iSkipper
Questions about iClickerEmulator::encodeId function
Hi Wizard97,
This is a really cool project!
I have some problems with the iClickerEmulator::encodeId function. My encoded ID obtained from the SDR IQ waveform can be decoded by the iClickerEmulator::decodeId function, and it matches my unencrypted ID on the label. So, I think the data obtained from the SDR should be correct. However, I can't use the algorithm in the encodeId function to encode my ID: the result doesn't match the data from the SDR.
I created a table of how the original ID is mapped into the encoded one. See the table below.
I found the 2nd bit of all 4 ret[] are not set and that the last 4 bits of ret[3] are not set. Also, all the bits from the original ID are mapped into the encoded one except the first bit of ret2 <ret2,bit0> showing up twice and all the 8 bits from ret3 being absent.
I saw the comment for the encodeId function saying "//bits 4-0". I'm not sure what it means, and that might solve my problem.
I'm curious how these encoding methods are obtained (from EEPROM?). I have never thought iClicker would encode the data in such a random way. Regardless, it is definitely very impressive to see these being hacked. Good job!
Hi, take a look at our work-in-progress security paper, I think we explain most of all the specific details and how we figured them out. There are a few minor issues with the paper (I don't think all the frequencies are quite right), but other than that it should be pretty complete. iskipper.pdf