Reverse Engineering An RF Clicker

[Travis Goodspeed] has pulled apart a TurningPoint response card, which is an RF device for answering quizzes, attendance checks,  and casting votes in a classroom setting. After tearing it apart, he set out to reverse engineer it and managed to get quite a lot done. At this point he can spoof cards, so he could fake his or several people’s attendance. He can also sniff the packets as they are sent, opening up a plethora of opportunities to mischief. The one that was mentioned in the tip line was to simply repeat the answer that was most often sent for the quizzes. The writeup is very detailed and has great pictures. Good job [Travis].

[thanks Springuin]

17 thoughts on “Reverse Engineering An RF Clicker

  1. I was planning on doing this with my clicker as well (brand: einstruction). It runs a Motorola cpu with a separate RF chip and firmware is on a eeprom. It also has 6 test pins labelled PROG in the battery compartment.

  2. So after a good number of correct answers are received you make a transceiver auto-answer for you. You first need to record your own transmitter ID by pressing a special combination and then just fake pressing a button for each question. Somehow this feels like cheating.

  3. Beyond all of the comments so far. I am surprised Turning Point hasn’t created secure encryption software in preparation for this type of hacking. (I am betting the OEM engineers thought of it but didn’t press the issue because of time to market and cost constraints.) Really, this type of hacking can make or break a company. I’m jumping over a lot of discussion. But in the end, I think pushing companies to do their best or bust is a good thing.

  4. BTW, I am happy to see some real math here at “…repeat the answer that was most often sent for the quizzes…”. A subject interesting enough to launch a short on last season’s NOVA Science Now:

    Basically the story goes (from “In 1906 Galton visited a livestock fair and stumbled upon an intriguing contest. An ox was on display, and the villagers were invited to guess the animal’s weight after it was slaughtered and dressed. Nearly 800 gave it a go and, not surprisingly, not one hit the exact mark: 1,198 pounds. Astonishingly, however, the mean of those 800 guesses came close — very close indeed. It was 1,197 pounds.”

    Dry, I know, but this sort of stuff props up the notion hackers do think from time to time.

  5. This is exactly the kind of tinkering I’ve thought of with the i>clicker system. I wouldn’t use it for evil, but rather for meddling (spoof everyone’s vote when it is a participation question so everyone gets it wrong and watch the instructor freak).

    Something I’d like to do once I get a bit further into my EE/CpE degrees.

  6. To answer the question about why secure encryption hasn’t been added to these clicker systems, it’s mostly that A) these companies don’t typically feel student users would be smart enough to hack them and B)the typical user would only have his/her hands on one for less than an hour unless it was snuck out of classroom without permission.

    Given the expense of these systems and the cost of replacing even one clicker, I’m surprised anybody with legitimate access to one actually decided to tear one down (let alone the numbers I’ve read about here). Mostly, the only way for an average hacker to get these clickers is by theft or “borrowing” from a classroom’s set.

    From a teacher’s point of view, while I’m happy to see some students thinking, hacking and doing the math and programming needed for this project, I sure hate the idea of instructional funding possibly being abused since it’s so hard to come by.

  7. @Tod: They may loan these clickers out to students at some institutions, but at MTU they have students buy their own. They also aren’t that expensive…only about $30 for one.

  8. it would be great to have an open source clicker system (i-clicker claims to be, but i have never seen any source code).
    it would also be useful for class room use: with a free protocol at the base station, clickers could be used for anything one could script!
    group the clickers and show group progress, have different students answer different assignments, sign up for different assignments using clickers..

    i’d really love to see an open clicker system. with an open source base unit, one could even use it at home as a long range remote control, to control the lights or the sprinkler. and
    the cheating problem could be taken care of with an asymmetrical encryption system

  9. @Tod: You are required to purchase these at the institution I work for. How could they be loaned out in class when each clickers id is assigned to an individual person for grading purposes?

    The idea that there is no encryption because the manufacturers assume that students are not intelligent enough to hack it seems pretty absurd to me. Someone dropped the ball on this.

  10. Why do people still use the 8051? While the communication is dead simple, he was able to extract the entire rom from it. Its much harder to do this from a fused locked PIC or AVR. (Not imposable, just harder)

    Hell, even a TEA encryption using the serial number would be preferable. Very least you can’t real-time decrypt it for tests:P

  11. Paul said: “Why do people still use the 8051?…”

    I believe because the Intel patents have run out on the design – so no royalties. It’s 2nd sourced by everyone – which is way important – especially these days when no one stocks parts. Also, I can’t believe, with the dozens of variations, you can’t find one with secure programming memory.

  12. Does anyone know what the output of the clickers is? I mean, I’d love to design software for the simplest einstruction clickers but what is the output for each clicker and each answer that the computer actually sees? Anyone????

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.