Reverse engineering the PixMob wristband protocol

The idea behind the PixMob bracelet is simple: at a concert, the organizers distribute the bracelets to the spectators, and during the show, infrared projectors transmit commands so that they all light up in sync. Sometimes attendees were allowed to take these wristbands home after the event, and a few hackers attempted to reuse them.

The protocol is proprietary, however, and we've yet to see anyone re-use these wristbands without tearing them apart or reflashing the microcontroller. [Dani Weidman] tells us how, together with [Zach Resmer], they laid the groundwork for reverse-engineering the protocol of these wristbands.

Our pair of hackers began by obtaining a number of recordings from a helpful stranger online, and went on to replay those IR recordings to their wristbands. Most of them caused no reaction, presumably being configuration packets, but three of them caused the wristbands to flash in different colors. They translated these recordings into binary packets, and Dani went through different possible combinations, tweaking bits here and there, transmitting the packets and seeing which were accepted as valid. In the end, they had about 100 valid packets and even figured out some protocol quirks like color animation bytes and motion-sensitivity mode enable packets.

The GitHub repository has decent documentation and even a video, sample code you can run on an Arduino with an IR emitter, and some packets you can send with a Flipper Zero. If you want to learn more about the internals of this device, check out the teardown we featured in 2019.
