Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

DoS Denial of Shopping: Analyzing and Exploiting Shopping Cart Systems - 606

Joseph Gabay - DEF CON. Posted 4 years ago.
  • Many shopping cart wheels have a protection mechanism that prevents people from taking the cart. Once the cart is taken outside of the pre-approved boundary, one of the wheels locks itself. How does this work? Welcome to the rabbit hole! The author opens with a funny quote: "It's not worth doing something unless someone, somewhere, would much rather you weren't doing it" - Sir Terry Pratchett.
  • The system works by having an underground magnetic transmitter that is sending out a signal at all times. This is typically buried underneath the parking lot at stores. If the cart senses this magnetic field, the cart automatically locks itself. At this point, the store staff come and get the shopping cart, using a remote to unlock it.
  • As a robotics engineer, the author of the talk discusses how the actual lock and electronics work. The wheel has an inner casing that is flexible. When the wheel needs to lock, a motor expands this inner casing so that it catches on ridges on the inside. Interesting system!
  • The PCB has two antennas: a 2.4 GHz antenna that is physically part of the PCB and an inductor that runs at 7.8 kHz, which acts like an antenna. The microcontroller is a TI CC2510, which has a built-in 2.4 GHz transceiver. There is also a 10-pin JTAG port that can be used.
  • To learn how this works at the signal level, there are a few places to turn: the FCC website, patent searches and other hackers. These can yield information like a user manual, frequency, modulation and many other things. In this case, the frequencies and modulation were shown in the documentation.
  • Frequencies under 1 MHz are not supported by most SDRs. So, what do we do? 7 kHz is in the audio range! The author creates a janky homemade antenna and records the signal using a standard audio application; it is amazing that this actually worked. They analyze the recording in spectrogram software and in audio processing software.
  • Phone speakers/headphones are essentially crappy antennas! A speaker is a coil of wire attached to a membrane, with current driving it. This produces the signal, or the audio that we hear. Because the frequency we are working at is in the audio range, literally using speakers/headphones works to unlock these devices.
  • Using the signal above we can lock any shopping cart in the area; this is pretty amazing! But what about the remote? Of course, these can be bought on eBay! Using one, we can unlock and lock the shopping carts at will and learn the actual codes that are sent.
  • The signal decodes to a total of 8 bits. The difference between the two remotes is that one of them uses the 7 kHz frequency with OOK encoding while the other uses the 2.4 GHz frequency with FSK encoding. Apart from this, the unlock and lock signals are the same on both devices. The unlock and lock signals are also just the inverse of each other.
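The audio-band analysis in the bullets above (recording the audio-range carrier with an ordinary sound card, then reading the 8-bit OOK frame off a spectrogram) can be reproduced in software. The following Python is an added example written for this page, not code from the talk or its author: it builds a synthetic OOK waveform for a constructed 8-bit frame, adds noise to stand in for a real recording, and recovers the bits with a single-bin DFT over each symbol window. The sample rate, symbol length, amplitude and the frame itself are assumptions; the real cart codes are not on this page and are not used.

```python
"""OOK at audio frequency: encode a constructed 8-bit frame, then decode it again.

Added example for these notes; it is not code from the DEF CON talk. All
parameters below are assumptions chosen so the example runs offline.
"""
import math
import random

SAMPLE_RATE = 44_100   # Hz: a common sound-card rate (assumed)
CARRIER_HZ = 7_800     # Hz: the audio-band carrier the notes mention
SYMBOL_SEC = 0.010     # 10 ms per bit; assumed symbol length, not from the talk
FRAME_BITS = 8         # the notes say the frame decodes to 8 bits

# 441 samples per symbol, which is exactly 78 carrier cycles at 7.8 kHz
SAMPLES_PER_SYMBOL = int(SAMPLE_RATE * SYMBOL_SEC)


def ook_modulate(bits, amplitude=0.8):
    """Build an OOK waveform: carrier present for a 1 bit, silence for a 0 bit."""
    samples = []
    for i, bit in enumerate(bits):
        for k in range(SAMPLES_PER_SYMBOL):
            t = (i * SAMPLES_PER_SYMBOL + k) / SAMPLE_RATE
            samples.append(amplitude * math.sin(2 * math.pi * CARRIER_HZ * t) if bit else 0.0)
    return samples


def add_noise(samples, sigma=0.2, seed=1):
    """Add seeded Gaussian noise so the decoder sees something closer to a real recording."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def carrier_magnitude(window, offset):
    """Single-bin DFT at CARRIER_HZ.

    Correlating with both cos and sin makes the result independent of carrier
    phase. For a clean sine of amplitude A the value is about A / 2; for
    silence it stays near 0.
    """
    re = im = 0.0
    for k, s in enumerate(window):
        phase = 2 * math.pi * CARRIER_HZ * (offset + k) / SAMPLE_RATE
        re += s * math.cos(phase)
        im += s * math.sin(phase)
    return math.hypot(re, im) / len(window)


def ook_demodulate(samples, nbits=FRAME_BITS, threshold=0.1):
    """Recover the bit frame by measuring carrier energy in each symbol window."""
    bits = []
    for i in range(nbits):
        start = i * SAMPLES_PER_SYMBOL
        window = samples[start:start + SAMPLES_PER_SYMBOL]
        bits.append(1 if carrier_magnitude(window, start) > threshold else 0)
    return bits


def invert(bits):
    """Bitwise inverse of a frame, mirroring the lock/unlock relationship in the notes."""
    return [1 - b for b in bits]


def roundtrip(bits, sigma=0.2):
    """Modulate, add noise, demodulate; returns the recovered frame."""
    return ook_demodulate(add_noise(ook_modulate(bits), sigma))


if __name__ == "__main__":
    frame = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed sample frame, not a real cart code
    print("sent    :", frame)
    print("decoded :", roundtrip(frame))
    print("inverse :", roundtrip(invert(frame)))
```

The threshold works because each symbol window spans a whole number of carrier cycles, so the correlation for a present carrier lands near amplitude / 2 (0.4 here) while the noise-only windows average out to a few hundredths; with a real recording you would pick the threshold from the spectrogram rather than hard-coding it. The same energy-per-window idea is what the spectrogram view in the bullets shows visually, and the `invert` helper illustrates why two frames that are bitwise inverses of each other look like the same on/off pattern flipped in time.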
  • The range of the audio approach was extremely small. As a result, the author created a proof of concept using the HackRF that worked from across the room for unlocking. The lock signal does not run on the 7 kHz frequency, probably because the creators did not want hackers or store owners locking all of the nearby carts.
  • The author mentions a lot of great tools, such as Universal Radio Hacker, GQRX and the HackRF. Additionally, they mention an article on previous research from 2008 called Consumer B Gone that reversed how some of these systems worked. Overall, this talk had great presentation and amazing research!