IM-ME USB dongle hacking

This circuit board is from the USB dongle of a Girl Tech IM-ME. [Joby Taffey] took it apart and poked around to learn its secrets. These dongles come along with the pink pager that has become a popular low-cost hacking platform. But we haven’t seen much done with the dongle itself up until now.

[Joby] used the OpenBench Logic Sniffer to gain some insight on what’s going on here. The board has two chips on it, a Cypress CY7C63803 USB microcontroller which talks to the computer over USB and also communicates over SPI with a Chipcon CC1110 SoC radio. It looks like reprogramming the Cypress chip is a no-go, so he went to work on the CC1110. The inter-chip communications data that he acquired by sniffing the SPI lines gave him all he needed to reimplement the protocol using his own firmware. As a proof of concept he to reflashed the CC1110 and can now send and receive arbitrary commands from the dongle. There’s a tiny video after the break showing a script on the computer turning the dongle’s LED on and off.

Comments

  1. cgmark says:

    I would love for someone to post some info on how to program these cypress chips. They are used in everything from keyboards and mice to ir controls. The only info I can get from cypress is you have to buy the development kits, and those are really pricey.

  2. pytey says:

    Also for those interested in slightly higher level check out Scott Albertine’s open source IM-ME drivers http://im-megpldrivers.sourceforge.net/.

    @cgmark if you are interested in the Cypress PSoC SDK and need a programmer there is a cheap route, buy the Avnet Spartan 3A development kit, this is a Xilinx FPGA development kit that also has a Cypress PSoC chip on board (handling capacitive touch and UART), the best thing about this is it is $49 and comes with a free Cypress PSoC programmer. Link – http://j.mp/daFscj

  3. nes says:

    I got the impression from the datasheeet these Cypress Encore II controllers are initially programmed through the USB connector but using something more trivial than the USB protocol. There are no details what the protocol is though and whether the firmware loader resides in the flash and thus gets overwritten by the custom firmware, or whether it lives in it’s own ROM and can be re-enabled somehow. I guess someone would need to get hold of a genuine Cypress programmer and try and reverse engineer it to know for sure.

    It would be really cool to be able to use the dongle as a programmer for the Chipcon chip.

  4. Paul Potter says:

    The more the IM-me can be hacked the better.

  5. Infrared says:

    You can purchase a low low cost development kit for the chipcon rf @ Texas Instruments and you can use the Simplifi RF or any other protocol with the set. Why hack the cypress when you can get a cheap solution from TI. You could use the firmware from the IM ME with the TI CC

  6. xorwar says:

    The cypress chip probably gets programmed through voltage control and sequential buffers on the data pin. It probably has a ROM or non-writable section for the programming code.

    Looking at this though, it looks to play the role of just USB to SPI conversion..The magic is in the software and baseband.

    FYI: Most cypress chips are obscured. I know this from trying to mess with clock-gens on some netbooks that had ACPI CPU config removed with BIOS update. They all go to OEM.

  7. george says:

    wow like 12 relative comments deleted, one revealing how to pin buffer program the cypress chip..

    I wonder how many talented people are going to bother to comment here if their comments just get wiped?

  8. nes says:

    “wow like 12 relative comments deleted, one revealing how to pin buffer program the cypress chip..”

    .. And the Googlebot seems to have missed the lot. :-/ Cypress’ legal dept must be very quick off the mark. Guess that just about wraps up any chance of retasking the im-me USB chip to do anything more useful. Even if you could you couldn’t tell anyone about it.

  9. walt says:

    i remember when dongle meant…

    DONGLE: 1. (computer science) an electronic device that must be attached to a computer in order for it to use protected software.

    you’ve got to love watching the slow decay of terminology. wtf people!

  10. psocuser says:

    cypress chip can be reprogrammed, but you need a $40 in circuit serial programmer connected to the right pins. Not hard to do. Check and see if the usb line has 20-27 ohm resistors on the D+ and D- lines as well as ~100 ohm resistors going to different pins. If the ~100 ohm resistors are there, you can use a bastardized usb cable and a cypress programmer to reprogram the chip. As someone else mentioned though, the chip merely functions as a usb bridge to the radio and that particular chip isn’t packing a large amount of memory anyway.

  11. mr x says:

    These are super cheap on eBay UK right now because the highstreet shops have stopped selling them. They were getting too many returns because it’s a closed IM/SMS platform – the very feature you’d think paranoid parents would love? It’s also been marketed at the poor parent who is weak when it comes to pester-power. Any kid worth their salt today has a netbook right?!

  12. Joby Taffey says:

    The communications protocol between the Cypress and CC1110 is still not completely understood.

    I now favour using a serial port wired onto the CC1110 instead – http://blog.hodgepig.org/2010/11/23/im-me-dongle-uart/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 93,990 other followers