Reverse engineering an e-ink display

188 points, by redfast00, over 2 years ago

12 comments

blutack, over 2 years ago

Nice article - is the idea to communicate with the tags with their stock firmware using another CC25x series chip or dev board?

Unfortunately, that might be tricky without the private keys in the controller. The user manual [0] describes per-site 128-bit AES keys used for the RF comms.

Might be easier to just write fresh firmware for them - there's some code here [1] for driving the display that could be ported to the CC2510. There's SDCC support for at least the CC2511 as used in the Pololu Wixel [2]. It's certainly possible that their cryptosystem is broken but I wouldn't bet on it.

0: https://fcc.report/FCC-ID/2ACQM-EDG2-0590-A/4393106

1: https://github.com/atc1441/E-Paper_Pricetags/tree/main/GxEPD2_modded

2: https://www.pololu.com/product/1336/resources
focusedone, over 2 years ago

I'm so happy there are people out in the world able to reverse engineer things like this and share the results publicly. Freakin' cool.
dclowd9901, over 2 years ago

> The biggest barrier to hacking is often the fear that you’ll break something while poking around. But you have to break eggs to make an omelet; likewise, you have to be willing to sacrifice devices to hack a system. Fortunately, acquiring multiple copies of a mass-produced piece of hardware is easy. I often do a bit of dumpster diving or check classified advertisements to get sample units for research purposes. I generally try to start with three copies: one to tear apart and never put back together, one to probe, and one to keep relatively pristine.

I love learning this kind of stuff through this site. In the world of reverse engineering or hacking stuff together, it feels like such a fumbly exercise that there just isn’t any discipline to it, but experts definitely learned some tricks and learning from them is such a treat. I’ll have to download that book and give it a read sometime soon.
dave78, over 2 years ago

I wonder if there are larger implications to reverse-engineering this. When I worked in retail in high school, I was told repeatedly that if a price was marked on a shelf, then there are laws that require the store to sell that item for that marked price. (IANAL so I don't know the nuances there, but it makes sense). If it becomes easy to change these displays with a new price wirelessly, that could be a really nasty problem for any stores using these displays.

Hopefully for the store's sake, there'd be some sort of public/private key system so that only the holder of the private key can distribute price changes wirelessly. I wouldn't bet money on that though.

(edit) - I see someone else posted the manual and that there's a per-site AES key. That's a good sign I guess.
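The two comments above (blutack's note that the manual describes a per-site key for the RF link, and dave78's question of whether a tag will only accept price changes from the key holder) both come down to what a tag has to check before it repaints its price. The following is an added example written for this thread, not code from the linked article, from the tag vendor or from anyone in the discussion. It assumes a made-up frame layout (tag id, sequence counter, price in cents, truncated MAC) and substitutes HMAC-SHA256 for the AES-based authentication the manual is said to use, so that it runs on the Python standard library alone; the key and all frames are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo key. The cited manual describes a per-site 128-bit AES key;
# this example uses the same key length but authenticates with HMAC-SHA256
# (an assumption made so the demo needs no third-party crypto library).
SITE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Assumed frame body: tag id (u16), monotonically increasing sequence counter
# (u32), price in cents (u16), all big-endian, followed by an 8-byte MAC tag.
FRAME_FMT = ">HIH"
BODY_LEN = struct.calcsize(FRAME_FMT)
MAC_LEN = 8


def mac_for(key: bytes, body: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the frame body (truncation is a demo choice)."""
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def build_update(key: bytes, tag_id: int, seq: int, price_cents: int) -> bytes:
    """What the store's base station would transmit for one price change."""
    body = struct.pack(FRAME_FMT, tag_id, seq, price_cents)
    return body + mac_for(key, body)


class Tag:
    """Receiver-side logic: only repaint after the frame passes every check."""

    def __init__(self, tag_id: int, key: bytes):
        self.tag_id = tag_id
        self.key = key
        self.last_seq = 0        # highest sequence number accepted so far
        self.price_cents = None  # what is currently shown on the e-ink panel

    def receive(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + MAC_LEN:
            return "bad length"
        body, mac = frame[:BODY_LEN], frame[BODY_LEN:]
        # Constant-time comparison so MAC checking does not leak timing.
        if not hmac.compare_digest(mac, mac_for(self.key, body)):
            return "bad mac"
        tag_id, seq, price = struct.unpack(FRAME_FMT, body)
        if tag_id != self.tag_id:
            return "wrong tag"
        # A valid but previously seen frame must not be replayed onto the display.
        if seq <= self.last_seq:
            return "replay"
        self.last_seq = seq
        self.price_cents = price
        return "ok"


def demo():
    """Walk a fresh tag through accepted, replayed, tampered and mis-keyed frames."""
    tag = Tag(tag_id=0x0042, key=SITE_KEY)
    results = []

    good = build_update(SITE_KEY, 0x0042, seq=1, price_cents=199)
    results.append(tag.receive(good))              # "ok": first genuine update
    results.append(tag.receive(good))              # "replay": same seq again

    tampered = bytearray(good)
    tampered[BODY_LEN - 2] ^= 0x01                 # flip a bit in the price field
    results.append(tag.receive(bytes(tampered)))   # "bad mac": body no longer matches

    forged = build_update(b"\x00" * 16, 0x0042, seq=2, price_cents=1)
    results.append(tag.receive(forged))            # "bad mac": wrong site key

    later = build_update(SITE_KEY, 0x0042, seq=2, price_cents=249)
    results.append(tag.receive(later))             # "ok": newer genuine update

    return results, tag.price_cents


if __name__ == "__main__":
    print(demo())
```

The point dave78 raises still applies to this design: because the MAC key is symmetric, every tag at a site holds the same secret the base station uses, so extracting it from one tag's flash is enough to author frames that every other tag accepts. Replacing `mac_for` with a signature verified against a public key stored in the tag would remove that exposure, since nothing recoverable from the tag could then produce a valid frame.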
irsagent, over 2 years ago

Very well written article. I have been looking for some inspiration to get into hardware hacking and I think this article did it for me.

I find it interesting that in most writeups voltage injection is a popular approach to turning on debug mode. The article makes mention of other classes of fault injection attack such as clock glitching or electromagnetic fault injection, but are there other approaches that I could look into, just out of curiosity?
layer8, over 2 years ago

It still somehow breaks my intuition that it’s cost-effective to have thousands of these deployed in each supermarket. I mean, I do understand it rationally, but it’s still weird.
adversaryIdiot, over 2 years ago

God I wish this could be me so bad. But they do some really crazy stuff to hack this and I just don't have the time or mental capacity to learn.
mk_stjames, over 2 years ago

I wonder what the motivation is for the attempt to use the stock firmware and reverse engineer whatever communication and potential key signing the device has from the factory, versus just wiping the flash / desoldering and replacing with completely new firmware from scratch.

That would require completely tracing the PCB out to understand the display drive from the uC and other pin assignments, but... I find that much easier. And then the end result is the potential for a completely understood hardware & software configuration.
GianFabien, over 2 years ago

I might be missing something. I've seen other reverse engineering projects where they simply unsoldered the flash memory and read out the contents. Wasn't that an option?
Mraedis, over 2 years ago

I wonder how popular this tag must be/have been to be able to find someone that had already dissolved/sandpapered it? Can't wait for the follow-up on this, turn that e-waste into something usable!
MayeulC, over 2 years ago

How about glitching a write instruction to overwrite the copy protection register instead?
60fps, over 2 years ago

Very well written article, thanks for sharing your findings! gg!