nrf24e1 in the clicker and a nrf24e1 plus a pic18 in the base.

  3. DarkFader says:

    So after a good number of correct answers are received you make a transceiver auto-answer for you. You first need to record your own transmitter ID by pressing a special combination and then just fake pressing a button for each question. Somehow this feels like cheating.

  4. Anon says:

    @DarkFader
    really, now
    maybe because it is cheating….

  5. cornelius785 says:

    @DarkFader

    because it is cheating.

  6. Daguava says:

    It’s not cheating, it’s working the system ;)

  7. SpeedBall says:

    No, it really is cheating. Sometimes, “Working the system” IS cheating.

  8. st2000 says:

    Beyond all of the comments so far. I am surprised Turning Point hasn’t created secure encryption software in preparation for this type of hacking. (I am betting the OEM engineers thought of it but didn’t press the issue because of time to market and cost constraints.) Really, this type of hacking can make or break a company. I’m jumping over a lot of discussion. But in the end, I think pushing companies to do their best or bust is a good thing.

  9. st2000 says:

    BTW, I am happy to see some real math here at hackaday.com: “…repeat the answer that was most often sent for the quizzes…”. A subject interesting enough to launch a short on last season’s NOVA Science Now:
    http://www.pbs.org/wgbh/nova/sciencenow/0301/04.html

    Basically the story goes (from wikipedia.org): “In 1906 Galton visited a livestock fair and stumbled upon an intriguing contest. An ox was on display, and the villagers were invited to guess the animal’s weight after it was slaughtered and dressed. Nearly 800 gave it a go and, not surprisingly, not one hit the exact mark: 1,198 pounds. Astonishingly, however, the mean of those 800 guesses came close — very close indeed. It was 1,197 pounds.”

    Dry, I know, but this sort of stuff props up the notion hackers do think from time to time.

  10. jbot says:

    This is exactly the kind of tinkering I’ve thought of with the i>clicker system. I wouldn’t use it for evil, but rather for meddling (spoof everyone’s vote when it is a participation question so everyone gets it wrong and watch the instructor freak).

    Something I’d like to do once I get a bit further into my EE/CpE degrees.

  11. Tod says:

    To answer the question about why secure encryption hasn’t been added to these clicker systems, it’s mostly that A) these companies don’t typically feel student users would be smart enough to hack them and B)the typical user would only have his/her hands on one for less than an hour unless it was snuck out of classroom without permission.

    Given the expense of these systems and the cost of replacing even one clicker, I’m surprised anybody with legitimate access to one actually decided to tear one down (let alone the numbers I’ve read about here). Mostly, the only way for an average hacker to get these clickers is by theft or “borrowing” from a classroom’s set.

    From a teacher’s point of view, while I’m happy to see some students thinking, hacking and doing the math and programming needed for this project, I sure hate the idea of instructional funding possibly being abused since it’s so hard to come by.

  12. jbot says:

    @Tod: They may loan these clickers out to students at some institutions, but at MTU they have students buy their own. They also aren’t that expensive…only about $30 for one.

  13. tantris says:

    it would be great to have an open source clicker system (i-clicker claims to be, but i have never seen any source code).
    it would also be useful for class room use: with a free protocol at the base station, clickers could be used for anything one could script!
    group the clickers and show group progress, have different students answer different assignments, sign up for different assignments using clickers..

    i’d really love to see an open clicker system. with an open source base unit, one could even use it at home as a long range remote control, to control the lights or the sprinkler. and
    the cheating problem could be taken care of with an asymmetrical encryption system

  14. Faculty says:

    @Tod: You are required to purchase these at the institution I work for. How could they be loaned out in class when each clickers id is assigned to an individual person for grading purposes?

    The idea that there is no encryption because the manufacturers assume that students are not intelligent enough to hack it seems pretty absurd to me. Someone dropped the ball on this.

  15. Paul says:

    Why do people still use the 8051? While the communication is dead simple, he was able to extract the entire rom from it. Its much harder to do this from a fused locked PIC or AVR. (Not imposable, just harder)

    Hell, even a TEA encryption using the serial number would be preferable. Very least you can’t real-time decrypt it for tests:P

  16. st2000 says:

    Paul said: “Why do people still use the 8051?…”

    I believe because the Intel patents have run out on the design – so no royalties. It’s 2nd sourced by everyone – which is way important – especially these days when no one stocks parts. Also, I can’t believe, with the dozens of variations, you can’t find one with secure programming memory.

  17. ed says:

    Does anyone know what the output of the clickers is? I mean, I’d love to design software for the simplest einstruction clickers but what is the output for each clicker and each answer that the computer actually sees? Anyone????

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s