Monday, 8 December 2014

The revenge of the Super Animal cards

Since my last post:

  1. I've continued tinkering with this a bit.
  2. Woolworths announced this weekend an extra 72-card Christmas themed set, as a special gift too all parents out there who weren't already at their limit because of the first 108 cards that their children "must have".
So it turns out that at least 72 of my generated cards are from this new set. But which ones? What about the rest of the IDs - do they trigger a sound?

Earlier in the week I managed to get a hold of a card reader and took it apart to have a look it how it works.

 The card slot contains an infrared (IR) LED and sensor.

The card reader strip with IR LED and sensor

The LED is turned on by a simple switch when the user starts pulling the card through the slot. As the card continues to pass through, infrared light is reflected off the white parts of the card, but not the black parts and since the plastic behind the card is also white, the only non-reflected portions are the barcode. The micro controller (Mactronix 25L1605D) inside the device receives this information from the IR sensor and interprets the lack of reflections as the barcode.

UPDATE: In my rush to get things done I didn't bother to read the spec sheet. U1 is actually just the flash chip. The big black dot on the board is the micro. This process is called chip-on-board.

I might have to mess with this later...

My boss pointed out that this would be easy to spoof programmatically with an Arduino. Since I already had a couple of boards lying around I started on a simple sketch based on the basic blinking LED example provided by the Arduino team.

Humans can't see infrared light. Most digital cameras (such as the one in your phone) are able to detect the infrared light, so you can use a camera to view it, but I decided it would be easier to just do my development with a regular LED and switch over to and infrared LED later on. Conveniently the Arduino board I decided to use has a LED on the board connected to pin 13.

You can find the code here.

After making sure the lights blinked nicely at a speed that felt similar to swiping a card through the reader, I wired up my bread board. I was a bit lazy laying out the circuit and just chose a 330 Ohm resister I had handy to protect the LED. There's heaps of tutorials on the net about using Ohms law to calculate the resistor value correctly, but...well, I'm pretty lazy and was doing most of this in the 20 min before bed so I pretty much couldn't be bothered.

For the IR LED, I pulled the transmitting part out of a QRD1114 I had lying around.

The program that I uploaded to the Arduino cycles through all ID values starting at 1 and working through to 1023. I found that if I held the card reader's IR sensor over the LED and messed around triggering the switch, I would eventually trigger it at the right time to scan for the barcode and it would play the sound.

So my proof of concept worked. However, in order to improve things, I'd needed a way to trigger the switch programmatically as well - and despite all of the components I've collected over the years I don't own a relay. Time for a trip to Jaycar.

I swung by before work and picked up 2 TRR1A05D00 5 Volt reed relays (always good to have a spare). Wiring these up is pretty easy. I connected PIN 2 on the relay to one of the Arduino digital outputs. I connected PIN 6 of the relay to ground. PINS 14 and 8 get connected to each side of the open switch on the animal card reader.

The whole circuit precariously resting and held together with duct tape

I modified my Arduino sketch to trigger the relay before the barcode is simulated using the IR LED. I messed around with the timing a bit until I managed to get a sound out of the reader. At this point my program was cycling from 181 through to 1023. A few random animal noises later, I finally hear what I've been waiting for:

"Better luck next time"

In an American female voice. Success! There is an Easter egg! ID 191 is the Easter egg.

There appear to be additional animals from 181 through to 190 - so maybe there'll be another "special edition" card extension sometime soon.

In the meantime, I look forward to showing my nice what I've found when I see her this week :)

UPDATE: As I was writing this post, I left the program running on the Arduino. A good chunk of the way through I heard a beep and what sounded like a camera shutter sound. I guess I'll have to do a more thorough check at a later date.

Tuesday, 2 December 2014

Super Reverse Engineering Animal Cards

I spent the afternoon last Sunday reverse engineering the barcodes on these after helping my niece and nephew sort through the horde of them my partner and I had collected from Woolworths.

There are 108 cards in the set and each one has a unique bar code on the back. You can buy a sound card reader accessory that reads the barcode as it is swiped and plays an audio file for the specific animal on the card.

From initial inspection of a few of the cards, I worked out that there were 13 bits in the code and the top (as in top of the card - the last three to pass through the reader) 3 bits were the same for a bunch of the cards. There were only ever two combinations of these bits - 0b101 and 0b011. The remaining 10 bits are used for the ID of the card. Card number 1 is 0b0000000001, card number 2 is 0b0000000010 and so on.

I immediately realised there were way more bits than required for the 108 cards in the set and wondered if they were mapped to anything. I recently listened to an Embedded Podcast where Elecia White interviewed Jeri Ellsworth. They spoke about putting Easter eggs in their embedded product and this made me wonder if the developers of the Super Animals card reader toy decided to do the same thing.

So I explained to my 10 year old niece what I was thinking. She was initially skeptical, but we decided to have a go making a paper barcode with the next number in the series. Since I didn't know what the top 3 bits were, we just copied them from one off the other cards and encoded 109 in the 10 ID bits. I explained that binary encoding was similar to the 1's, 10's 100's columns of decimal numbers that they learn in school, except that there were only possible values in each column - 0 and 1 instead of 0 to 9 like in the decimal system. 

We swiped the hand drawn card through the reader. It didn't work.

At this point my niece wasn't overly impressed, but unperturbed I suggested that we try one of the cards in the set that they were missing. We chose card number 18 in the series. I went through the same procedure (using the same top 3 bits), this time encoding 18 in binary instead of the 109 we had just tried.

Success! Chirping bird noises! We checked the list of cards and indeed number 18 is a bird.

So now my niece was convinced I wasn't just making things up, but we had run out of time. I had to go home, but those last three bits continued to bother me so I kept working on the problem there.

I messed around with some 3 bit CRC calculations before I realised that there was no way I could only ever get only 2 combinations like on the cards. I stopped thinking about the 3 bits as a single checksum and saw that the last bit was probably a stop bit, which would make sense for a swipe barcode reader.

I had earlier decided that even or odd parity didn't make sense as I had three bits to deal with, not one. However after a bit more messing around, it finally dawned on me that the other two bits were probably even and odd parity since one was always the inverse of the other.

I had taken photos of all of the cards, so to confirm the parity theory, I used these to make a table of card IDs and 3 bit values. I wrote a quick C++ program to spit out a similar list and diffed the files. Perfect match.

Armed with the ability to generate my own barcodes, I decided to write a Qt program to render these to pdf so that I could print them out and go hunting for Easter eggs (or at the very least, some extra animal noises). 

A couple of days later I managed to get a hold of my own card reader toy, print the cards 109-117 and give it a shot. All of the cards worked. Now I just had to work out if they were duplicates or a completely different set of audio tracks.

To be continued...maybe.

(You can download the pdf for all 1023 barcodes here)