I liked mine so much, it's been laying on my floor since I plugged
-Michael Ducy, On his CueCat
(Want to set up a mirror of this site? Grab this file: cuecat.zip)
(Want to help, but don't have the room for a full mirror? Grab this file: 5minute.zip and put it on your web page)
(Don't want to read through all the techie stuff and just want to remove your CueCat's serial number? Click here.)
Picked up a CueCat barcode scanner at RatShack ("You've got questions. We've got blank stares.") yesterday along with a few other odds 'n' ends. If the store actually carried the stuff in their commercial sales catalog, I'd be a happy camper - I don't need an animated Elvis Presley phone, I need a local source of microcontrollers and specialized ICs. But I digress...
One of the things that has a few people worried is that the clerk at
Radio Shack takes down your name and address in their system before giving
you your CueCat. However, there doesn't appear to be a way of tying
a particular CueCat to a person at the time of purchase (although Digital
Convergence most likely can trace a CueCat back to a particular Radio Shack).
Although each CueCat has a unique serial identifier, each CueCat package
has the exact same barcode on the front (which is what the clerk scans
in). My goal was to find where that serial identifier lurks inside
Opened up the package (threw away the software, natch - looks like it's available here, anyway) and immediately began to open up the scanner.
Scan of bottom side of PCB (click for full-size image)
Scan of top side of PCB (click for full-size image)
And here are two pics of the board with the shield carefully removed
(and the serial EEPROM forcefully removed :-)
(click on either for full-size image)
U1: ATC 93LC46 (serial EEPROM)
U2: Hyundai 90C54-GB189 (OTP/mask microcontroller) - running at 14.7456 MHz
U3: Phillips 74HC373D (octal D-type transparent latch; 3-state)
U4: Utron UT6164JC-15 (15ns asynchronous SRAM, 8K x 8)
U5: Motorola HC4066 (quad analog switch multiplexer)
or a Phillips 74HC4066D (quad bilateral switch)
U6: TI 271C 04T DH10 ? (under foil wrap - ???)
U7: TI LM358 (dual general purpose operational amplifier)
The component that caught my eye was this small 8-pin device (U1) on the top side of the board:
The scan doesn't really show the markings at all, but it's an ATC 93LC46, which is a 1kbit serial EEPROM. Unfortunately, ATC doesn't have datasheets for the device available on their page. Not to worry, as other manufacturers have 93LC46s available, such as Microchip and Holtek. The datasheet for Holtek's HT93LC46 is located here, and it's a closer match than the Microchip unit, as it implements an ORG pin to control how the memory is accessed (in the above picture, the ORG pin is tied to VSS - this would make the unit addressable by 128 8-bit words if it was actually a Holtek 93LC46, but the ATC unit appears to be setup the opposite way - more on this later...).
A sharp-eyed firstname.lastname@example.org commented "Looking at the board pads near the EEPROM it appears they are used during the final test to program in the serial number. In cuecat2b.jpg the pads to the right show small indentations as though probes had been used to power-up the board and program it during final test."
The first thing I tried was removing the 93LC46 from the board. However, I'm really not equipped to desolder SMT devices, so this was rather futile. So I simply soldered some wirewrap wire onto the pins to see what's going on. I hooked my trusty scope up to them and found that the data is read out of the 93LC46 only on powerup of the CueCat (about 100ms after powerup, to be exact).
After this, I tried hooking up the 93LC46 to a PIC microcontroller (with a little bit of code that I whipped up) to see what lurks inside the serial EEPROM. Unfortunately, I managed to wipe the contents of the EEPROM (looks like it reads back all locations as 0xFF now). Oh well, at least I don't have that pesky serial number in there anymore. :-)
Unfortunately, hooking up a microcontroller to erase the EEPROM is a little out of range for your average privacy-concerned individual. I'm guessing it should be possible to disable the serial number by cutting the CLK line to the EEPROM, which should be easy for anyone with a keen eye and a sharp X-acto knife.
I'll have to wait until I get another CueCat before investigating what's inside the EEPROM. In the meantime, I've been looking to find exactly what EEPROM data areas are being scanned. WIth my trusty Tek TDS 210, I took a closer look at the CS (chip select), SK (clock) and DI (data input) lines. For those interested, the 93LC46 is an SPI (Serial Peripheral Interface) device - it uses a synchronous serial line to transfer data (your computer's serial port is asynchronous and doesn't use a separate clock line). The CS line is used to tell that particular chip that it's being talked to, otherwise it will ignore data being sent to it.
Anyhow, the 93LC46 is sent a total of 9 commands (they are all read
commands, but more on this later). The CS line goes high a total
of 9 times (the first CS 'pulse' is extremely long, as the CS line goes
high as soon as the CueCat is powerd on), and I used this as a baseline
to see what was happening on the SK clock line (since my scope has only
2 channels, I can't look at every pin at once). I noted that there
were 27 clock pulses during each CS 'pulse', and I could see a gap between
clock pulses where the CS line went high-low-high. So I hooked up
the SK and DI lines to the scope and took a look at exactly what bits were
|CS 'pulse'||data clocked in|
OK, now the first thing to note is that the leading 0 is basically garbage,
as the first 1 is really a start bit (and not yet the beginning of a command).
Also, the trailing 1s aren't really bits sent to the EEPROM - these are
clock pulses provided for the EEPROM to write out its data on the DO line.
So what we really have is a command like this:
...followed by a high DI line. The first two bits are the command, followed by the address. In the 93LC46, '10' is the read command. But what's this? We only have 6 bits to define the address and a lot more than 8 clock pulses after the command is sent - the EEPROM must be organized as 64 16-bit words!
So, the microcontroller reads in a total of 9 16-bit words from addresses 0x01 through 0x09 (I have no idea why they didn't start at 0x00). Note that in this sample scan
000000001175023101 UPA 040293153502
that the serial ID field is 18 characters long (or 9 16-bit words). I wonder if they're hiding anything nifty in the other 55 words? And why did they use a serial EEPROM? I would think that something like Dallas Semiconductor's silicon serial number would be a smaller, cheaper, totally non-volatile alternative, but maybe this gives DC better control over assigning IDs (perhaps there's a 'special' bar code that can be scanned in to rewrite the EEPROM?). I'm glad they used a 93LC46, though - you can desolder them and use them for other stuff...
Anyhow, I'm now itching to try disabling the serial ID by cutting one of the traces to the 93LC46 - I don't have a virgin CueCat to try it on, but if anyone wants to give it a shot, cutting any of the traces as shown by the yellow 'cuts' in this photo should disable the serial number (or give floating voltages to really whack out what the microcontroller is reading back - you may even be able to get some 'random' serial numbers generated in this way).
Cuts from top to bottom disable the DI (data in), SK (clock), and CS (chip select).
Or, you can slice this line by the microcontroller to sever the DO (data out) line (I'd be inclined to try this one myself - the floating voltages could be fun here). Remember - you should only need to cut only one line to disable the serial ID - take your pick.
Thanks to email@example.com for verifying this technique:
" I just de-soldered the DO line(pin 4) of the 98LC46 (left it floating) on my 68-1965 CueCat and it worked great. Instead of getting the serial number, It returns garbage:
Seems to be constant. They probably have the line pulled either high or low inside the Hyundai chip."
But I'll let the pictures do the talking:
Undersides of CueCats - 68-1965-A on top, 68-1965 on bottom
Scanning 'orifice' - 68-1965 on left, 68-1965-A on right
Innards - 68-1965 on left, 68-1965-A on right
And now for the fun stuff...
Bottom of model A with lower plastic lid removed
Top of model A
Bottom of model A with metal shield removed
Top of model A with metal shield removed
Removing the metal shield from the board is easy - you simply need to desolder 4 different tabs on the plates (desoldering braid works very well for this).
You'll note that the components on the model A have been simplified significantly - there is no more clear plastic lightpipe, the receptor appears to be a much more robust unit, the shielding is much more suited to large production runs (machine-insertable and solderable), there are fewer chips, and the board size has been reduced - certainly a more economical unit to produce.
So, what makes the model A tick?
U1: Toshiba TMP87PH47U (OTP
U2: TI HC4066 (Quad bilateral analog switch)
U3: Intersil CA3140 (BiMOS operational amplifier with MOSFET input/bipolar output)
U4: TI LM324 (Quad general purpose operational amplifier)
U5: ??? S93C4 (serial EEPROM)
Strangely, there are no manufacturer markings on chip U5, and I can find no references to a '93C4' semiconductor anywhere.
The mystery chip
Despite the lack of clues based on the chip markings, I have a feeling that this is a serial EEPROM like the 93LC46 used in the earlier model CueCat, given that
Also, firstname.lastname@example.org pointed me to a very nice site to find chip data: http://www.hitex.com/chipdir/
Well, let's see if we can in fact disable the serial ID by slicing an appropriate line. I took a virgin model A (thanks Bill) and first scanned in a barcode to see what the normal output would be:
000000000130728002 UPA 040293153502
After this, I cracked it open and decided to chop the DO line as such:
Swiping the unit over the same barcode now yielded:
decode: Bad data
Aw, poop. It seems this works a little too well. Or does it? I then ran the output through the great Larry Wall's frighteningly compact perl decoder (which he calls the 'tattooable version'):
printf "Serial: %s Type: %s Code: %s\n",
$_ = unpack 'u', chr(32 + length()*3/4) . $_;
$_ ^= "C" x length;
and got this:
Serial: ------------------ Type: UPA Code: 040293153502
Success! Apparently the 'validity' of the serial number is entirely dependent on how the particular decoder program processes the encoded string. (As a note, Michael Rothwell's latest decoder, FooCat v0.1.2 now processes a 'declawed' CueCat string without error)
So, what's next? Well, I'll be working on adding a button to turn
on the unit (thus conserving power for laptop/portable users), I'll add
in an enable/disable switch for the serial ID, and I'll be checking the
total power draw of the unit (to see if it will work with this little gizmo:
Hacking Cradle) So stay tuned!
"There's another cuecat model amongst the world as well as the two you have on the dissection page. Though the part number is still 68-1965-A, the sticker on the bottom reads '06A000' in purple ink. It bears a great similarity to the 05A00, though there are some notable differences.
The top of the unit has two more capacitors: one to the right of the potentiometer (which I recently discovered from a barcode mailing list controls scanning speed), and one to the write of the crystal. The circuit board says (HM+H Rev 1.1) with 016-000370-10208 beneath that, and the crystal says 'S24.000' (which I assume is 4mhz prefixed by a part #). Etched on the board on the bottom (below the shielding) is "MB-BR338HM R1.1"
The backside is also quite similar, though the CPU appears to be custom now and is encased in a blob of epoxy. The rest of the back and front appear to be the same (same chips as well), though I don't have my soldering iron handy so I can't check beneath the shield. The only other difference I noticed with that the circuit board that provides power to the LEDs has "2300" instead of "1700" on it. Everything else appears to be the same."
Ben followed up with a claification on the potentiometer: "By the
by, the current conclusion on the potentiometer is that it controls the
gain (which affects the scanning speed in some cases...)"
Stephen Satchell pointed me to his excellent site where he actually dissects the CueCat barcode 'Cue' itself. If you're wondering how the information is actually encoded in a bar code, check it out: http://www.fluent-access.com/wtpapers/cuecat/index.html
email@example.com sends this rather ironic discovery:
"Here's a slightly amusing lil' tidbitty for ya from Netcraft:
www.digitalconvergence.com is running Apache/1.3.12 on Linux"
...although he notes that radioshack.com is running IIS. Not terribly surprising, I suppose.
firstname.lastname@example.org pointed out a page showing how to (re)program a 93c6 serial EEPROM using only your parallel port: http://www.unix.cslab.tuwien.ac.at/~ackerman/faz_eep.htm Now you can change your CueCat serial ID to whatever you want!
And David Forbes notes that DC's EULA (http://www.digitalconvergence.com/ula.html) not only states that the CueCat is only 'on loan' to the user, but also that "you may not reverse engineer, disassemble, modify, rent, lease, loan, sublicense, or distribute the :CueCat reader". Oops. In addition, I'm supposed to notify DC "of any information derived from reverse engineering or such other activities, and the results thereof will constitute the confidential information of Digital:Convergence that may be used only in connection with the Software and :CueCat reader". Well, here's your notification, I guess. "Your rights under this License will terminate automatically without notice from Digital :Convergence if you fail to comply with any term(s) of this License". I had rights? Really? How very nice of them! Since my rights are now terminated, I guess they'll be knocking on my door any day now to get their stuff back...
Finally, I've had several inquiries as to how much it actually costs
DC to produce a CueCat. I honestly don't know enough about large-scale
electronics production to hazard a guess (though I've heard guesses of
around $5 ea.). If anyone has some actual cost data or thoughtful
estimates, I'd be interested to hear it!
And now for some more hardware info:
|Pin||Function||Wire Color ('A' model)|
|3||ground||green and black|
|4||power (+5 volts)||red|
|shell||shield||black and green|
Note that the blue and yellow wires don't connect to anything on the mini-DIN connector (though there are traces on the circuit board that go to these pins).
I chopped the red power line on my model 'A' and hooked up my multimeter
inline with the unit and found that it draws only 22.5 mA - looks like
the Happy Hacking
Cradle will work quite nicely after all! Anybody out there have
one for their Palm? I figure this is a solution just waiting to find
the right niche... (Inventory? Grocery shopping?)
I managed to get a copy of the datasheet for the Hyundai microcontroller used in the 68-1965 model (the link waaay up at the top of the page for the micro has been updated as well).
Several people have asked how I've gotten such clear high-res pictures of the circuit boards. Well, I have a prototype Minolta with a custom ground Carl Zeiss lens, a digital camera back and... Oh, I'm a rotten liar - I tossed the boards onto an HP ScanJet and scanned them in at 600 dpi. For the regular shots I used an Olympus C-2000 Z (quite a nice camera - only thing I don't like is that it uses these 'SmartMedia' cards instead of the CompactFlash cartridges that normal people use - takes forever to get images off of the floppy adapter...).
Yet more software has been poppoing up lately - Azalea Software has released AzaleaQTools, which is a nice little bundle of software (for both Linux and Windows! with source!) that can be used to create barcodes compatible with the CueCat (which Azalea craftily refers to only as a "recently released free or low-cost scanner"). Nab it at http://www.azalea.com/QTools/
Stephen Wooding has put together some Java classes to handle the data generated by the CueCat (as well as a sample program that utilizes them). Snag it from http://popbeads.org/Software/CCScan/
I wonder if DC has gotten the idea that they've lost the battle?
Mega thanks go to Sean Kauffman, who supplied these pics of the 07A00:
Note that this version is one of the 'epoxy-blob' CueCats, and it's simply a cost-reduction technique as DC appears to be continually refining and further simplifying the design - it's certainly a cheaper unit to produce in quantity than the original 68-1965! I'll take a closer look at the pics later and see what can be done to 'declaw' this version... (anybody got access to an X-ray?)
Several people have noted that DC's EULA seems to be changing as they see fit... Note that the EULA that is posted at http://www.wizkid.org/cuecat/index.htm and the current EULA at http://www.digitalconvergence.com/ula.html don't quite match up... Specifically, they added bits pertaining to the CueCat hardware itself, which was originally not even mentioned in the EULA. Dunno about anyone else, but switching around the EULA as such seems like a really slimy trick. As Michael Ducy stated, "What license am I bound to? The one that was up one digital's site when i got my cuecat or the "revised" one?" Have a look at Michael's site here: http://s1066194.umsl.edu/cuecrap/index.html and the Slashdot story here: http://slashdot.org/article.pl?sid=00/09/18/1129226&mode=thread
Also, I had to grin when I saw the "What's New" heading on DC's main page: "On Sept. 15, 2000, Digital:Convergence Corporation experienced a security breach that may have exposed certain members' names and email addresses. The company was alerted of breach efforts by Peter Thomas at Securitywatch.com. The company has secured the site and is conducting a thorough security examination." Although their press release made it sound like they were actively cracked, it was really just a case of being sloppy - they really should know better than to keep user information in a plaintext file easily accessed from their website...
Michael Rothwell was interviewed on Internet
News Radio - check his site
for the MP3...
David Bilodeau noted that "the code on the bottom is very similar to Radio Shack's own method of date coding the manufacture of its items - 05A00 is May, 2000. 07A00 is July, 2000, etc. Can't remember what the "A" is but it might just be the May "A" run, and then if they ran more in May it would be 05B00, etc."
Tim Kerby, who hails from Scotland, shares his insights on the actual
workings of the CueCat:
"I'm going to try and reverse engineer their microcode and write my own on the PIC microcontrollers. With a serial eeprom (put to better use) you could make the unit standalone like the expensive symbol readers for home shopping and store barcode scans. Looking at your page my first thoughts were that the cat read into the ram on the early versions at a very high clock rate and decoded from there with the microcontroller but the newer cats don't have the ram. My other thought is that the analogue switch could be used to gate the input after reading the timing the start character but there is not a constant swipe speed. Instead it must multiplex the keyboard and cuecat so the keyboard is effectively switched off while the cat enters data. After closer inspection here is how I think the thing operates (newer model):
And if anyone hasn't seen this goodie yet, here's Pierre-Philippe Coupard's instructions on making a CueCat RS-232 pod. I was a bit confused from seeing that Pierre hadn't used the clock line in any way, and when I asked him about it he replied: "John Rigby, the author of the original hack, clocked several CueCats at around 8000 bauds quite reliably, so I assume the speed is preset." Neat hack! Pierre also cautions that it may not work with all machines: "I can tell you right now that more than one computer will not work with it : the signal that the 7404 spits out is TTL, and so the pod relies on the PC to be able swallow TTL on the RS232 line."
Finally, although I've heard from many happy people that have successfully
'declawed' their CueCat, I have yeat to hear whether or not a 'declawed'
unit will still work with DC's software - if anyone has info, please let
Jack Andrews contributed the following scans of his CueCat innards (06A00):
Charles Sullivan sent in these of his 06A00:
Note that it's similar to Sean Kauffmann's 07A00, but Sean's has the designation (FM+H Rev 0.3) screened on the board while the above shows (TM+H Rev 0.3).
Minion has been doing a little work on creating a Win32 decoder - his site is at http://www.jaggedsoft.com/cuedog/
Several people have also confirmed that a declawed CueCat will still work fine with the CRQ software.
Glenn Powers is giving DC hell over the fact that they are sending out unsolicited CueCats via the USPS yet their EULA still claims that the item is on loan...
Wayne Buckhanan passed on his findings on the pinouts of the CueCat
I have one of the ones you identified as 68-1965, two screws, etc.. I yanked the cord off of mine and checked the wires and I thought at first there were two of the six pins that weren't connected like you reported, then I had a flash of thoughtfulness and ran back and checked the female connector that is the pass through, it has those two lines hooked up as CLK and DATA on the female connector, along with the power and ground. My guess was that the cue cat inhibits the keyboard from sending data by just twiddling those two lines as appropriate (I've been
reading about keyboard interfacing lately, but it hasn't sunk in far enough yet to tell you for sure that the computer takes the data line high and the keyboard waits for it to stop doing that to start clocking).
Phill K dropped me a line regarding CueCat versions and electronics
You mention that the model A with the toshiba cpu comes after the one with the hyundai cpu. I respectfully disagree.
I have worked in a large surface mount factory (SMT) that builds many different assemblies for different customers who outsource their production. I worked as a test/QC/production technician and offered suggestions on how designs might be simplified and improved.
The model A is just that - a model A. The first give away is the cpu choice. The toshiba CPU is more complicated and offers more power, where as the hyundai cpu is a simpler 8051 variant that is going to be cheaper and easier to get. Also, look at how many screws are used to put the back on - 2 versus 4. That makes it quicker to put together (important when you do a large quantity, like millions). The single led and single plastic photodiode with light pipe is going to be less expensive than 2 leds and metal housing photodiode. It is more cost effective to have the strain relief part of the housing than part of the cable. I haven't seen a machine that "inserts metal shields", and am pretty confident that it is done by hand. It would be quicker to tape something on. It is more cost effective/easier to have a single board rather than a separate board for the leds and have to
connect that with wires to the main board.
But the clincher to the argument has to be the scanning orifice. Take a look at the photos on the web page side by side. The scanning orifice for the "model A" is larger and the housing looks like it was designed for that originally. Looking at the smaller orifice you see that it is half the size but yet the housing is still the same size as for the larger one. Why isn't the housing smaller if it came first?
The only problem I have with my own argument is the RAM. Because the ram is a pricey part. But chip supplies have been increasingly tight this last year, and it may be that it was more cost effective to have an 8051 plus ram rather than just the toshiba cpu. adding the ram is why there is the 74HC373.
The Toshiba CPU could cost three bucks. But the 8051 could be $.75, the 74HC373 $.25, and the ram $1.00 (guesstimates), thus you would save $1.00. Take away a led and use cheaper photodiode you save another $.75. Even though the board is a little bigger, the fact that it is a single piece is a big plus.
It's true that the blob-tronics are a cheaper design. My guess is that this is the "middle version".
I saw an add in the newspaper for these. On the ad they said they have "10 million ready to ship". That is allot. It is entirely within the realm of
possibility that the have two plants making these simultaneously. The hyundai cpu version made, and another making the blobtronic version. Even if one was more expensive than the other, it might be more important to achieve quantity rather than savings. Another factor is that there are allot of part shortages going around, so if they had two designs, they wouldn't be hung up on production if they couldn't get a part.
Also, it is clear that they wanted the cuecat to scan _any_ barcode. So while the model As are a simpler design, the addition of a lens in front of the photodiode in the hyundai version probably makes it perform better. And adding the ram gives you a chance to do more work on the scanned data, again increasing performance.
I could be wrong, but the hyundai version seems like a more refined design. It would be interesting to compare the two to see which one was better at scanning in different conditions with different barcodes, and see which one is more accurate. Like with a bright light shining on the cuecat, as I think this is why there is the black cardboard in the hyundai version. Some mice will stop working with bright sunlight shining on them because light "leaks into" them. I only have the hyundai cuecat, and can't spend too much time on this. But it would be interesting to get other people's thought on this.
Sherrod Munday wrote in with some very interesting info on the small 5-pin serial ID chip that is showing up on some CueCat revisions. Note that U5 is the normal 8-pin 93LC46 and U6 is the smaller 5-pin device that fits in the same spot on the board.
Physical Description and Layout
On the 07A00, U6 is a small, 5-legged device with three leads coming out of one side, and two on the opposing side. Markings on the image submitted by Sean Kaufmann show L00F, while my unit showed L071. There are no other identifiers present on the chip.
With the board oriented so that the silkscreened "U6" is right-side-up, the three-legged side is on top, and the two-legged side is toward the bottom of the circuit board. Immediately adjacent to the chip are eight unused pads on the circuit board: they are spaced out to accept a chip the same size as the ATC93LC46 (used on the original model 68-1965). There are four pads on the right of the chip, and four pads to the left.
Pinout: I'll use letters, since I can't tell which is pin one on the chip (I know, this isn't very good, but I can't tell anything about the chip). This layout is given with the PCB in the same orientation as described above -so that you can read "U6" right side up.
A B C
A To pin 4 of the orientation of U6 on the 68-1965A (Upper right pad, closest to uC)
B Ground. It's connected to a Thru-hole that goes through board to ground plane
C To pin 2 of unused pads beside chip, using pad pinout as described on pin A above
D (Not connected)
E To pin 8 and 6 of unused pads. (Lower-left corner, farthest away from uC). Also connects to +5 VDC source.
So it's apparently a 4-connection device, with 2 for power and 2 for data.
I don't see a serial number data pattern on my scope upon power-up. I do find a clock-type pattern (quite regular) on pin C each time I run a bar code. The pattern is only present immediately prior to the output generation of the serial data to the computer. Pin A seems to be used for the serial number output of U6. I couldn't get a good enough read on my scope to determine its format, though. Since everything else is so similar to the original 68-1965, I'd be willing to wager it's stored on the chip in the same way. Both Pin A and C are normally high (+5Vdc), and are pulled low during pulses. Based on observations, I'd guess Pin A is Data Out and Pin C is Clock.
Therefore, the pinout would be:
DO GND CLK
My only lingering thought is that the chips may have come already pre-serialized prior to installation, and that "N/C" pin really would be Data In. Of course, if this device allows writing on the Data Out pin based on the voltage present, who knows...
Since I'm not one to go cutting traces unless it's necessary, I used desoldering braid to simply remove the chip from the PCB.
Cuecat version 07A00 is now declawed. Fairly simple, yes?
Note that declawed version 07A00 outputs the same S/N as the first 68-1965A that you reviewed. So apparently, even though they seem to have gone to a custom microcontroller and changed the serial data chip, the functionality is the same.
Out of curiosity, I tried placing the ATC93LC46 chip from my original model 68-1965 into the correct orientation on the 07A00, hoping it would pick up the identity of the older unit. No luck.
My next project, if I'm daring enough: To Dremel-tool off the epoxy
from the uC and find out what it is. Hopefully I could do this without
Jack Hintry noted that his CueCat has the same 5-pin chip, but with the inscription 'M00P'. I'm wondering if the lettering on this device (so far we have M00P, L00F and L071) is shorthand for the serial number contained inside. Could this be something like Dallas Semiconductor's silicon serial number?
Finally, here's a very simple mod that's perfect for laptop/portable
The button is just a small pushbutton I picked up from Radio Shack (while snagging another CueCat, of course). Snip the power line (red on the 'A') and run wires up to the switch. Press the button, whisk it past a barcode, release button. Minimal power draw! Only problem I've had with it is on bootup - if you don't hold the button down (to power on the CueCat), the BIOS spits out a keyboard error. This is on a desktop, though - on a portable it would probably be fine.
Rothwell has gotten a reply to the letter he sent to DC's lawyers,
but it's just as vague
as the first one. Not too surprising, I suppose.
Checked up on Michael Rothwell's page, and Stephen Satchell has some interesting thoughts on DC's rationale for who to send nasty letters to - it seems that DC may primarily be trying to crack down on software that is used to "establish links between barcodes and Web content". That is, if your software takes a bar code and fetches a particular web page based on that input, DC gets mad. Stephen is also guessing that the firmware revision number is embedded in the CueCat serial number - read more here.
But enough about that, back to hardware. A.D. (who apparently
has some really fun toys at work) was kind enough to bombard his CueCat
07A00 FM+H Rev 0.3 board with radiation in an attempt to see what's hidden
under those blobs of epoxy. Although the resolution isn't quite enough
to give much information (you can just barely make out the circular epoxy
blobs), it still makes for a very cool picture!
Jack Hintry supplied the following pictures of his board with the mysterious 5-pin serial number device:
Note that Jack has successfully declawed this one by slicing through
one of the traces (this is presumably the DO line for this device).
Can anyone identify this mystery chip?
Anyhow, this would seem to invaildate Stephen Satchell's theory that
DC's beef is with software, as I've been careful to focus only on hardware.
Look, guys, you don't control the hardware - you're giving it away.
Please grow a clue.
Anyhow, at my employer's request, I took the entire site offline and moved the page and files to my own personal server (air-soldier.com). The last thing I want to do is legally endanger my employer in any way - this is my fight, not theirs. So now that the page is on my own machine, hopefully I'll get a personalized letter from Mr. Rosini.
The site now has a great many mirrors - a big thanks to everyone that has set one up - you guys are helping keep this information free. Rather than list them all, check http://666pack.org/cuecat/Mirrors.asp for a very comprehensive list of cuecat-related sites and mirrors. (And by all means, if you're running a mirror, add it to the list!)
DC has now royally pissed me off, and I'll be putting even more effort
into toying with this wretched little plastic beast. In fact, I've
now created the 5-minute guide to declawing all the CueCat models: 5minute.html.
You don't need to know a thing about electronics - now anyone can easily
declaw their CueCat. If you want a copy to put on your own web page
or mail to a friend, grab this file: 5minute.zip
I noted with interest Wallace Lee's comment on Slashdot - apparently Wallace had sent a message off to DC asking for a method to return his CueCat as he didn't agree with the EULA:
Today, I got this response from Charles Richardson of DC.
Cat is yours to do with as you please. I would suggest that you give it
to a friend if you do not want this for yourself. I'm sorry but we have no
way for you to conveniently return this to us.
PM 9/28/00, you wrote:
>Submitted: 09/28/00 at 06:00 pm:
>Name: Wallace Lee
>Heard from: magazine
>I recently received a ":Cue:Cat" device with a magazine subscription.
>I do not agree with your EULA, and I would like to return it to your
>company. Please provide me with shipping instructions, and a prepaid
>shipping container or label. If you can supply me with such an item,
>please e-mail me email@example.com. Otherwise, I will destroy the
>:Cue:Cat device or play around with it as I am considering it an
"The Cat is yours to do with as you please". Huh. Given the letter I got, I'd beg to differ. So I sent off a message to Mr. Richardson:
Mr. Richardson -We'll see what happens. I'm guessing I'll get no reply on the matter.
I noticed Wallace J. Lee's post to Slashdot regarding the inquiry he made
to Digital Convergence's tech support:
>I recently received a ":Cue:Cat" device with a magazine subscription.
>I do not agree with your EULA, and I would like to return it to your
>company. Please provide me with shipping instructions, and a prepaid
>shipping container or label. If you can supply me with such an item,
>please e-mail me firstname.lastname@example.org. Otherwise, I will destroy the
>:Cue:Cat device or play around with it as I am considering it an
Your reply read as follows:
>The Cat is yours to do with as you please. I would suggest that you give
>it to a friend if you do not want this for yourself. I'm sorry but we
>have no way for you to conveniently return this to us.
If the 'Cat' is truly 'yours to do with as you please', then why have I
and others received threatening letters from your company's attorneys for
doing precisely as I please with the hardware? (see
http://www.air-soldier.com/~cuecat under the date heading 29SEP2000 for a
copy of the letter).
I eagerly await your clarification of the matter.
- Michael Guslick
Anyhow, back to the hardware...
Hex has done some fantastic work testing the CRQ software and virgin and declawed CueCats. It's well worth a read: http://w3.one.net/~hex/wand.htm. The ZoneAlarm software that Hex speaks of can be snagged at http://www.zonelabs.com and the information on what keys the CRQ software places into the Windows registry can be found at http://privacyfoundation.org/advisories/advCueCat1.html
Jonathan Buzzard figured out what the 4066 quad bilateral switch is
used for in the CueCat:
"I notice some discussion on what the purpose of the 4066 Quad bilateral switch is for in the :CueCat. The purpose is to break the Keyboard clock and data
lines between the keyboard and the computer.
Roughly when the :CueCat (or any other keyboard wedge device for that matter) wants to send some data to the computer it opens these switches breaking the connection between the keyboard and the computer. The onboard microprocessor will then pull the clock line low on the keyboard side to prevent the keyboard trying to send any scan codes to the computer. The onboard microcontroller then sends the keyboard scan code data to the computer as per normal. When this has finished it closes the switch and lets the clock line go high again.
Obviously the microcontroller has to watch the clock and data lines so that it does not break the connection between the keyboard and computer when they are in the middle of talking to one another. Hope this helps."
Leonid Broukhis has been toying a good bit with comparing differences
between firmware revisions on the CueC... er, a 'certain free barcode reader'...
The revisions (apparently noted by the last two digits of the serial number)
do differ slightly in the types of codes that can be read - see his work
Leonid has even managed to create a barcode that returns random garbage
with a rev.02 scanner!
Shakki pointed me towards this interesting post: http://www.topica.com/lists/pla_upl/read/message.html?mid=1702776249
Apparently, it's possible to disable the CueCat's (ridiculously weak) encryption
by tying a particular line of the microcontroller to +5v. Seth Henry
confirmed that it does in fact work - I'll give it a try myself later.
Louis Papineau has found yet another bug in the CRQ software: "When you install the software, it asks which browser you want to use. I have both IE5.? and Netscape 4.72 installed, IE being the registered browser. I told the CRQ software to use Netscape. I checked the registry and it is confirmed that it should use Netscape.
However, whichever browser you have open is the one it will use,
not necessarily the one you have chosen."
And lo and behold, Charles Richardson actually replied to my email:
This is not a support issue. We do not have a way for a customer to conveniently return unwanted Cats. I do not intend to engage you in a discussion involving the legality of my response.
To which I just replied:
"I see. Can you recommend someone at your company that _can_ discuss the legality of your response to Mr. Lee's inquiry?"
Being that he's in the support department, I probably should have additionally asked if board schematics or microcontroller code was available :-)
Charles replied promply once again:
I have escalated your previous message to my management. I'm certain that it will reach a level where someone might respond to you. I do not intend to reply to any further messages from you about this. Since this will without doubt be added to your web page let me end simply by saying "Hi Mom!"
This message too will be escalated. Good Day Sir!
Well, at least someone over there has a sense of humor...
Thanks Charles, I appreciate the help.
Seth Henry has set up a web page showing how to perform Jeff Dobkin's encryption removal hack on a CueCat (just updated with info on older boards). Michael Rothwell also has this info mirrored at http://www.flyingbuttmonkeys.com/foocat/cue-decrypt/
Joe S is eagerly awaiting his cease & desist letter now that he's created a cold fusion script to decode CueCat output: http://devex.allaire.com/developer/gallery/info.cfm?id=71C8BC46-9499-11D4-AAA700508B94F380&method=full
Braddock Gaskill has a site up about DC and the CueCat as well as a little info on the other device (the audio cable that most people have overlooked) that DC is distributing: http://braddock.com/dc/
Oh, and I'm in one of the latest news articles, too... (grins proudly)
I started a list of everyone who's gotten nastygrams from K&K here. If I've missed anyone, let me know...
Hopefully I'll be able to redo this page sometime soon - it's getting
Jason Andrade has a mirror up for the Aussies (the site isn't available internationally, it seems) here and here. Among the many things that I need to do, setting up a nice mirror list is among them...
Just in case Allaire takes a dim view of Joe S's cold fusion scipt, the files are here.
Minion added a pic and instructions to his page
showing how to perform the decrypt hack on a 06A00 CueCat (note that units
with the same date sticker don't necessarily use the same PCB).
Bill has a great hardware site up at http://cexx.org/cuecat.htm where he shows how to perform serial number removal and encryption removal using his (TM+H Rev 0.3) as an example. He also notes some odd behavior when jumpering +5v to a particular processor line.
Matt Purgar has whipped up a Visual Basic .BAS module to handle decoding for anyone who would like to understand how it works: http://longisland.poly.edu/~mpurga01/DecodeCAT.zip
Happy Hacking Cradle users, rejoice! Tom Zerucha has coded a little
program for use with the CueCat. Check the bottom of http://www.execpc.com/~tz/
And it's even GPL'ed!
First off, Bob W was inspired by A.D.'s x-ray, and did some playing
of his own with some equipment that he has access to. He writes:
I've got a pic of each of the blobs, and one sort-of wide angle shot of most of the board. I didn't want to zoom out all
the way on the entire board 'cause the xrays coming through around the board (where there was nothing to block them) were starting to over-power the display at that point.. Waay too much bright white.. But hey, some neat pix! The titles are kind of explanitory.. :-D They are taken with the black epoxy - blob side facing up, and the LED detector pointing towards me. (wires away from me)
Fantastic photos - thanks Bob!
Chrylis has done a little bit o' Perl coding - grab his script here,
and read the following for a bit of info:
"Hey, I grabbed Larry Wall's disturbing script off of your page and played with it some. Since Azalea's fonts return the requested data in an encoded form (see the PDF), I figured it might be nice to have a decoder for it. So after a few painstaking hours of figuring out how to restrict the input sequence to one line (use <STDIN>), I managed to put together a script that will take as input one swipe from a CueCat of Azalea barcode data (everything else comes out native) and will return that number you originally typed into the little program to get the barcode string.
I discovered a rather disturbing behavior of our favorite feline
as well; some barcodes don't scan correctly left-to-right but scan fine
right-to-left. Try "234567" and "23456789" in Azalea coding for examples."
For those of you with the 2-screw model (68-1965), Seth Henry dug up this hack (I'm not sure who to properly attribute it to) that will decrypt your scanner's output:
The 2 screw case, Hyundai CPU version can be converted to plain ASCII output by lifting pin 10 of the Hyundai CPU. Pin 10 is normally connected to ground, so if you solder a wire from 5v to pin 10, you will have a short! Do not do this, instead seperate pin 10 from ground. When pin 10 is unsoldered (or cut), it will float high, no need to solder it to anything.
Pin 10 can be found on the lower right side of the bottom row of
pins when orienting the CPU so that the word "Hyundai" is right side up.
Pin 11 is the last pin on the right of the bottom row. Pin 10 is just to
t of pin 11.
There is a short length of PCB trace between pin 10 and the ground plane. This can be cut with a sharp knife, or one can use a soldering iron and desolder ing braid to remove the excess solder on pin 10, then gently pry it up with the tip of a sharp knife while heating with the soldering iron.
If you're good with the soldering iron, you can solder a wire to
pin 10, connect it to a switch, then use the switch to convert from normal
encrypted out put to plain ASCII output. Pin 10 is only read by the
CPU at power-up and reset, so you'll have to either unplug and replug the
keyboard connector, or momentarily connect pin 4 (pin 4 is the reset line
of the Hyundai CPU)
to 5v AFTER changing the switch on pin 10 in order to get the output format to change.
This modification has been verified on board version: K023A016 REV:C
date code: 0024
If you've tired of playing with your CueCat and would just like to destroy
the thing, get in touch with Dr.
Cliff - he's willing to put up a webpage
of 'altered' units in the vein of some of his other, ahem, projects....
I swear, is there a programming method that hasn't been used to decode
the CueCat output? Brandon Hall pointed me to his implemenation in
Flash (requires the Flash 5 plugin), named appropriately FlashFeline
(source can be snagged at http://chattyfig.figleaf.com/source/FlashFeline.fla).
"I know it could be done much more elegantly using the lookup table rather than doing an actual 64 table then XORing, but this was a fun way for me to play with bitwise operators... enjoy!"
A Radio Shack employee (we'll call him 'Scane') wrote in with a few
"I, unfortunately work at Radio Shack; you're right about the blank stares part--They train us in selling cell phones, MSN rebates, and Sprint Long Distance but not the component stuff that Radio Shack was always known for...) Anyways...one piece of trivia: my manager has been instructed to "account for every cue cat" and should a customer not want to give their name and address we should charge them $29.99 for it!
Also; a USB version is (or was) in the works...there is one that is around now, but I believe it is only used in the Radio Shack stores on their MSN kiosk/display. I expect this is due to the fact that the displays run the Microsoft internet keyboard, which is also USB. I have not gotten the opportunity to examine it closer but I believe it is actually a 68-1965 with a USB connection--not the 68-1965A, but these may be pre-production... It only has the one LED. According to my manager--before the cats were formally introduced--A USB version was planned to replace the keyboard-only versions as free giveaways. Digital Convergence may have changed their minds since then, though... An interesting feature of it: it turns itself off after a certain period of time!"
Scane managed to quickly snag a few pics of the USB scanner while the
manager stepped out of the store:
"The case matches the one on the 68-1965 (even the statement saying it only connects to the keyboard port!) except for one thing: a sticker has been placed over the 68-1965 saying "68-1966", otherwise it's a perfect match with the non "A" model. (Incidentally, 68-1966 is not in the Radio Shack POS system yet)
The obvious differences inside are the 4 USB wires and the addition
of a number of capacitors, and of course the overall arrangement of circuitry."
Pete Callahan inquired with DC about their breach of security a few weeks back:
Mr. Eschbach,And Pete got the following response:
How exactly did you eliminated the recent security breach involving the :CueCat product?
When do you expect the outside agency to complete the systematic audit of all your systems?
Do you plan to publish the results?
Does your company plan to "provide a patch that disables the ID number for current users... notify users of the existence of the tracking potential... [and] that future version of the product have the user ID feature disabled." as Richard Smith of The Privacy Foundation has suggested on 09/25/2000?
Here are some answers to your recent followup questions concerning our security breach. We eliminated the breach by reorganizing our web department so that deployment of web servers must go through a security audit before they are put into production. The security audit was completed about a week ago. We are not publishing the results, but we plan to have a second agency repeat the process in a month to validate any improvements which the first reported on.
With respect to the tracking issue, We have always disclosed to our users that we collect aggregated date. That is we know how many women of a certain age group in Dallas swipe a cue in The Dallas Morning News, for example.
We do not, and cannot track individual swiping behavior. We do not plan on publishing such a patch as it would negatively impact our business going forward. The privacy foundation's assessment was based on a technology study, not a business study. We have been working with the Privacy Forum to ensure that privacy concerns are addressed.
Vice President, Communications
And another CueCat 'fan' site up at http://www.digitalconvergencereallysucks.com - seems DC already nabbed digitalconvergencesucks.com, .org and .net for themselves. C'mon guys, don't be greedy...
Thanks for all the info, additions, and your kind words - this page has been a lot of fun and the enthusiastic feedback makes it all worthwhile!
My, my... Look who's been showing up in the logs: log capture (22.214.171.124 is dallas.digitalconvergence.com)
Hi guys! Hope you like the page!
CueCat Verified Mirroring Sites
FooCat BarCode (currently down due to Digital Convergence being idiots)
CueCat Software Spies on You (also mirroring this page)