This week, Reza Hussein published his awesome research into hacking the TouchTunes jukebox remote. (UPDATE: Reza has been asked to take it down.) This is a project I’ve worked on for way too long and in some ways feel relieved that someone could do what I failed to complete. What’s pretty funny to note is that Reza and I both attended Defcon and have been hacking on this for a while. I presented at Skytalks on the subject at this last Defcon 20, although my talk was split between the mobile app and the remote. It’s also funny that our tools are so similar: Saleae Logic Analyzer, Arduino PoC, DigiKey to source the parts. We even like similar coffee tables.
So, I’ve decided to stop being a pussy and publish everything since it really doesn’t matter any more and you might as well look at Reza’s research. You can find the information related to the mobile app here (which I’ve already disclosed to the vendor and they’ve since updated) and the details about the remote here. I’ve included a part of my code for the mobile app which no one has seen before, although I’ve taken out the dangerous bits. Sorry. It’s very easy to figure out where to fill in the blanks if you actually care. I’ve also included all the screenshots I have of the remote.
This project started a long time ago when I wanted to get some practice on mobile apps and a bartender friend of mine showed me the new mobile app that hooked into his jukebox. The TouchTunes jukebox was a fun target since it seemed like some VP at the company said “We should have a mobile app!” and a developer went “Oh shit!”
I got bored of this and looked for other attack vectors like the remote. This was pretty interesting because it was an RF remote, unlike other jukeboxes that are IR. This gave me an opportunity to get into some RF hacking and hardware hacking. The problem with this was that it was a _lot_ of fun to get into this and I don’t want to think about how many hours were spent on it. I didn’t know anything about radio or reversing circuits so everything was new and shiny to me. Intrepidus Group has this annual meeting every year in Cancun where they like to do a friendly “Hack of the Year” competition. It’s a hilarious time to present projects you’ve been working on so even though it was in kind of a rough state, I submitted this. At this point I was able to do most of the mobile hacks and a little bit of the remote stuff. At least enough to show that I was using a HAM radio rig to try and play the signals.
Fast forward to Kyle Kretes hitting me up for a presentation for his BSides in Detroit. I thought the TouchTunes stuff was pretty entertaining to present, especially when I added in my favorite song to play on jukeboxes. So a friend of mine and I go to Detroit and @SecJames fuels my presentation with 8am tequila. All goes well.
A few months later, @rossja goads me into submitting my presentation into Defcon Skytalks, which I do mostly because I expect to be filtered out. I surprisingly get selected and bring in @JustBill to help me since he has a background in all things related to radio. Arriving in Vegas and getting a Skytalk badge, we find that the badge made by PyroDon operates on 434MHz, basically the exact same as the remotes. So we furiously hack on these badges to turn them into what we called a “Juke-Box-B-Dong” – an ode to the 303 organizers. We didn’t have the tools necessary to get into it but we did make code that would theoretically work once we were able to flash it onto the PIC.
Four months from Defcon, six from BSides Detroit, 11 months from the Intrepidus Group annual meeting, and a long ass time since I started poking at the project, I’ve put the project down and Reza published his research that goes the next mile into creating a tool that will give you free credits, brute force the remote control PIN, and all in a tiny size. It’s perfect except I would have added a volume down option as well. :) I’m still hoping to learn how to program that PIC for the Juke-Box-B-Dong as it would be a cool feature to give to my 303 friends. Other research priorities at the moment though.