Cotton candy is probably the best way to eat pure sugar, which makes having your very own cotton candy vending machine to automate making it a bit of a dream. The machine that [Block’s Retro Repairs] got should therefore make him very happy, but unfortunately it was bought as defective. After digging into the machine in an earlier video, this time around there’s some actual success and proper cotton candy to enjoy.
The way that cotton candy is made involves spinning thin threads of sugar, which are created by the heating and rapid crystallization of the sweet stuff. Unfortunately this machine wasn’t even really extruding sugar any more, so it had to get a deep clean to remove probably years of crusty buildup. After this things still weren’t working right, although cranking up the temperature on the induction heated head improved the results somewhat.
To really fix the machine, this head with its clearly dodgy thermocouple had to be disassembled. This revealed that said sensor was looking rather frayed, potentially shorting out against the aluminium head and likely not in the entirely right position any more. After adding some insulation back and making sure that the thermocouple was located closer to the top of the head, it was time for more testing.
Repairing the thermocouple seems to have fixed most ills, with still some calibration of the temperature required, but finally resulting in fancy shaped cotton candy in its myriad of colors. Along with the looming hazard of potentially acquiring Type II diabetes from all the testing, there was still a problem involving the remote management feature of this Red Rabbit machine.
These $6,000 vending machines do feature an Android 7-based software with a Rockchip SoC and access to a lot of settings via its large touch screen, but features such as setting prices for the products are locked away via a remote account. The machine was sadly still linked to someone else’s account, and so far Red Rabbit support had not responded to any documentation, repair help or account unlinking requests. This has left the machine in somewhat of a pickle.
It was possible to dump the software of the machine, which can be fetched from Archive.org, so if anyone would like to pitch in and break this remote lock, that would be very welcome. It’s also considered to replace the cash reader with a simple button or so, but where’s the fun in that?
Marshmallow Peeps is the other way to get mostly pure sugar.
Now I want to put the Peeps into the cotton Candy machine.
For…..Science…..
Wooooooooooooooooohooooooooooooooooooo! A fellow Peepaholic!
Love me some Peeps. Just burned through this year’s stash a coupla weeks ago.
I actually worked for a company that sells clones of these and have tons of knowledge. Send me an email and I can see what I can do.
Reminds me of messing with coworkers who were obsessed with some mobile games in ~2016. It was easy enough to open up the database the android version of the game used, change your high score, load back into the game and send a screenshot… There was also a trivia game at the time that gave way too much trust in the client to decide the player’s rankings. You could change your local copy of the player’s stats, and next time it connected to their server it made the assumption you had been playing offline games and trusted that you really won those 5000 games in the 5 minutes since the last update… The same tools could be easily used to stuff fake SMS messages, etc. The cotton candy machine’s app probably uses the built-in android data primitives, or sqlite (depending on the OS/SDK version, they may be the same thing from what I remember?)
I remember a pinball game we used to play in school that had a highscore file that was easily editable. The score was 16-bit unsigned, and that’s how I learned ÿ has Windows-1252 value 0xFF.
Bonus points: the score ingame was 16-bit signed, so once a player got their 32768th point it overflowed and the score turned negative. The scores on the highscore list were, as noted above, unsigned, so scores between 32768 and 65535 were possible when read from the file, but not possible to achieve ingame.
Mostly posting this because I’m curious if anyone else has tried it: I just handed Claude the Archive.org dump and asked it to look at the account lock. I didn’t do any of the actual work.
It decompiled the APK and went through the logs on its own, I only pointed it at the file.
The lock is all server-side, and there’s no clearing it on the machine. On boot the machine POSTs its hardware ID (WiFi MAC reversed, plus the CPU serial) to machine/login on
http://www.gzchitu.cn. No password, nothing signed. The server takes that ID and looks up whose account owns it. No unbind anywhere in the app.
The reason you can’t set prices: pricing was never an on-device setting. The machine downloads its whole product list, prices included, as JSON from the server (the index and
machine/getDIYGoods calls). The local admin screens only do business hours, stock, volume, that sort of thing.
So forget unlocking the account. Replace the backend instead. The API client has no TLS cert pinning and no network-security-config, so you can repoint http://www.gzchitu.cn at a box you control,
hand back any token from machine/login, and serve your own index response. Setting prices then means editing a number in your own JSON. The full endpoint list (about 45 REST routes) and the
WebSocket protocol on port 20001 came straight out of the decompiled APK. Happy to post all that if someone wants to build it.
No achievement on my end, to be clear. I pointed an AI at a zip file. But it might be a useful trick for this kind of teardown.