Last week as I was making my rounds at the supermarket, I came across this digital bathroom scale on sale. With some membership card, the discount was almost 50% and at S$16, I thought that was a pretty good deal. It is “wireless” in that it has a separate display unit that could be detached from the scale itself. This bathroom scale had “HACK ME” written all over it.
It turns out that this bathroom scale is the EB9121 made by a Chinese (OEM?) company called Zhongshan Camry Electronic Co. Ltd (or simply Camry). The box specifically mentions that it uses infrared for transmission, and given that I had some experience looking at IR signals, I thought it would be rather straightforward.
I hooked up a 38kHz IR receiver to the logic analyzer and placed it near the scale while I was standing on it. It looks like the scale was using pulse distance coding to encode the data, and each burst was separated by a ~75ms space. The data is represented by 500µs, followed by either 500µs or 1000µs, making the total duration of each bit either 1ms or 1.5ms.
I would probably die if I had to manually mark the 1’s and 0’s on the waveform for analysis. Since I already had some code for a toy Saleae analyzer plugin lying around, I hacked it up to mark 1’s and 0’s on the waveform depending on the pulse distance. Saleae analyzer plugins can also put bubbles above a group of individual bits in order to present the decoded data for easy interpretation. Having an analyzer plugin definitely helps with reverse-engineering the protocol.
At this point, I don’t know if the (500, 500) pair represents a 1 or 0, so we’ll just pick one for now. I also don’t know if the bits are reconstructed from left-to-right or right-to-left. I made all of these into configurable options so that I could easily try out various combinations. The data can also be exported into a text file for further analysis.
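The decoding step described above, as an added example in Python (this is not the author's Saleae plugin, which the page does not show), with the two unknowns exposed as options. The input format of `(mark_us, space_us)` pairs, the tolerance and gap threshold, the treatment of the last mark in a burst as a stop pulse, and the grouping into 8-bit bytes are all assumptions.

```python
"""Pulse-distance decoder for exported (mark_us, space_us) pairs."""
MARK_US = 500                  # IR burst length reported in the post
SHORT_US, LONG_US = 500, 1000  # the two space lengths reported in the post
GAP_US = 10_000                # assumed threshold; the post measured ~75 ms gaps
TOL_US = 200                   # assumed timing tolerance

def near(value, target):
    return abs(value - target) <= TOL_US

def decode(pulses, short_is_one=False):
    """Return one list of bits per complete burst; mistimed bursts are dropped."""
    frames, bits, bad = [], [], False
    for mark, space in pulses:
        if space >= GAP_US:
            # Assumption: the mark before the gap is a stop pulse, not a bit.
            if bits and not bad:
                frames.append(bits)
            bits, bad = [], False
        elif not near(mark, MARK_US):
            bad = True
        elif near(space, SHORT_US):
            bits.append(1 if short_is_one else 0)
        elif near(space, LONG_US):
            bits.append(0 if short_is_one else 1)
        else:
            bad = True
    return frames  # a trailing burst with no gap after it is incomplete and ignored

def to_bytes(bits, msb_first=True):
    """Pack complete groups of 8 bits (assumed byte framing); extra bits are ignored."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        octet = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        out.append(int("".join(map(str, octet)), 2))
    return bytes(out)

def sample_capture():
    """Constructed capture: two bursts with slight jitter, second one mistimed."""
    good = [(510, 1020 if b == "1" else 480) for b in "1011000000000001"]
    noisy = [(500, 500), (500, 2500), (500, 1000)]   # 2500 us matches neither space
    return good + [(500, 75_000)] + noisy + [(500, 75_000)]

if __name__ == "__main__":
    # Try every polarity / bit-order combination on the same capture.
    for short_is_one in (False, True):
        for msb_first in (True, False):
            for frame in decode(sample_capture(), short_is_one):
                print(short_is_one, msb_first, to_bytes(frame, msb_first).hex())
```

Running all four combinations against captures taken at known weights is how the correct polarity and bit order would be identified.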