perth 8 days ago

Noticed this person didn’t want people to access the code for fear of misuse. Thankfully, someone else has already made this for flipper zero before them and released the code!

https://github.com/leedave/flipper-zero-meal-pager

  • thedrexster 8 days ago

    << Does this even work: I don't know. It's based on intel collected from other people. The Flipper sends data, I checked that with a second flipper. I've also heard rumors that it works in Australia. I'm sure it doesn't work in the US, as they use different frequencies. >>

    I mean, that's helpful, but....

    • ziggy_star 7 days ago

      It would be kind of less interesting if they just figured it all out for you and served it up on a silver platter, don't you reckon? Where is your phreaking spirit at? :)

      In the before computers times there was an ironically titled book called 'Steal This Book'.

      Amongst a variety of other things it describes one of the funniest and most beautiful hacks I've ever heard of. I'm leaving this as a hint for others for fun or the rare cases that I know are on here that absolutely need to eat without money.

      It requires one trusted accomplice and an all you can eat buffet. The rest is up to you to find out. It always works flawlessly and has for over half a century.

      • enoch_r 7 days ago

        That book strongly reminds me of this review of "On the Road":

        > On The Road seems to be a picture of a high-trust society. Drivers assume hitchhikers are trustworthy and will take them anywhere. Women assume men are trustworthy and will accept any promise. Employers assume workers are trustworthy and don’t bother with background checks. It’s pretty neat.

        > But On The Road is, most importantly, a picture of a high-trust society collapsing. And it’s collapsing precisely because the book’s protagonists are going around defecting against everyone they meet at a hundred ten miles an hour.

        • ziggy_star 7 days ago

          Well observed. The very ending of On The Road itself addresses this if you read carefully, Kerouac did not lack in self awareness.

          But then again he was a yuppie not a hippie trying to levitate the pentagon so that all the evil spirits fall out. ;)

          And here we are where we are eh?

          • Rediscover 7 days ago

            Kerouac aside, wasn't it the yippies (not yuppies) that were doing the Pentagon performance?

            ISTR yuppies were years after the Youth International Party (and quite different).

            Anyone?

            • ziggy_star 7 days ago

              Sorry I really bungled it up. Blame autocorrect and lack of coffee.

              Meant to say Kerouac was a beatnik, Abbie was a yippie who inspired a generation of dirty hippies.

              And we've sunk further still but I don't know that there is a lasting term yet. Maybe it will be NPC? I favor Quaranteenie (which makes less sense but sounds more fun, I mean by it a teenager who was locked up during their formative years and ended up a politically active mentally ill ignoramus)?

      • dylan604 7 days ago

        > Where is your phreaking spirit at?

        You gotta keep in mind that there is a sizeable portion of any hacker culture that doesn't want to (or can't) do any part of the actual hacking that gets things figured out, but instead just want to use what was figured out in ways not intended by the original purpose of whatever was hacked. One might say the script kiddies of the physical side of things.

        There are way more cooks in the kitchen than chefs.

        • MadnessASAP 7 days ago

          To put it a little nicer, there's many skills encompassed by the title "hacker". There is no such thing as a universal jack of all trades hacker. Some are better at software, some are more comfortable in hardware. The RF hackers have a whole bundle of sub specialties.

theamk 8 days ago

> around 858 microseconds (0.000858 seconds per symbol), which is a weird number, but maybe I’m slightly off or there’s some larger math I’m missing that makes this number satisfyingly round

1/858e-6 sec = 1165 Hz. They were likely trying for 1200 Hz, but the crystal was a bit off.

  • kragen 8 days ago

    1200 baud is a standard baud rate and I think 3% is within tolerance. probably not a crystal though or it would be much closer
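The arithmetic in the two comments above, carried a step further as an added example (not code from the thread or from the article): estimate a symbol period from the timestamps of signal transitions in a capture, snap it to the nearest standard asynchronous baud rate, and report the deviation. The list of standard rates, the 3 % tolerance default and the sample edge timestamps are constructed assumptions for illustration.

```python
"""Estimate a symbol period from transition timestamps and compare it with standard baud rates."""

# Common asynchronous serial rates in symbols per second (constructed list; extend as needed)
STANDARD_BAUDS = (300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200)


def estimate_symbol_period(edge_times_s):
    """Estimate the shortest symbol period from a list of transition times (seconds).

    Each gap between consecutive edges is assumed to be a whole number of symbols
    (true for NRZ/OOK-style encodings). The smallest gap gives a first guess; every
    gap is then rounded to an integer symbol count and the period is refined as a
    weighted mean, which averages out per-edge timing jitter.
    """
    gaps = [b - a for a, b in zip(edge_times_s, edge_times_s[1:])]
    if not gaps:
        raise ValueError("need at least two edges")
    guess = min(gaps)
    symbols = [max(1, round(g / guess)) for g in gaps]
    return sum(gaps) / sum(symbols)


def nearest_standard_baud(period_s, bauds=STANDARD_BAUDS):
    """Return (nearest nominal baud, measured rate, deviation in percent of nominal)."""
    rate = 1.0 / period_s
    nominal = min(bauds, key=lambda b: abs(b - rate))
    deviation_pct = (nominal - rate) / nominal * 100.0
    return nominal, rate, deviation_pct


def within_tolerance(period_s, tol_pct=3.0, bauds=STANDARD_BAUDS):
    """True if the measured rate lies within tol_pct of the nearest nominal rate.

    The 3 % default is an assumption chosen for illustration, not a figure taken
    from any serial standard.
    """
    _, _, dev = nearest_standard_baud(period_s, bauds)
    return abs(dev) <= tol_pct


# Constructed sample: edges at whole multiples of 858 us with a few us of timing jitter
SYMBOL_US = 858.0
_SYMBOL_INDEX = [0, 1, 3, 4, 6, 9, 10]
_JITTER_US = [0.0, 3.0, -2.0, 4.0, -3.0, 1.0, -1.0]
SAMPLE_EDGES_S = [(i * SYMBOL_US + j) * 1e-6 for i, j in zip(_SYMBOL_INDEX, _JITTER_US)]

if __name__ == "__main__":
    period = estimate_symbol_period(SAMPLE_EDGES_S)
    nominal, rate, dev = nearest_standard_baud(period)
    print(f"symbol period {period * 1e6:.1f} us -> {rate:.0f} Bd, "
          f"nearest standard {nominal} Bd ({dev:+.2f} %)")
```

With the page's 858 µs figure the nearest standard rate is 1200 Bd and the transmitter runs about 2.9 % slow, which is the "3 %" mentioned above; whether that is acceptable depends on how much of the receiver's timing budget the rest of the link already consumes.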

whartung 8 days ago

I want to know how when you see a stack of pagers, each one knows its position in the stack so that when the stack decides to go into "attract" mode, it animates them one by one, like an elevator going up.

Somehow when they stack, they know where they are relative to the other pagers (at least something does).

  • jrussino 8 days ago

    If I recall, they have female port connectors on the bottom and little male prong connectors that mate with them on top. I assume that is mainly for power connection, so you can put a whole stack on a charger and charge them all simultaneously. But if they can sense a signal on the female pins then that's sufficient to enable the behavior you're describing without directly knowing the positions of each pager, right? Pager on the bottom sees a signal on its female pins, blinks its light, sends the signal on its male pins, then the next pager above sees the signal on its female pins, blinks its light, sends the signal on its male pins, etc...

    • Cerium 8 days ago

      I think that is the whole trick - they look like they are all in parallel on four wires, but really two of the wires are daisy chained through each device (like serial LEDs). In this configuration you can do the light tricks without knowing the order, but you can also enumerate the order. I have seen addressing based on hop counting, or by appending your ID to "who are you" message.

      Eg: Host sends "who are you" first device appends an ID number and then propagates the message forward in the chain. Each device does the same, until the last device in the chain (which detects electrically or via a timeout that there are no more devices) decides to loop the message back to the host.

  • ssl-3 8 days ago

    Looking at photos on Google Images, it looks like the pagers in question have just two pins on the top, and two more mating pins on the bottom.

    Obviously, that's for power delivery: They stack to charge.

    But it seems like data must be sent (in one direction) through the stack at the same time that charging happens -- to set IDs, and to let attract mode work.

    One way I can conceive of to allow this to happen is by reversing polarity: Send power with one polarity for a 0, and in the opposite polarity for a 1.

    Once a pager has some data, it can pass it along to the one stacked above it by doing the same thing -- in a manner not dissimilar to how things like RGB LED strings do.

    Charging can happen at the same time as this data is received (and potentially modified) and then retransmitted by using a bridge rectifier in each unit for the charging circuit, so that (as far as the battery bits can see) the polarity remains constant.

    (This sounds complex and slow, but using things like diodes and MOSFETs is cheap at mass production PCB stuffing scales, and the data rate needn't be fast. It may even be cheaper to do it this way than a more complex assembly with dedicated data pins.)

    • fragmede 8 days ago

      Or you could have a fixed clock and sample based on that, so no having to deal with reverse polarity. This is the restaurant industry though, so assume they'll get wet and the worst possible combination of pins get shorted, so design the circuit to be as tolerant of that as possible. Also consider the 4 pins getting into conductive fluid electrified with AC.

      • ssl-3 8 days ago

        Perhaps. Can you elaborate on how your own idea works? I think I know what you mean, but I'd like for it to be explained.

        My own idea implies a potential of ~100% charging duty cycle even as low-speed data is being transferred, and that's good because charging seems to be the primary goal here in this application.

        (My other idea, that I have not yet espoused, involves a waveform on top of a fairly-constant charging voltage. It can perform asynchronously, and might even be just amplitude modulation. But it probably means more parts and complexity than my first idea involves: Functional analog filters always seem to take a handful of parts to get it right, whereas my polarity-swap idea only uses a couple of high-tolerance jellybean MOSFETs and some parts-bin diodes.)

        • fragmede 6 days ago

          every 10 milliseconds (or whatever), the base goes high or low, and by having a clock on board that can count 10 milliseconds, the puck can sample the pin and read a high or low value, and then you specify patterns from there. You'd have to make it so it can be connected in the middle of a packet and ignore it and such, but those are solvable. (Technically you'd sample more frequently on the pucks due to Nyquist.)

          Ooh, just AM off the power pin itself is another clever way of doing it. All comes down to price and what's the cheapest to implement so you can drive the BoM on the pucks down as much as possible.

    • kragen 8 days ago

      this is a great idea. you don't even need a bipolarity driver, just an h-bridge. though if you do have plus and minus rails plus ground, you only need two transistors

      • ssl-3 8 days ago

        How do you mean?

        There are only two contacts between any device and the device below it, according to the photos. This trend continues upward for all subsequently-connected devices.

        An interface with +, -, and ground implies three contacts.

        • kragen 7 days ago

          i mean you connect one wire to ground and switch the other wire between - and + with two transistors, thus reversing polarity on it in a way that can be used to signal information while also efficiently transferring power (though only a quarter of the power you could transfer with an h-bridge across rails of the same voltage)

          basically rs232 signaling with just tx and ground

          • ssl-3 7 days ago

            I like it. That's related to, but more elegant than, my off-the-cuff idea.

            • kragen 7 days ago

              i think that to the receiving device it looks exactly the same as the h-bridge approach which i think was your initial version, unless it has some other path to ground, maybe a capacitive one. but if it does have such a path, it's probably useful for it to have such a genuine ground pin

  • yencabulator 7 days ago

    LED strips have 3 pins (power, data, ground) but if you don't care about exact power levels maybe you can modulate power to send data.

    Protocol-wise, WS2812B for LEDs works basically by having every LED along the way take the first X bytes, interpret them as a command to itself, and forward the rest -- and that's how you can address 100 LEDs on one data line.
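A message-level simulation of the daisy-chain schemes discussed in this subthread (Cerium's hop-count and ID-append enumeration, the bottom-up attract animation whartung asked about, and the WS2812-style "take the first command, forward the rest" addressing yencabulator describes), as an added example that is not code from the thread or from any pager product. The electrical link is abstracted to a Python method call, the serial numbers are constructed, and end-of-chain detection is assumed to be "nothing connected above" rather than the electrical or timeout detection real hardware would need.

```python
"""Message-level simulation of a daisy-chained pager stack: enumeration, attract mode, addressing."""


class Pager:
    """One pager. 'above' is the unit stacked on top; None means nothing is connected there.

    Real hardware would detect the end of the chain electrically or by a reply timeout;
    here that is abstracted to 'self.above is None' (an assumption of this example).
    """

    def __init__(self, serial):
        self.serial = serial        # factory ID, constructed for the example
        self.above = None
        self.position = None        # learned by hop counting, 0 = bottom of stack
        self.blink_ticks = []       # when this unit blinks during attract mode
        self.display = None         # last per-unit command received via SHOW

    def receive(self, kind, payload):
        """Handle a message coming up the chain; return the reply that travels back down."""
        if kind == "WHO":
            # ID-append enumeration: add my serial, then forward (or loop back if I am last)
            payload = payload + [self.serial]
        elif kind == "HOP":
            # Hop-count enumeration: the count I receive is my index from the bottom
            self.position = payload
            payload = payload + 1
        elif kind == "ATTRACT":
            # Attract mode: blink on the tick I receive, tell the next unit to blink one tick later
            self.blink_ticks.append(payload)
            payload = payload + 1
        elif kind == "SHOW":
            # WS2812-style addressing: take the first command for myself, forward the remainder;
            # whatever is left over at the top of the stack loops back to the host
            if payload:
                self.display = payload[0]
                payload = payload[1:]
        else:
            raise ValueError(f"unknown message {kind!r}")
        if self.above is None:
            return payload          # end of chain: the reply loops back to the host
        return self.above.receive(kind, payload)


def build_stack(serials):
    """Link pagers bottom to top and return the list (index 0 = bottom, the one the host drives)."""
    stack = [Pager(s) for s in serials]
    for lower, upper in zip(stack, stack[1:]):
        lower.above = upper
    return stack


def enumerate_by_id(stack):
    """Host asks 'who are you'; the looped-back reply lists serials bottom to top."""
    return stack[0].receive("WHO", [])


def enumerate_by_hop(stack):
    """Host sends hop count 0; each unit records its position. The reply is the stack size."""
    return stack[0].receive("HOP", 0)


def attract_schedule(stack, start_tick=0):
    """Run one attract-mode sweep; returns [(serial, tick)] showing the bottom-up animation."""
    stack[0].receive("ATTRACT", start_tick)
    return [(p.serial, p.blink_ticks[-1]) for p in stack]


def show(stack, commands):
    """Address every unit with one command each; returns (displays bottom to top, leftovers)."""
    leftover = stack[0].receive("SHOW", list(commands))
    return [p.display for p in stack], leftover


if __name__ == "__main__":
    stack = build_stack(["P-001", "P-002", "P-003", "P-004"])  # constructed serials
    print(enumerate_by_id(stack))
    print(enumerate_by_hop(stack), [p.position for p in stack])
    print(attract_schedule(stack))
    print(show(stack, ["red", "green", "blue", "white", "extra"]))
```

The leftover list returned by show() is a cheap consistency check: if the host sent more commands than there are units, the surplus comes back, and if it sent fewer, the top units keep their old state, so a host can compare the reply against what hop counting told it and notice a unit that dropped out of the chain.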

tgsovlerkhgsel 8 days ago

I honestly appreciate the decision to not release the code ("I’m not going to be publishing this code since I can’t think of a good use anyone would have for this besides folks using a low cost SDR and annoying local restaurants"). All too often have I seen security researchers release fully weaponized attack tools that then promptly get used by attackers (and not the pranking kind of attackers either).

Could the attacker write it themselves? Probably. Will reducing the cost by providing ready-made code increase attacks? Almost certainly. I wish that more people would consider whether releasing the code will be a net benefit (by enabling legitimate research, education, proof-of-concept demonstrations of vulnerability) or harm (by enabling malicious attacks). Even if the underlying exploit/vuln/feature is the same, form matters: A ready-to-use attack toolkit with multi-client management capability is much more likely to be useful to attackers than defenders, whereas a simple proof of concept that is hardcoded to show a pre-defined message with no easy way to change that is much less likely to be reused maliciously.

And pranking a pager system sounds pretty harmless, until you realize that a restaurant is likely quite strongly relying on it and essentially DoS'ing it has the potential to affect their business.

  • SoftTalker 7 days ago

    Restaurants used to just give you a number and they'd have a light-up display of the number(s) ready to be seated. Fairly immune to hacking but does require the customer to stay in visual range of the display and remember to keep an eye on it.

    Or they would take reservations in advance, but almost none do that anymore.

    • tgsovlerkhgsel 6 days ago

      The keyword is "used to". They no longer have it, so they can't fall back to it.

      Of course they could, and would, go back to shouting numbers, but there's a reason they introduced a pager system. It'd likely slow them down, and with the razor thin margins many restaurants operate at, even a small impact on their revenue could be problematic.

bragr 8 days ago

Looking at the system for sale [1] now, the lack of security seems to be one of their selling points:

>Multiple keyboards call the same pager. The pager system long range supports multiple keyboard call the same restaurant pagers.

As an aside, all the church nursery references stand out to me. Are pager systems common for that and am I just out of touch?

[1] https://www.amazon.com/Retekess-Restaurant-Adjustable-Remind...

  • hobs 7 days ago

    It's a silent way of notifying the parent their attention is needed when they are in the pews.

avg_dev 7 days ago

very fun article. What is a PHY?