This repository houses the results from an initial reverse engineering effort focused on the smart wheel used by various supermarkets. This is purely for research and education on how embedded devices work. I have intentionally not included any firmware dumps in this repo to avoid issues with copyright.
This section showcases a practical example of Lock and Unlock signals that can be emitted through a speaker placed near the wheel. The signals were recorded with a custom-built Very Low Frequency (VLF) loop antenna. More details about loop antennas can be found here.
The universally applied lock/unlock codes for GateKeeper's Smart Wheels are:
Lock Code: 10001110 (Hexadecimal: 0x8E)
Unlock Code: 01110001 (Hexadecimal: 0x71)
You can find a reference to this in the firmware:
Through some brute-forcing (which I will speak about in my blog), I have also discovered an alternative lock and unlock pair which is used by stores such as TJ Maxx.
Lock2 Code: 11000111 (Hexadecimal: 0xC7)
Unlock2 Code: 01111000 (Hexadecimal: 0x78)
Older GateKeeper Systems wheels also have their own lock signal that isn't in the form of the typical packet shown above. Instead it's a constant stream of blips like so:
Using one of the Key tools, I also discovered this specific 8 kHz signal that is sent to the smart wheel:
BIN: 01011010
HEX: 0x5A
Once the wheel receives this it will then return back statistical information including:
- Battery voltage e.g. (3.0 V)
- Cycle Count (how many times it was locked/unlocked)
- Date e.g. (09.19) (manufacture date perhaps?)
- rL e.g. (7.10)
- id1 e.g. (0921)
- id2 e.g. (2358)
This data can also be sent from the wheel via the 2.4 GHz link.
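The codes above are easier to work with if a loop-antenna capture can be turned back into a bit pattern automatically. The following is an added example, not code from this repository: it models a burst as on-off keying of an 8 kHz carrier with a 10 ms bit period and no preamble (all three are assumptions made for the demo, not facts from this writeup), synthesises a constructed capture for each code, recovers the bits from the signal envelope, and matches them against the table above. It also treats the two codes printed above with seven binary digits as 8-bit values with a leading zero, which is what their hex values imply.

```python
"""Added example: demodulate an on-off-keyed VLF burst and match it against the
wheel codes listed in this writeup. The code table is the page's; the air format
(OOK, 8 kHz carrier, 10 ms bits, no preamble) is an assumption for the demo only."""
from __future__ import annotations

import math

# Codes as listed above. Two of them are printed with 7 binary digits on the page;
# the hex values show they are 8-bit codes with a leading zero.
CODES = {
    0x8E: "lock",
    0x71: "unlock",
    0xC7: "lock2",
    0x78: "unlock2",
    0x5A: "stats_request",
}

SAMPLE_RATE = 48_000   # Hz, assumed capture rate of the loop-antenna recording
CARRIER_HZ = 8_000     # Hz, assumed: the page reports an 8 kHz signal
BIT_SECONDS = 0.010    # assumed bit period; the real timing is not documented here
CODE_BITS = 8


def bits_from_code(code: int, width: int = CODE_BITS) -> list[int]:
    """MSB-first bit list, zero-padded to `width`."""
    return [(code >> i) & 1 for i in range(width - 1, -1, -1)]


def code_from_bits(bits: list[int]) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | (b & 1)
    return value


def synth_ook(code: int, silence_s: float = 0.02) -> list[float]:
    """Constructed test capture: carrier on for a 1 bit, silence for a 0 bit,
    with silence before and after the code."""
    spb = int(SAMPLE_RATE * BIT_SECONDS)
    pad = [0.0] * int(SAMPLE_RATE * silence_s)
    samples = list(pad)
    for bit in bits_from_code(code):
        for _ in range(spb):
            n = len(samples)
            samples.append(math.sin(2 * math.pi * CARRIER_HZ * n / SAMPLE_RATE) if bit else 0.0)
    samples.extend(pad)
    return samples


def envelope(samples: list[float], window_s: float = 0.001) -> list[float]:
    """Rectify and box-filter. A 1 ms window spans 8 carrier cycles, so the
    carrier averages out while the 10 ms bit transitions survive."""
    w = max(1, int(SAMPLE_RATE * window_s))
    rect = [abs(s) for s in samples]
    env, acc = [], 0.0
    for i, r in enumerate(rect):
        acc += r
        if i >= w:
            acc -= rect[i - w]
        env.append(acc / min(i + 1, w))
    return env


def demod_ook(samples: list[float]) -> list[int]:
    """Recover CODE_BITS bits: sync on the first carrier burst, then sample the
    envelope at the centre of each bit period."""
    env = envelope(samples)
    peak = max(env)
    if peak <= 0.0:
        raise ValueError("no carrier in capture")
    thresh = 0.5 * peak
    start = next(i for i, e in enumerate(env) if e >= thresh)
    spb = int(SAMPLE_RATE * BIT_SECONDS)
    bits = []
    for k in range(CODE_BITS):
        centre = start + k * spb + spb // 2
        if centre >= len(env):
            raise ValueError("capture ends before the code does")
        bits.append(1 if env[centre] >= thresh else 0)
    return bits


def classify(bits: list[int]) -> str | None:
    """Match recovered bits against the table. With no preamble, OOK cannot
    distinguish leading silence from a leading 0 bit, so the sync lands on the
    first 1 bit; try each right shift that only moves trailing zeros."""
    raw = code_from_bits(bits)
    for shift in range(CODE_BITS):
        if raw & ((1 << shift) - 1):
            break
        if (raw >> shift) in CODES:
            return CODES[raw >> shift]
    return None


def decode_capture(samples: list[float]) -> str | None:
    return classify(demod_ook(samples))


if __name__ == "__main__":
    for code, name in CODES.items():
        print(f"0x{code:02X} {name:14s} -> {decode_capture(synth_ook(code))}")
```

Two things worth noticing when running it: the first lock/unlock pair are exact bitwise complements (0x8E ^ 0x71 == 0xFF) while the second pair is not, and three of the five codes start with a 0 bit, which is why `classify` has to tolerate the alignment ambiguity. A decoder for real captures should sync on the packet's preamble (visible in the typical packet shown above) rather than on the first burst.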
The smart wheels also support 2.4 GHz functionality. In the past it was mentioned by Joseph Gabay at DEFCON that the wheel can be unlocked using 2.4 GHz and that there is likely no locking functionality at this range. It was suggested that it could be built this way by design.
However, I have discovered there is in fact the ability to lock at range. Using a HackRF and an extended 2.4 GHz antenna, I was able to lock carts from around 10-15 meters away.
At 2.4 GHz we also have the ability to send some permission commands to the smart wheel, such as:
- Dwell Command
  - 10 sec dwell
  - 20 sec dwell
  - 30 sec dwell
  - 60 sec dwell
  - 2 rotations of the wheel
  - 4 rotations of the wheel
  - 8 rotations of the wheel
  - 250 rotations
  - 10 min permission
  - 30 min permission
  - 1 hr permission
  - 3 hr permission
  - E Disarm 1
  - E Disarm 2
- Instant Command
  - 30 sec permission
  - 1 min permission
  - 2 min permission
  - 5 min permission
  - 10 min permission
  - 30 min permission
  - 1 hr permission
  - 3 hr permission
  - 12 hr permission
  - AP Unlock
  - AP Lock
  - E Arm
  - E Lock
  - Clear
  - E Disarm 1
  - E Disarm 2
These are yet to be explored further, but there are transceivers that I have confirmed GateKeeper Systems have in place that talk to the Smart Wheel, as evidenced by this screenshot in this manual:
Older builds use an Atmel ATmega168PA.
The newer smart wheels use a TI CC2510 (an 8051-based SoC with an integrated 2.4 GHz radio).
Here is the pinout illustrated:
Firmware has been successfully extracted using the TI CC Debugger tool. I will write a blog post later around this topic.
RevN unfortunately has a DEBUG_READ lock, and I may need to follow something similar to this blog post to get its memory dumped out.
As it stands, the repository's contents are foundational. The goal moving forward is to uncover additional embedded functionality within the firmware that extends beyond a basic replay attack.
If you wish to help contribute or discuss anything feel free to get in touch.