How to hack a theremin sensor: Difference between revisions

From Hackers & Designers

Latest revision as of 11:41, 16 December 2015

How to hack a sensor in 5 steps by James Bryan Graves

Because the theremin sensor's serial output is undocumented, the following steps were used to reverse engineer ("hack") its protocol. The details are specific to the theremin sensor, but the same method works for other undocumented serial protocols.

Step 1

The sensor was attached to an Arduino UNO, and the sensorReader5 sketch supplied by Andrey Smirnov and available on Github (https://github.com/hackersanddesigners/HDSA2015/tree/master/Theremin/scatch328v1%2B%2Bv105/sensorReader5) was uploaded to the Arduino.

Step 2

Note that the sketch sets the serial baud rate to 57600. A script was written, in this case in Processing (https://processing.org/), to read the computer's serial port at the same baud rate and print every incoming byte. A mismatched baud rate produces garbage bytes, so check this first if the output looks random.

Step 3

Look for repetitions. Here one byte value, 63, was seen to repeat every 8 bytes, so the packet size can be assumed to be 8 bytes and every 63 can be treated as the start of a new packet. Two caveats: any constant byte in the packet recurs with the same period, so the period is solid evidence but picking 63 as the packet start is a convention; and a data byte can also happen to take the value 63, so a parser should check that the next 63 arrives exactly 8 bytes later before trusting a packet.

Step 4

What does the sensor do? A theremin sensor reports the distance (really the capacitance) between a conductive body (you?) and the sensor. So, by moving closer to and further away from the sensor, we could look for highly dynamic bytes in the packets. In this case they turned out to be bytes 5 and 7, i.e. indexes 4 and 6 in 0-based arrays. Since there are two dynamic bytes, we can assume they should be combined into a 16-bit integer. There are two ways to do this, big endian and little endian, so we tried both. For the theremin sensor it turned out to be little endian: the byte at index 4 is the low byte and the byte at index 6 the high byte, so the value is (packet[6] << 8) | packet[4]. The wrong byte order shows up as a value that jumps around wildly while the hand moves smoothly.

Step 5

Do something "useful". Once we had the changing values, we could write an algorithm that uses them. In the Processing script below we simply grow/shrink a text size in proportion to the reading.


   import processing.serial.*;
   
   Serial ser;
   
   void setup() {
     // Literals here: declaring sketch-level int width/height shadows
     // Processing's own width/height, and size() rejects variables in Processing 3.
     size(320, 240);
     println(Serial.list());
     // Index 3 was the Arduino on the author's machine; check the printed
     // list and pick the entry that is your Arduino.
     ser = new Serial(this, Serial.list()[3], 57600);
   }
   
   int count = 0;
   boolean process = false;
   
   // One 8-byte packet as found in step 3: packet[0] is the 63 sync byte.
   int[] packet = new int[8];
   
   void draw() {
     background(0);
     fill(255);
 
     while (ser.available() > 0) {
       int inByte = ser.read();
       println(inByte);
       if(inByte == 63) {
         // A 63 marks the start of the next packet, so the previous one is
         // complete. Only decode it if a full 8 bytes were collected.
         if(process && count == packet.length) {
           int lsb = packet[4];   // low byte (step 4: little endian)
           int msb = packet[6];   // high byte
           int combined = (msb << 8 ) | (lsb & 0xff);
           int size = combined / 100;
           //println("SIZE: " + size);
           //println(packet);
           if(size > 0) {
             textSize(size);
           }
           textAlign(CENTER, CENTER);
           text("WORD", width/2, 60);
         }
         // Okay we can start looking at packets now - JBG
         process = true;
         count = 0;
       }
       // Bounds check: if a sync byte is lost on the wire, the unguarded
       // write ran past the end of the array and threw
       // ArrayIndexOutOfBoundsException. Drop extra bytes until the next 63.
       if(count < packet.length) {
         packet[count] = inByte;
         ++count;
       }
     }  
   }
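The procedure from step 2 onward, generalised into reusable functions, as an added example in Python. This is not the page's Processing sketch and not code from the author or the HDSA2015 repository. The byte stream SAMPLE is constructed inline to resemble the theremin sensor output described above (8-byte packets, 63 at offset 0, a 16-bit little-endian reading at offsets 4 and 6, a few constant bytes elsewhere) and is not real sensor data; the constant bytes 0x10, 0x20, 0x30, 0x0D and the readings are assumptions made for the example. It goes beyond the page in three ways: it infers the packet size from any recurring byte rather than from 63 alone, it resynchronises when a byte is dropped or the sync value appears inside a payload, and it picks the byte order automatically from how smoothly the decoded readings change.

```python
"""Reverse-engineer an undocumented fixed-size serial protocol, offline.

Added example, not the page's Processing sketch. SAMPLE is a constructed
capture mimicking the theremin sensor (8-byte packets, 63 at offset 0,
16-bit little-endian reading at offsets 4 and 6), not real sensor data.
"""
from collections import Counter


def infer_frame_size(stream: bytes, min_hits: int = 3) -> int:
    """Step 3, generalised: each recurring byte value has a modal stride
    between occurrences; the stride shared by most values is the packet
    size. Every constant byte gives the same period, so this finds the
    size but not which byte is 'first' (that choice is a convention)."""
    periods = Counter()
    for value in set(stream):
        positions = [i for i, b in enumerate(stream) if b == value]
        if len(positions) < min_hits:
            continue  # varying data byte, no stable stride to learn from
        gaps = Counter(b - a for a, b in zip(positions, positions[1:]))
        periods[gaps.most_common(1)[0][0]] += 1
    return periods.most_common(1)[0][0]


def split_frames(stream: bytes, sync: int, size: int) -> list:
    """Cut out packets that start with `sync` and are followed by another
    `sync` exactly `size` bytes later (or by end of stream). Anything else
    is discarded and the parser resynchronises on the next sync byte: this
    copes with a capture that starts mid-packet, a byte dropped on the
    wire, and the sync value legitimately occurring inside a payload."""
    marker = bytes([sync])
    frames = []
    i = stream.find(marker)
    while i != -1 and i + size <= len(stream):
        end = i + size
        if end == len(stream) or stream[end] == sync:
            frames.append(stream[i:end])
            i = end if end < len(stream) else -1
        else:
            i = stream.find(marker, i + 1)  # misaligned: resync
    return frames


def find_reading_fields(frames: list) -> list:
    """Step 4: offsets whose value changes across packets carry the
    measurement; offsets that never change are framing or padding."""
    return [k for k in range(len(frames[0]))
            if len({f[k] for f in frames}) > 1]


def decode_u16(frames: list, a: int, b: int, little: bool) -> list:
    """Combine offsets a and b into 16-bit values; little=True makes a the
    low byte, which is what the page found for the theremin sensor."""
    if little:
        return [f[a] | (f[b] << 8) for f in frames]
    return [(f[a] << 8) | f[b] for f in frames]


def choose_endianness(frames: list, a: int, b: int) -> str:
    """A continuously sampled physical quantity moves smoothly; the wrong
    byte order turns a ramp into big jumps. Prefer the smoother order."""
    def variation(values):
        return sum(abs(y - x) for x, y in zip(values, values[1:]))
    little = variation(decode_u16(frames, a, b, True))
    big = variation(decode_u16(frames, a, b, False))
    return "little" if little <= big else "big"


SYNC, FRAME = 63, 8
# Constructed stimulus: a hand moving steadily away from the sensor.
READINGS = [1000, 1050, 1087, 1150, 1200, 1250, 1300, 1350,
            1400, 1450, 1500, 1550, 1600, 1650, 1700, 1750]


def _packet(reading: int) -> bytes:
    # assumed layout: sync, three constant bytes, low, 0, high, footer
    return bytes([SYNC, 0x10, 0x20, 0x30, reading & 0xFF, 0x00,
                  reading >> 8, 0x0D])


_clean = b"".join(_packet(r) for r in READINGS)
# Constructed capture: the port was opened mid-packet (three trailing bytes
# of an earlier packet arrive first) and one byte of the 10th packet was
# lost. Reading 1087 (0x043F) also places the sync value inside a payload.
SAMPLE = _clean[-3:] + _clean[:9 * FRAME + 2] + _clean[9 * FRAME + 3:]


def analyse(stream: bytes = SAMPLE) -> dict:
    """Steps 3 to 5 end to end: size, packets, dynamic offsets, byte order."""
    size = infer_frame_size(stream)
    frames = split_frames(stream, SYNC, size)
    lo, hi = find_reading_fields(frames)[:2]
    order = choose_endianness(frames, lo, hi)
    return {"frame_size": size, "packets": len(frames), "fields": [lo, hi],
            "order": order,
            "readings": decode_u16(frames, lo, hi, order == "little")}
```

Running `analyse()` on the constructed capture recovers a packet size of 8, 15 complete packets (the one with the dropped byte is discarded rather than mis-parsed), dynamic offsets 4 and 6, little-endian order, and the original readings minus the lost one. To use it on the real sensor, replace SAMPLE with a few hundred bytes read from the serial port at 57600 baud (for example with the third-party pyserial package, which this block deliberately does not import so it runs offline).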