DEF CON 31 - Warshopping- Phreaking Smart Shopping Cart Wheels Through RF Sniffing - Joseph Gabay
- Published on 4 Oct 2024
- Smart shopping cart wheels are electronic wheels with a mechanical braking mechanism meant to prevent cart removal or shoplifting, as well as electronics to provide other tracking functions. In a past talk, I’ve discussed the ultra-low-frequency communication these systems use and how to sniff and replay them (and even use your phone’s speaker to “phreak” your shopping cart!).
This talk explores a new type of smart wheel (the Rocateq system), and focuses on a deeper exploration of the hardware and firmware. On top of capturing new sets of ultra-low-frequency control signals, we’ll look at the 2.4 GHz “checkout” signal that it receives from the register and reverse engineer the PCB - soldering on “fly-wires” to look at the chip-to-chip communication with a logic analyzer. We’ll also use a PICkit programmer to dump the firmware from the main microcontroller for basic analysis using Ghidra.
In addition to the talk, the website where you can play the control signals as audio files on your phone will be updated to include the control codes for the Rocateq brand wheels.
If this isn't in a SonicScrewdriver by Christmas, then we have failed as a community.
I am the Doc 🤣🤣. Love the episode where both pull out their screwdrivers to show off.
Put in a Flipper as well, presto. Universal meddling tool.
What really surprises me is they don't have a tiny generator on the wheel providing power.
Great talk. Would listen for another 38 mins to you talking excitedly about shopping carts.
that one wonky wheel wrapped in hair, not spinning, begging to be charged xD
@redusercolor So you mean it might encourage supermarkets to fix their broken-ass trolleys? Mission accomplished.
Besides, if the wheel doesn't turn, the brake used in these things isn't going to work either.
you can sell more of them if they have a limited battery life.
Just higher cost and more to go wrong. I bet the integrated battery will last, minimum 10 years.
That plus a supercapacitor would be an interesting way to keep it charged and to detect that it's moving without an accelerometer.
Security in these: it is just adequate for the purpose. All who are engaged in those petty crimes (the reason these smart wheels were introduced in the first place) aren't the ones capable of getting through even such a simple system. Those capable of hacking through it don't get involved in those shoplifting activities in the first place.
Having everything super secured, disregarding the purpose, is just plain stupid. It ends up in a system where the "security" features and their consequences cause way more expense in normal business disruptions than the damage it is supposed to prevent. Don't forget you can just hold the cart corner off the ground a bit and there is nothing the wheel locking can do about it.
You don't know that, I could be involved in petty shoplifting in my spare time.
Why do you want shopping carts so badly?
@lawnmowerdude Free hardware.
Usually if you move fast enough, the wheel doesn't lock when crossing the wire.
Learned that from 9 year olds who were jousting in Walmart shopping carts, and dinging up cars in the neighborhood.
Bored kids, isn't that most defcon attendees?
@PaulDriverPlus And yet you're watching it
It's really great to see the Amish embracing technology.
The unpopulated footprint (labeled "N100A") is likely for a different package version of the populated part labeled "N100B"
Ahhh something for the purists. This was a great example of reversing from scratch. Nice work
What was that other group - not empaths, um, I'm trying to think of the word ...
Oh - the word I wanted was 'pedants', as in pedantics ...
That unpopulated chip is probably just the pinout for an alternative wake-up chip since the signals are routed to both footprints.
They will just use whatever was cheapest at the market that night
I bet that, like many companies, they had to redesign their PCB during the parts shortage and allow for as many alternatives as possible
@antonliakhovitch8306 Doesn't even matter about the recent silicon shortages. You'll find pads underneath NAND chips have multiple pads in case the assembly line switches to the smaller package version of the same chip halfway through production. The most notable case that comes to mind is the Gen III remakes of the Pokemon games; the PCBs for the game cards have pads for two sizes of chip for the save data. It's not abnormal for something containing a general purpose microcontroller, NAND or EPROM to have multiple pads for the same thing; sometimes there are even multiple through-hole mounts for capacitors, like in the Xbox's 1.6 revision board for the RTC capacitor.
This is the kinda fundamental research into esoteric things that makes hacking fun.
I wonder if you could create an EM pulse or tone strong enough to trigger all of the shopping carts in the store to lock up. The 8 kHz would probably need to be a harmonic of a higher frequency carrier in order to transmit far enough. The technical challenge would be interesting, although actually using it would be a dick move.
but it would be cool
This was my first thought as well. Walk around the store broadcasting the signal to lock all the carts up.
Hint: Think Navy sub transmitter, one of those located upstate wherever that xmits at near those freqs ...
You could build a short range transmitter into your shoe, with some sort of surreptitious activation method. Thus, if someone makes you mad or does something untoward, you can make a show of kicking the cart and setting off the alarm.
It would be a very funny prank. Another one is somehow finding a way to open every garage door in a neighborhood at the same time. Just cause as much havoc as possible
Some shopping carts can be appropriated by wheeling them backwards after the wheels lock up.
Yes, had to do this when the cart locked up at the door. Was not about to lug a full cart of bags back and forth to the car. When I realized it rolled backwards, I just turned the cart around and pushed it from the front.
I'm pretty certain there is absolutely nothing 2.4 GHz on that PCB at all.
That loop trace is probably something entirely different. My suspicion is that it will interact with those anti-theft gates in stores to trigger the alarm when it crosses a gate in locked mode.
Probably just an optional not enabled feature on this board.
If you listen carefully to some of the things he said, he definitely is a shit electrical engineer.
so you're saying it might be fraudulent advertising?
You're correct, they can be set to the 2.4 GHz or 5 GHz bands to communicate with anti-theft systems in-store.
The 2.4 GHz stuff is around the unpopulated module footprint labeled Y2, and Y2 also appears to feed the perimeter antenna trace directly. It appears to be a transmit-only continuous wave signal and it appears to be powered by the PIC's TX line, which is convenient. You'll notice the PCB is missing ground plane in that area. I would put money on it being an option to transmit to the security system.
@Peter_S_ re: "It appears to be a transmit-only continuous wave signal and it appears to be powered by the PIC's TX line, which is convenient."
Plot twist: it's a feature used for DFing, for tracking down errant carts that have 'left the premises'.
I can't stop thinking that this device is a wheel surrounded by electronics that the public literally pushes around a store all day every day.... why does the battery ever die for any reason except planned obsolescence?
You could definitely extend the life of the device with a kinetic charger, sure. That would, however, drive up hardware costs.
@pinaz993 Not by much though, since a kinetic charger would also detect motion, so you no longer need an accelerometer; you can put less effort into saving power if you now have a charger, and you could probably use a smaller battery too.
I'm not a very technical person, but a wireless charging strip underneath the wheels where the carts are stored would be possible as well.
@jesperdenbraven1995 That would be a lot more expensive than putting some magnets on the wheel, due to the extra infrastructure requirement.
@user2C47 There are already corrals for them. It's a simple rail and plug.
Inaudible [00:10:00] is "OSINT" as in open source intelligence
Inaudible [00:12:10] is "eschewed"
CoInCiDEnCe??
This reminds me of my dad if he was born in these days
10 years ago he brings home one of those shopping cart token securing mechanisms; he wanted to know how it works, and in his words “tamper-proof screws can’t stop you if you have a tamper-proof screwdriver”.
Re: Not asking where he gets things, I'm the same with my dad
He has a system called a DTL - Don't tell lyn (i.e. my mum)
Adding CEW to my black Friday shopping tactics
...isn't that the coin sound from Mario?
"like looking at footprints and trying to figure out what someone had for lunch" - you can tell by the spacing, and how much farther apart each step is on the way to the bathroom!
Hilarious, the tone when they confirm you've given them money does sound just like the Mario coin sound! 19:30
It helps when the footprints are in front of a hotdog stand!
Yup it is, and it also uses 2 transmitters around 2.45 GHz to induce a beat frequency in the audio frequency range that tells it: level up, you can go to the parking lot 😅
When you do an overlay, it may be easier, if it’s more complex, to change the chroma channel in Photoshop and add false color so you know which is on the back side. You could do that in a couple of steps as well, so that the solder lines connecting them are actually a different color as well, so it really can get into a clear understanding of the connections.
I would think a 'blink comparator' would work well too. I use those for looking at radar reflectivity data and Doppler data alternately.
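The false-colour overlay and the blink-comparator idea from the two comments above, as an added example that is not code from the talk or from Rocateq. It assumes the two photos have already been thresholded into copper masks (1 = copper, 0 = substrate); the masks here are tiny constructed grids so it runs offline, and the back-side mask is mirrored before compositing because a flipped board is photographed from the other side.

```python
"""False-colour overlay of front/back PCB copper masks (added example).

The masks below are constructed, not real photos: a real workflow would
load the two photographs with Pillow and threshold them into 0/1 copper
masks first.  1 = copper, 0 = substrate.
"""
from __future__ import annotations

RGB = tuple[int, int, int]
Mask = list[list[int]]

# Constructed front side: a trace along the top edge that drops down to a
# via at (row 1, col 3).
FRONT_PHOTO = [
    "11110000",
    "00010000",
    "00000000",
    "00000000",
]
# Constructed back side *as photographed from the back*: the board was
# flipped, so the same via shows up mirrored at col 4 and the trace runs
# toward what will be the right edge once un-mirrored.
BACK_PHOTO = [
    "00000000",
    "11111000",
    "00000000",
    "00000000",
]

FRONT_COLOUR: RGB = (255, 0, 0)      # front copper -> red
BACK_COLOUR: RGB = (0, 255, 255)     # back copper  -> cyan
BOTH_COLOUR: RGB = (255, 255, 255)   # copper on both sides -> white (via?)
NONE_COLOUR: RGB = (0, 0, 0)


def parse_mask(rows: list[str]) -> Mask:
    """Turn the string grid into a 0/1 matrix."""
    return [[int(ch) for ch in row] for row in rows]


def mirror(mask: Mask) -> Mask:
    """Flip a back-side photo horizontally so it lines up with the front."""
    return [row[::-1] for row in mask]


def false_colour(front: Mask, back_photo: Mask) -> list[list[RGB]]:
    """Composite front (red) and mirrored back (cyan) into one RGB image."""
    back = mirror(back_photo)
    if len(back) != len(front) or any(len(a) != len(b) for a, b in zip(front, back)):
        raise ValueError("front and back masks must have the same dimensions")
    out: list[list[RGB]] = []
    for f_row, b_row in zip(front, back):
        line: list[RGB] = []
        for f, b in zip(f_row, b_row):
            if f and b:
                line.append(BOTH_COLOUR)
            elif f:
                line.append(FRONT_COLOUR)
            elif b:
                line.append(BACK_COLOUR)
            else:
                line.append(NONE_COLOUR)
        out.append(line)
    return out


def candidate_vias(front: Mask, back_photo: Mask) -> list[tuple[int, int]]:
    """Pixels with copper on both sides: where a signal may change layers."""
    image = false_colour(front, back_photo)
    return [(r, c) for r, row in enumerate(image)
            for c, px in enumerate(row) if px == BOTH_COLOUR]


def to_ppm(image: list[list[RGB]]) -> str:
    """Serialise as plain PPM (P3) so any image viewer can open the overlay."""
    h, w = len(image), len(image[0])
    body = "\n".join(" ".join(f"{r} {g} {b}" for r, g, b in row) for row in image)
    return f"P3\n{w} {h}\n255\n{body}\n"


def blink_frames(front: Mask, back_photo: Mask, cycles: int = 3) -> list[list[list[RGB]]]:
    """Frames for a 'blink comparator': front-only, then back-only, repeated."""
    zero = [[0] * len(row) for row in front]
    front_only = false_colour(front, zero)
    back_only = false_colour(zero, back_photo)
    return [front_only, back_only] * cycles


if __name__ == "__main__":
    front, back = parse_mask(FRONT_PHOTO), parse_mask(BACK_PHOTO)
    print(to_ppm(false_colour(front, back)))
    print("candidate vias:", candidate_vias(front, back))
```

Write the PPM text to a file and step through `blink_frames` in an image viewer to get the alternating front/back view the second comment describes.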
2.4 GHz is "line of sight" - they might have had the 2.4 GHz stuff and found that the radio reception wasn't good enough for some of their stores, so they pulled it out.
The 2.4 GHz stuff appears to be an optional transmit only module on the PCB marked Y2. It's likely an extra beacon signal to the alarm system to tell it a wheel has just locked. You don't get to change the design after certification, but you can omit a tested feature and achieve a second certification in a different configuration at a greatly reduced cost.
I don’t think I’ve ever seen carts that lock in the store. All the stores that use them around where I live just lock the wheels at the perimeter of the parking lot, presumably to keep (usually, homeless) people from stealing the carts.
I've gone into a store to buy ice and didn't go through the checkout, just parked the cart next to the ice case and walked over to the checkout. Going back out the wheels locked up at the door and set off the store's theft alarm. Everyone's looking at me like I'm trying to steal a cart full of ice.
The carts didn't have that label that was shown in the video that warns you to go through the checkout, it looks like they just retrofitted the wheels without any kind of signage.
I've heard the alarms go off in Kroger when a shopper exited ... prolly connected with not going thru a checkout line.
For some reason I was always under the impression that the carts worked on a transmitter system to _remain_ unlocked, and the yellow line was the "range limit" of the in-store transmitter... in spite of how silly in retrospect that entire premise is (how do you even have a straight-edge "end point" to an antenna transmission? even cell towers don't technically transmit "hexagonally", it's just abstracted that way for which of multiple towers has the _highest_ Tx/Rx at a given point on the map and thus is the one you connect to)...
Far too easy to miss a signal, especially in a busy environment and with everyone using cellphones, wifi, etc. It would also drain a battery very quickly. Nobody wants to be charging 100 batteries even once a year. I'm curious as to why they didn't build some crude low power generator into it. I have a Seiko kinetic electric watch that can be charged pretty quickly by wearing it only occasionally.
I don’t know why I got recommended this video, but it was really interesting!
that's why :?)
I wonder how many times the wheels could lock and unlock before the battery drained. We could use something that does that at our price gouging supermarkets in Canada.
Drills or something similar can be fast and relatively quiet. Fix your untied shoe for a moment next to it. Just don't hit the battery. That could be a bit fiery.
I think I would try to find a way to power it with induction power, since people are pushing the cart anyway. That way you have infinite battery and much more leeway in terms of computationally expensive features. Or is my idea completely stupid? I would expect this would make it quite a bit more expensive, but you can track in which aisles the cart stood still. Correlating that with the items actually sold should tell you which items were _almost_ bought, which is probably the most interesting category.
Not stupid, just sliiiiightly more expensive and it seems like the manufacturer was just trying to make the cheapest shit possible
Must resist the urge to go lock all the shopping carts :D
Nice talk! 👌🏾
"Says the do . . . says they doesn't." Loved that!
Shouldn't a super/normal cap and a small motor as generator be a cost-effective replacement for the battery? Extended life and more available power seems good for everyone.
Moving parts and higher BOM cost.
It would be less reliable and more expensive. Unfortunately
@TilmanBaumann Magnets in the wheel and a coil can negate any more moving parts. But that is even more expensive.
I don't know their current lifespan, but with dynamo charging the limiting factor of life should be capacitor life. But then no one would buy new stuff, so yeah. Corporate stupidity and e-waste will prevail.
The 2.4 may be a beacon function for tracking the carts using access points.
Judging by the PCB, it's something which sends only continuous wave information, so I would guess the 2.4 GHz is an option to link with a security system when a cart locks.
You don't need a 3.5mm earphone jack to use a mic and earphone. Any miniUSB, microUSB, or USB-C socket supports headsets. For $10 you can buy an adapter to do this. Thank the folks at Palm for figuring out how to use dropping resistors to signal that. Their Treo phones all did this by sensing the impedance of whatever was plugged in.
It depends on whether the device using that connector even has that ability, hardware-wise. A more consistent method is a cheap af little USB soundcard that can use OTG mode if mini/microUSB or USB-C; it just has to show up as a USB device to the pin mapping.
what a great public speaker
I would have added a small generator coil and magnet to add a bit of charge back to the power system (super cap maybe) as the wheel rotates
But then they last forever!! Silly u ;]
seems like the easiest solution would be to jam the freqs
This whole product is just meant to save the store money, and it probably does its job.
20:58 This. When people criticize us at work for having Windows XP Embedded running on equipment that costs tens of thousands of dollars to replace.
Especially true if the equipment isn't networked. It will work exactly the same today under XP as it did 20 years ago.
I'm seriously jealous of that domain name
Great writeup!
I'd seen something about these carts years ago, but had forgotten they exist...no one is using them in my area, probably because not too many people are stealing the carts from stores that are a long way from where they live. I think one of the murder mystery shows I've enjoyed had a story where someone is found dead in one of these carts, and how it managed to be removed from the store was a large part of the plot.
My store still uses them but they seem to be poorly made because they can go off randomly in the store, and you just have to push a little harder to unjam it.
I'm so glad you have no idea how our products work - an employee
Having a speaker squawking at 8 kHz would be annoying - and unnecessary. All that is necessary is the voice coil - or really any coil of the more-or-less correct impedance to act as an antenna. 😉
That logic analyzer is about twice as expensive as an SDR (HackRF)!
I wonder if this is how Menards can lock the wheels of your cart on the motorized ramps between floors some of their stores have. I didn’t realize it was possible for an embedded loop to unlock the wheels as well.
I've never been to Menards, so no clue if they do it this way: the wheels on the cart are not uniformly flat, but roll on two outer wheels and the middle part is fixed. When you roll on the ramp, the outer wheels fall into grooves and the inner fixed part makes contact and locks it in place.
That would likely require a different design, as the frequency of operation would require some sort of generator to keep the battery charged, and likely a motor mechanism less prone to wear.
I think I understand what you are talking about, and I believe it's far simpler.
By motorised ramp I am going to assume you mean a "travelator", a flat escalator. That's the term I hear down in Aus.
It's really a mechanical lock, the wheel falls into specially shaped grooves in the travelator track that match the wheel's shape. After that, the cart stays still so you don't roll away, but once you reach the bottom the comb will lift the wheel up and allow you to continue normally!
@briannem.6787 Yes, exactly. I didn't know the term for flat escalator.
Good bit of RE!
Is it just me, or is the "Purcheck" audio sample just the coin block sound that is in Super Mario Bros. for the NES?
Small Mallet and a Ball Joint remover fork pops the whole castor off in a jiffy.
Is this a uniquely American system? I have never in my life seen a locking shopping cart.
Take a wild guess.
No I have seen them in the UK
cart is included in the price
"I have no idea why these things were on ebay..."
Step 1. unlock wheel with replay.
Step 2. leave parking lot with cart.
Step 3: list wheel on ebay.
free money glitch?
Depending on how hard they are for the staff to remove, perhaps they’re from a store that closed down? I imagine it’s hard to liquidate your shopping carts when they’re trapped within your parking lot by these things.
what if the battery got charged by the cart's wheel rotation
Now what about kicking the wheel? Or standing on it?? How secure is it then
The unintelligible at 12:10 was probably 'eschewed' (avoided intentionally)
involving your own personal cat.
Can't you just jam the frequencies? Broadcast a blank carrier to overwhelm the signal?
The tones sound like the coins in Super Mario Bros.
My theory on the missing chip is:
1. This is the budget model (the reason that this could be cheaper is they don't redundantize the transmitter, instead using the sub-10 kHz signaling).
2. They are synthesizing the 2.4 GHz just the same as you may synthesize music by generating white noise and then using filters to remove parts until you get the desired signal.
3. Using a coil and capacitor tuned to 2.4 GHz, they hit that with a crude signal, and since the signal is weak enough the FCC isn't going to be worried about the shopping cart knocking out everyone's wifi and Bluetooth devices.*
*= Remember in the early days of radio when sparks were used for radio?
They were just transmitting Morse code, so it was simple pulses of raw interference.
4. A long shot, but maybe using a simple on and off like the single-function radio controlled cars from the 80s: they just went forward and reverse and they used channel 5 of CB, which is 27.015 MHz.
So a simple 2.4 GHz carrier with no content, saving on costs.
The chip as an accelerometer: maybe the wheel uses a stepper motor as a signal generator and so they can just listen for the signal from the wheel that way.
If I was a betting man, the 2.4 GHz would be on the "activator" side. Disabling the lock state at end of day/when the trolley boy comes in via exit only.
As a hobbyist PIC ASM programmer, I can tell you that the community has a habit of browbeating people into turning the security bits OFF.
😂 "We're in!"
Why wouldn't they embed a dynamo so that it can use it as a generator to recharge the internal battery?
The missing 2.4 GHz is most likely a higher-end model that nobody buys because there are no real advantages. Since nobody gets it, nobody on eBay has it.
I imagine that the base model would last like 5 years, but the wifi maybe 2? That alone is a massive disadvantage of the 2.4 GHz.
You need to talk with some ham radio experts. They receive and transmit at these low frequencies.
re: "They receive and transmit at these low frequencies."
Um, not at 8 kHz.
The lowest frequency that ham systems broadcast at seems to be about 135 kHz, at least from a cursory glance. They might have much helpful information, but 135 kHz is much higher than 8 kHz.
@briannem.6787 Um, broadcasting is illegal. Maybe the term that should be used is "transmit".
@uploadJ I am pretty sure "broadcast" means to send a signal which can be received by many, as opposed to things like mobile phone signals where the traffic is mostly intended for a specific receiver. Many activities in amateur radio are about contacting many others, such as seeing how far away you can get a clear response from. So, I'd say amateur radio is almost always broadcast.
@briannem.6787 Broadcast, as, to an audience. Nah. We don't think of it that way. The terms "broadcast" and "broadcast services" take on special meaning outside of casual layman/pop culture use.
31:00 If the device is ignoring signals while it is still, could you jam the wheel and then just lift it over the boundary line to avoid the wheels locking?
Worth trying, but it's probably an accelerometer or vibration sensor on the PCB. No relation to the wheels turning.
Yes, just lift it, that is how I've been defeating it for years. PS: I bring back a lot of random carts... (to make police more redundant :)
...and out in the parking lot is a bunch of these carts with that wheel ground down to the axle because thieves don't care.
Answer to ebay postings question, solved! :)
Imagine being able to track its location and weight.
Bet it can be done with a flipper!
Flipper Zero can unlock those too.
Yes, I came across this shopping cart crap. I never buy bags, I always walk the cart to my car and load it into my car. They lost my trade, full stop.
7:40 because 3.5mm ports are a GOD DAMN SMART PROTOCOL THAT NEGOTIATES WITH THE DAMN HEADPHONES TO FIND OUT THEIR PINNING!!!!!!! Sorry, I just really hate the 3.5mm port.
You could easily do this with Bluetooth. Buy a wireless Bluetooth transmitter/receiver for $10-20 and hook up headphones to use the signal as pre-amp input, whatever; they make every type of connection to whatever other connection wires. Like 2.5 mm headphone male to RCA out, single or stereo; some even do the video like old VHS video. But super easy, super cheap, and you can even build your own WiFi, RF or Bluetooth modules, then buy a rechargeable lithium battery and regulator and choose USB, micro USB or USB-C in, and if you've got a big battery even have an emergency charge 5 V out port in any of those. Then you just sub out a phone DAC like the Apple fire port dongle, 'cause the Bluetooth board runs on 3.5 V and it does all the transactions and DAC output. Super simple. And they are like the size of a Listerine strips pocket pack and weigh about the same. Super small, super light, packed rechargeable Bluetooth that is simple to pair, and the better ones from Anker have both transmit and receive, so having a couple of them you can wire a whole home theater wirelessly, though sound quality won’t be great and you would still need amps, power supplies and to hard wire the boards with a step-down voltage regulator, or again just order the boards and go full MacGyver mad scientist and DIY the 💩 out of it; with one of those and a car amp and battery you can make wireless Bluetooth speakers with a few hundred watts and legit loud subs. Or get a power supply and some amp board and some lithium batteries that hold a dozen or more amp hours and you've got both 120 V AC plugged charging use or a wireless mod. Seriously, how did you get into robotics and all this and just fly over how most people are introduced into electronics, the world of DC, then forced to learn AC basic electronic components, 'cause who doesn’t like music but hate how much the equipment costs, and most of it is cheap crap thrown into a rack box with their brand names slapped on it. Only a few actually design their own boards and stuff.
And even those end up cheaping out and using the cheapest or even bootleg components that won’t and don’t last, forcing you to buy their newer models that have the newest codec processing like Atmos or whatever.
30:45 So, will lifting the wheel at the sensor points disable the protection because it'll be in sleep mode?
I'll try this next time I'm at Food Lion lol
The accelerometer will still detect motion/vibration from the rest of the cart. I don't think it's related to the wheel specifically turning. You should be able to just fry the whole smart wheel using one of those handheld tesla coils though, obviously when it's unlocked.
[inaudible 00:12:10] -> eschewed
Switch this... Lock up all the wheels on purpose.
Punish them for inconveniencing regular customers with broken wheels.
I feel like there are easier ways to shoplift that don't involve hacking the smart wheels of a shopping cart. Isn't wheeling out a shopping cart of stuff just regular theft?
No, this is HACKING!
Deviant Ollam 20 years ago
19:32 reminds me of a Mario coin
I'm deaf, pretty sure he says OSINT at 10:00 for the missing part in the subs.
Yep, sounds like it.
Ah yes now they overengineered a shopping cart wheel.
"alright we're in"
_hyperventilates_
How does it actually lock and unlock? I just see a switch on the PCB, not an actuator.
There seems to be a motor with a wire and a connector. Look around the 25 minute mark.
Free Mitnick!
RIP
Remember 3.5mm jacks? I never stopped seeing them since I'm an electric guitar player
You mean 1/4 inch.
Bubbles gonna be out of a job
You cannot imagine how interesting this is for people like me who live in healthy societies. If a society like the USA, which is totally broken, needs to develop such technology, it says a lot. Great watching, makes me want to burn my passport.
The practical value of this seems pretty low. Do we really think criminals are going to work on bypassing these devices? Unlikely.
36:58 I saw someone shoplifting a whole cart of baby formula! It was so sad. Unfortunately, the store just closed down last week
Some certain special kinds of baby formula are so expensive that they are used by grifter scammers ( bad Romani or Irish Travelers ) as loot to return for cash.
I work for Rocateq and half of what you're saying would not work.
Not quite Dora the Explora.
37 seconds in and too many "uhh"s. I'm sure it's a good talk but I'm leaving.
aaaaaaaaa
Nerrrrrrrrrrd! Jk ❤❤😂
Thieves, a modded Bluetooth speaker and a wav file on your phone. 😉
Or get a real job perhaps, I'm not your mom.
so... Dad?
USA be crazy when they need these kinds of carts. In Europe we don't have the problem of stealing carts.
@19:22 Never gonna give you up, never gonna let you down