A fantastic summertime game has consumed many of the kids in my neighborhood. It’s basically a treasure hunt, but the treasures are all shoebox-sized NFC readers that are “easily” findable on a map. Players all have a smart card and run around from box to box, collecting points that depend on how far apart the boxes are from each other. Walk, skate, or bike 1 km between check-ins, and ten points show up on the e-paper screen.
It’s been going on for a few weeks now, and it’s not uncommon to see a line of two or three kids at any given box, all with the purple lanyards and smart cards around their necks. So far, the highest-rated plausible single efforts have 450 km (280 miles) under their belt. My son’s grade-school average is 45 km (28 miles) over three weeks. The goal is getting kids out on the early summer afternoons, and that seems to be working!
Of course I had to reverse engineer the infrastructure, so here’s what I started with. Each box knows your point standing as soon as you tap the card, with a small delay. Scores appear online about every four hours. And the boxes are all ~1 km from each other or less.
My first thought was some kind of mesh network – that would be by far the coolest solution. Each box could simply report your card number to a central database, and the rest is a simple matter of software. LoRa radios rounded out my fantasy design.
But the length of time between getting the points and their appearance online suggests otherwise. And, a little bit of playing around with my cellphone’s NFC reader gives up the juice – they are MiFare Classic cards with data storage. So I got my own card, ran around town, and diffed the results. I haven’t cracked the location/time-stamping yet, but I know exactly where my total points are stored.
I’m going to keep observing until I’ve got it figured out completely, but I’m so tempted to tweak the points and see what happens. Are some of the digits in what I think are a timestamp in reality a checksum? Will I get disqualified? Or worse, what if I make a mistake and get myself publicly into first place? OK, better to sit this one out on the sidelines – I really don’t want to be the jerk who crashes a fantastic kid’s game. Sometimes you’ve gotta know when not to hack.