I started this project right before I moved to Las Vegas in 2011. I remember sitting at our favorite pub in San Antonio, and noticed the bartender skip a song on the jukebox by pressing a button on a remote she had behind the bar. On another night, I saw the same person walk up to the jukebox, point the same remote at it, press a button, and (without putting money in it) select some songs. That got me thinking…if she could do it, why not me?! So began my quest to try and reverse engineer what protocol is being used, and how to exploit it for my benefit. At the very least, figure out how to skip songs, or turn up/down the volume.
I first tried to figure out as much information as I could without actually building any hardware. All I had to go on was the model of the jukebox, and so I tried to pull up technical specifications from the internet, but to no avail. I dabbled in infrared projects in college, but just making simple transmitter/receiver pairs. In this project, I wanted to make a receiver that was capable of essentially recording all infrared data that it “sees”. So, I designed and built what you see at the top of this page. It has a simple microcontroller with an attached 38 kHz infrared detector. The detector has a built-in filter and demodulates the signal, outputting 0V/+5V based on the presence of an infrared signal.
The program simply waits until it “hears” the infrared signal, and then records the amount of time between 0V/+5V transitions from the detector, and saves these values on an on-board EEPROM. It uses an internal 16-bit timer, which increments every 2 microseconds (max of 131 milliseconds). It continues this process over and over. You can see that I mounted the infrared detector outside of the base unit, attached to a flexible cord. This enables me to place the unit behind something like…a jukebox…with only the small infrared detector visible.
I didn’t actually complete the project until we moved to Las Vegas. One of our favorite establishments there also had one of those fancy jukeboxes. They had a remote here as well. I asked the bartender to see the remote…I made up some excuse. I just wanted to make sure it was infrared (it was). I affixed the receiver to the back of the jukebox one night, using some velcro tape. I turned it on and waited a couple days. As you can see from the pic at the top, it’s only powered by a 9 volt battery, and so it was dead when I picked it up a couple of days later. There’s a simple “dump” procedure that gets called if one of the buttons is held down while turning the unit on, and so I hooked it up to my PC’s serial port to see what’s been recorded. Here’s a sample of some data, where each set of four characters is the value of the 16 bit timer at the point of each 0V/+5V transition from the infrared sensor.
Interpreting the data
Each sequence of 4 characters represents a 16-bit number: the value of the internal timer when the data pin on the IR sensor switched from high to low or low to high. Wherever there’s an “FFFF” in the data stream, I know that means a timeout has occurred. From there, I work backwards until I see another “FFFF”. That’s a single “packet”. These two packets were embedded in some random data (noise, I’m assuming). I’m hoping that these were two distinct button presses by the bartenders.
As you can see, there is definitely a pattern. Most of the values are around 0x01BB or 0x0376. At 2 us per clock tick, these values equate to about 886 and 1772 us, respectively. A quick Google search yields that this has potential to be an RC-5 protocol. Each of the streams contains at least one value that’s significantly higher, around 0xAD9A. This equates to about 88 milliseconds: the approximate delay that the RC-5 protocol waits before sending a repeat code. So it appears we may have cracked the protocol used by our internet jukebox!
To verify, let’s apply this new information to produce a few waveforms. Let’s assume anything around 0x01** is a short period, and 0x03** is a long period. Here are the two corresponding waveforms:
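The interpretation steps above (split the dump at FFFF, treat values near 0x01BB as one half-bit and values near 0x0376 as two, then read the Manchester-coded RC-5 bits) can be written down as a small decoder. The following is an added example, not code from the original post or its hardware: it assumes the capture is a list of 4-hex-digit timer words at 2 us per tick, that the first recorded transition of a frame is the one into the carrier half of the first start bit, that any word outside the short/long windows (including the ~88 ms repeat gap and the FFFF timeout) separates frames, and it uses standard 14-bit RC-5 (two start bits, toggle, 5-bit address, 6-bit command). The capture words are constructed from the encoder in the same file rather than taken from the page, since the page's sample dump is not reproduced here.

```python
"""Decode standard RC-5 frames from a 16-bit timer dump (2 us ticks).

Added example. The interval model and tolerance windows are assumptions;
the capture below is constructed with encode_rc5(), not recorded data.
"""
from typing import List, Tuple

TICK_US = 2            # timer increments every 2 us
SHORT_TICKS = 0x01BB   # ~886 us: one RC-5 half-bit, as observed in the dump
LONG_TICKS = 0x0376    # ~1772 us: two half-bits (a full bit period)
TIMEOUT = 0xFFFF       # timer overflow: ~131 ms without a transition
TOLERANCE = 0.25       # accept +/-25% jitter around the nominal values

SPACE, MARK = 0, 1     # no carrier / 38 kHz carrier present


def classify(ticks: int) -> int:
    """Return 1 for a half-bit interval, 2 for a full-bit interval, 0 otherwise."""
    if abs(ticks - SHORT_TICKS) <= SHORT_TICKS * TOLERANCE:
        return 1
    if abs(ticks - LONG_TICKS) <= LONG_TICKS * TOLERANCE:
        return 2
    return 0


def encode_rc5(toggle: int, address: int, command: int, jitter: int = 0) -> List[int]:
    """Return the intervals (ticks between detector transitions) of one frame."""
    bits = [1, 1, toggle & 1]
    bits += [(address >> i) & 1 for i in range(4, -1, -1)]   # 5 bits, MSB first
    bits += [(command >> i) & 1 for i in range(5, -1, -1)]   # 6 bits, MSB first
    half_bits = []
    for b in bits:                       # Manchester: 1 = space,mark  0 = mark,space
        half_bits += [SPACE, MARK] if b else [MARK, SPACE]
    # half_bits[0] is SPACE and indistinguishable from idle, so the first
    # transition is the one into half_bits[1]; the receiver records the run
    # lengths after that. A trailing SPACE run merges into idle and is lost.
    runs = []
    for level in half_bits[1:]:
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1
        else:
            runs.append([level, 1])
    if runs[-1][0] == SPACE:
        runs.pop()
    out = [SHORT_TICKS if n == 1 else LONG_TICKS for _, n in runs]
    return [t + (jitter if i % 2 else -jitter) for i, t in enumerate(out)]


def decode_frame(intervals: List[int]) -> Tuple[int, int, int]:
    """Rebuild the 28 half-bits from run lengths and Manchester-decode them."""
    half_bits = [SPACE]                  # the unrecorded first half of start bit 1
    level = MARK                         # first recorded run is always carrier
    for ticks in intervals:
        half_bits += [level] * classify(ticks)
        level ^= 1
    if len(half_bits) > 28:
        raise ValueError("too many half-bits for an RC-5 frame")
    half_bits += [SPACE] * (28 - len(half_bits))   # restore the lost trailing space
    bits = []
    for k in range(14):
        pair = (half_bits[2 * k], half_bits[2 * k + 1])
        if pair == (SPACE, MARK):
            bits.append(1)
        elif pair == (MARK, SPACE):
            bits.append(0)
        else:
            raise ValueError("Manchester violation at bit %d" % k)
    if bits[:2] != [1, 1]:
        raise ValueError("missing RC-5 start bits")
    toggle = bits[2]
    address = int("".join(map(str, bits[3:8])), 2)
    command = int("".join(map(str, bits[8:14])), 2)
    return toggle, address, command


def decode_capture(words: List[str]) -> List[Tuple[int, int, int]]:
    """Split a dump into frames at FFFF or any non-RC-5 gap, decode each one."""
    frames, current = [], []
    for word in words:
        ticks = int(word, 16)
        if ticks != TIMEOUT and classify(ticks):
            current.append(ticks)
            continue
        if current:
            frames.append(current)
        current = []
    if current:
        frames.append(current)
    results = []
    for frame in frames:
        try:
            results.append(decode_frame(frame))
        except ValueError:
            pass                         # noise burst that landed in the windows
    return results


def hex_words(intervals: List[int]) -> List[str]:
    return ["%04X" % t for t in intervals]


# Constructed dump: noise, one press plus its ~88 ms-gap repeat, noise, a second
# press with the toggle bit flipped. Address/command values are made up.
CAPTURE = (["0C31", "2A07", "FFFF"]
           + hex_words(encode_rc5(0, 3, 16, jitter=20)) + ["AD9A"]
           + hex_words(encode_rc5(0, 3, 16, jitter=20)) + ["FFFF", "1F00", "FFFF"]
           + hex_words(encode_rc5(1, 3, 17)) + ["FFFF"])

if __name__ == "__main__":
    for toggle, address, command in decode_capture(CAPTURE):
        print("toggle=%d address=%d command=%d" % (toggle, address, command))
```

The toggle bit is what distinguishes a held button (same toggle on every repeat) from a fresh press (toggle flips), which is the same thing the author noticed when the two captured keypresses differed only at the beginning of the frame. Widening `TOLERANCE` trades robustness against timer jitter for a higher chance of decoding noise as a frame; the start-bit and Manchester checks in `decode_frame` catch most of that.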
So it appears the two “keypresses” have similar waveforms, except for the beginning. After researching the RC-5 protocol, I went on to finalize my hack.
Creating my own IR transmitter
I built a simple battery powered IR transmitter enclosed in a project box with two buttons.
My code allowed me to brute force various addresses and function codes until the Jukebox responded in some notable way. I was able to figure out the codes for volume up, volume down, and…skipping songs! Also, one of the codes completely reset the Jukebox…that was a fun one.
So, to much of the dismay of one of my trivia mates who sometimes played awful music, I had full control of the Jukebox. Well, almost full control…I couldn’t play music for free. That would be crossing a hacking boundary I wasn’t comfortable with anyways.