Declawing Your :CueCat
by Lunius
:CueCats are barcode scanners given away with issues of Forbes Magazine and at RadioShack.
The :CueCat is used to scan a barcode of anything you find interesting and the :CRQ software, included with the cat, uses the default browser to bring the user directly to a corresponding web site with information from a database.
What they don't tell you is that every time you do this, a serial number is sent to them telling them who you are (remember giving your name to the RadioShack guy?). And while it is possible to change this, they try pulling technicalities, saying that the cat isn't even yours - that it's only on lease. They say this so that you cannot legally open it and reverse engineer it!
Too bad nobody gives a fu*k. Intellectual property laws protect reverse-engineering for competition last I heard, although corporations have been disagreeing lately.
Operation and Reverse Engineering
The :CueCat is a keyboard wedge scanner like several other barcode scanners, meaning it plugs into the keyboard slot on your computer, and the keyboard plugs into it.
When you scan a barcode, a line of information is sent like the following:
.C3nZC3nZC3nZCxj2Dhz1C3nX.fHmc.DxPYE3b6C3nZC3jY. |
This is four pieces of information separated by dots:
Now, as you probably can notice, the information is encrypted.
Jean-Phillipe Sugarbroad is credited with figuring out that the :CueCat uses a modified version of Base64 encoding, a very simple form of encryption.
Take each block of four characters and convert them into 6-bit values by indexing into: [a-z][A-Z][0-9]+-
String the four 6-bit fields together to get a 24-bit value containing three bytes.
Exclusive OR each with 67 and you have three decoded bytes.
Strings that aren't a multiple of three characters are zero filled and they should be stripped out if it isn't being processed by C code which takes a Null as the end of string.
According to the driver from Lineo.com, some cats don't encode the same.
For these you index into: [a-z][A-Z][0-9],/
You can do this yourself, or as any sane human would, with a script. You can find a small Perl script which I like best, nicknamed the "tatooable version" for its short, short length at opensource.lineo.com/cuecat
Decoded, the aforesaid line is this:
000000000215756002 UPA 691839000011 |
UPA stands for UPC-A and the 691839000011 is the barcode number.
The part you must worry about is the first number (000000000215756002): the serial number.
Getting rid of the serial number is relatively easy. All I had to do was cut the Data Out circuit on the Hyundai chip and the :CueCat now sends garbage for the serial number. (The chip will either be an 8-pin device or a smaller 5-pin device. Be sure to cut completely through the trace.)
More information on this can be found at www.ma2600.org/index.php?page=declaw
Congratulations, you now have a :CueCat that doesn't send a serial number and you know how to decode the barcode number.
To take advantage of this you can find software at Lineo.com or at MA2600.org to take inventory of your book/CD collection, or even to create your own barcodes. Have fun.
Shout outs to Ohmboy, Christ, Rasputin, Morn_Star, MA2600, and countless others who have guided me.