Sunday, July 4, 2010

Cybaby: the software you can use to hack wireless presenters

I was going to make my code somewhat prettier before releasing it, but as many people where asking for it I decided to release the version I used for the demo. It's called Cybaby (because my hardware was being a crybaby and I'm too lazy to think of a better name).

Too build the hardware get yourself an Arduino (I tested with the Duemillanove and Mega) and a LETO-M module. Just connect the LETO-M to the SPI interface on the Arduino, but make sure to cut down the voltage to 3.3V (I used a voltage divider which seems to work OK, but there are other ways as well). The LETO-M pins have a 2mm pitch. I soldered a cable to a 2mm connector, but you can also buy pre-made cables.

You can find Cybaby here:

This version only supports sending packets. A sample session (using the serial console built into the Arduino software):
> it
Init on Arduino Duemillanove
CYRF TX init
> q
Scanning for devices

Scanning for SOP_CODE 0x0
Scanning for SOP_CODE 0x1
Scanning for SOP_CODE 0x2
Scanning for SOP_CODE 0x3
Found device on channel: 0x46
Scanning for SOP_CODE 0x4
Scanning for SOP_CODE 0x5
Scanning for SOP_CODE 0x6
Scanning for SOP_CODE 0x7
Scanning for SOP_CODE 0x8
Scanning for SOP_CODE 0x9
Scanning for SOP_CODE 0xA
Scan complete!
> a03
Setting SOP_CODE to 0x3
> c46
Set channel to 0x46
> e454b
Sending packet 45 4B... success!
> e4100
Sending packet 41 0... success!

As you can see it's not that user-friendly right now. The it command initialises the hardware, you can then use q to start scanning for devices. In this case it found my presenter (an R400 in this case) on SOP code 0x03 and channel 0x46. We have to set those to send packets to it using the a03 (setting the SOP code) and c46 (setting the channel) commands. Then we can send packets using the eXXXX command (in this case I sent a page-up to the dongle).

Three-byte packets can be sent using the fXXXXXX command. f451408 sends Win+R, which should open the Run menu.


mikenz said...

Thanks heaps for documenting the results of your investigation and publishing your code.

I've just taken apart an R400 (one of two) and connected an Arduino Mega (running at 3.3v) directly to the test points on the R400 hand held circuit board.

Your code works without modification. I was expecting to need to cut the track for the power to controller half of the CYRF69103 but so far that has not been necessary.

For your reference, the two presenters I have are on SOP_CODE 0x03 and 0x09.

By chance, did you work out what to send for mouse events?


- Mike

mikenz said...

Code to take the mouse of a little walk and click back where it started.

case 'm': // move mouse
// down 20, right 20
// down 20, right 20
// down 20, left 40
// up 60
// click left button
sendPacket(4,0x47,0,0,0x20); //left:0x20 middle:0x40 right:0x80
sendPacket(4,0x43,0,0,0); // releaes button

Niels Teusink said...

hi mike,

Nice to hear you're experimenting with this stuff as well!

I didn't spend a lot of time on the mouse stuff (I think I only did a right-click but didn't document it), nice you got it working :)