Mystery Dongle Found in the Snow

[SeoulBigChris]

I was walking to my car at a client's site, and spotted something in the melting snow on the ground in the parking lot. It looked like a USB drive, but on closer inspection, I was some kind of weird 4-pin module with maybe an IR LED on the end? It's powered by a PIC 12F629 8-pin micro, and there's not much to the circuit. I drew out the schematic, but it didn't give me any further clues what this might me. Neither did the part number on the board reveal anything helpful.

If it helps, this client is a government-run research center for chemical engineers/scientists. I wouldn't be surprised if this is some kind of widget that fell out of a piece of specialized lab equipment.

Any ideas what this is used for?

[jpanhalt]

R1,R2, cap to ground, and D1 are related to ICSP programming.   Some old Microchip recommendations included such complex circuits.  D1 is to protect VDD supply from VPP.  More recent recommendations just have !MCLR connected by a resistor to VDD.

That is a fairly hefty resistor in series with the diode.  Do IR emitters operate at such low current?  Why not power it up and see what happens?   

[FireBird]

R3 is 330 Ohm instead of 3k3 which will result in about 10mA @ 5V through the IR diode.

A wild guess: there are small printers out there like the HP 82240B that receive the data via IR.

[SeoulBigChris]

Good catch FireBird. Indeed 330 ohms.

[SeoulBigChris]

@jpanhalt Yep, I plan on powering it up. Maybe tomorrow. I can easily grasp that this could be an IR transmitter for a printer for example. But to be packaged like this as a separate module seems strange, especially for something so cheap.

I was about to say that judging from the connector it must have been internally mounted. But it was shrinked in some heavy plastic, so maybe it was a user add-on. I’ll ask one of the chemists Monday if they’ve ever encountered such a widget.

[AndyBeez]

Thanks for doing the schematic - always helps on the forum

Judging by the crude PCB edge, it was made in bulk and depanelized somewhere in China. No attempt to finish it properly. The components look hand soldered, suggesting a low volume production run. The Tx/Rx like lines and ICSP connector suggest it's something that's meant to be programmable. Curious.

What is it? If that's just an LED, then it's not a transceiver, so it might be a coded beacon, or a keyfob? Or it's just a blinking red or white status LED. Use your mobile phone camera to 'see' the LED if it's infrared. 

A bench test > is there any 'serial' output on either pin 2 or pin 3?

[Psi]

I'm going to laugh if he powers it up and it spits out over UART/IR

"Put me back were you found me"

Or

"Achievement unlocked - Reverse engineering"

[Sherlock Holmes]

I was walking to my car at a client's site, and spotted something in the melting snow on the ground in the parking lot. It looked like a USB drive, but on closer inspection, I was some kind of weird 4-pin module with maybe an IR LED on the end? It's powered by a PIC 12F629 8-pin micro, and there's not much to the circuit. I drew out the schematic, but it didn't give me any further clues what this might me. Neither did the part number on the board reveal anything helpful.

If it helps, this client is a government-run research center for chemical engineers/scientists. I wouldn't be surprised if this is some kind of widget that fell out of a piece of specialized lab equipment.

Any ideas what this is used for?

You "found" that while on company property and didn't hand it in to the reception desk?

[Psi]

Plot twist, his client put it in the path to his car on purpose and it's part of a security check on him.

[SeoulBigChris]

Good point. It was in an area used for trash and recycling, and there is an huge building under construction using the same area. I did entertain the notion that it might have come from an odd piece of construction equipment or tool. In my defense it was late Friday afternoon and everyone had gone. I’m going to report it to one of the employees Monday. I was hoping that a search of the part number would what say what kind of equipment this came from. When that failed, and I saw how simple it was, I drew up the schematic and posted here just as a long shot someone in case might recognize it

[SeoulBigChris]

Funny you say that. Just last week I found the equivalent of a dollar bill on the stairs and turned it in to one of the employees. I think I’ve already passed that test. Unless it’s a multi-stepped test. Maybe next week they’ll test me by leaving a calculator in the bathroom 8-)

[Sherlock Holmes]

Good point. It was in an area used for trash and recycling, and there is an huge building under construction using the same area. I did entertain the notion that it might have come from an odd piece of construction equipment or tool. In my defense it was late Friday afternoon and everyone had gone. I’m going to report it to one of the employees Monday. I was hoping that a search of the part number would what say what kind of equipment this came from. When that failed, and I saw how simple it was, I drew up the schematic and posted here just as a long shot someone in case might recognize it

Things will get weird when you see a manufactured date of 2030...Dr. Who might have been in the area!

[ralphrmartin]

I'm going to laugh if he powers it up and it spits out over UART/IR
...

Or after decoding, "You have solved level 1 of the GCHQ Xmas Quiz, hardware version. To proceed to level 2, ..."

[coppercone2]

could it be a espionage device used to bridge a air gap?

Maybe it tapped into some data stream to broadcast it. Hard to find with a RF bug finder and also now all the phones and stuff have firmware for IR reception so you might just need to walk by this thing with a phone to get a burst transmission (more complex). 

[coppercone2]

I have a crazy idea. Put a multimeter diode test on the LED to see if its infact IR or not. Because its probobly a generation 16 "blinky".

[coppercone2]

and it might be a diagnostic tool to put into a port to see if it gives you the correct pattern for some hardware they were testing. Thats common for programmers to make it so there is a visible trace for fast trouble shooting, but if its IR it seems like a communication device, or maybe its something to connect to a chemical test equipment (PH meter download, etc), part of a larger DAQ system for facilities maintenance or whatever, so they can upload logs at the end of the day (i.e. daily check to verify room temperature is correct, or that fume hoods are working, plating tank is not contaminated, stuff like that).

If I ran a facility I would consider that kind of thing to homogenize the QA process between different equipment, because you always get screwed by things that have custom drivers, different file formats, etc. I.e. if you have gossen, fluke, extech, cole-parmer and 3 more companies equipment floating around all the time. Windows update = facility shutdown.

The serial number on it makes me think that its not a toy/hobby project/etc (their usually kinda cute, no one would put a random ass part number on a DIY project, people would think you took it out of something).

[DavidAlfa]

Try reading it!

[Fred27]

"Dropping" a USB device in a car park is a fairly common social engineering hack. It's normally just a memory stick with a virus, but doesnt have to be. A lot of people plug it in to see what it is out of curiosity or trying to return it to its owner.

I'm not saying that's what it is, but it's best to assume the worst until you're sure.

[thm_w]

"Dropping" a USB device in a car park is a fairly common social engineering hack. It's normally just a memory stick with a virus, but doesnt have to be. A lot of people plug it in to see what it is out of curiosity or trying to return it to its owner.

I'm not saying that's what it is, but it's best to assume the worst until you're sure.

But there is no USB connection on this at all.
Whats it going to do, send out a IR code virus and replicate itself on your TV?

[SeoulBigChris]

Quick update, I had a brief look during a break yesterday at this widget. Hooked it up to my oscilloscope and a serial port on my computer. Here's what it does on power-up:

• Brief initialization pause, about one second-ish
• The LED-looking part is a yellow/orange LED
• It starts flashing on/off
• It sends five bytes at 9600 baud: 0x7F '?' '3' '0' <LF>

At first, I tried just typing random letters over the serial port but got no response. Looking at that 0x7f, I'm thinking that must be a sync character indicating beginning of frame.

At this point, my time was running out, but I pounded out a short Python script to begin sending stuff programmatically. And then I accidentally unplugged my computer while adjusting the cabling, and that was the end of the experiment for yesterday.

Any suggestions on what to send in such a script? I was thinking trying to mimic this response message, like 0x7f + character + <LF>, then repeat with two characters, etc.

What could it do? If indeed this only flashes a light. Why is there a serial port at all? Is it meant to flash different codes which you send over the serial port? I'm still puzzled.

[SeoulBigChris]

Let me clarify, this was on the way to the parking lot, not in the parking lot. That place is adjacent to a small loading dock, which seems to serve as a staging area for huge piles of trash and recycling. It would be more accurate to say that I found it in the trash.

And it wasn't a USB device, but just a four pin serial port. Funny, it is exactly the same pinout that I'm using in a couple of circuit boards I've made for this project, so it was easy to plug in a test.

[Bicurico]

My guess is that this module belongs to a device that sends data through IR.
For that it receives a message over the serial port, for instance a reading, which is the periodically sent through IR. For example a counter.

But of course this is just me guessing.

[Neomys Sapiens]

REPORT TO VOGON CONSTRUCTION AUTHORITY: The project is proceeding on schedule! Another planet has flashed the predetermined code that it is ready for demolition! Hail the Vogon Construction Authority!

[AndyBeez]

Quick update, I had a brief look during a break yesterday at this widget. Hooked it up to my oscilloscope and a serial port on my computer. Here's what it does on power-up:

• Brief initialization pause, about one second-ish
• The LED-looking part is a yellow/orange LED
• It starts flashing on/off
• It sends five bytes at 9600 baud: 0x7F '?' '3' '0' <LF>

...

Some suggestion of an intelligent lifeform in the bit pattern - assuming Unicode.

Code: [Select]

> : 7F : 01111111
? : 3F : 00111111
3 : 33 : 00110011
0 : 30 : 00110000
< : 0A : 00001010
Maybe try pinging it with AT codes. "AT&V" is view configuration

Maybe it only responds to K-Pop?

[SeoulBigChris]

I dumped the hex file last night, disassembled with gputils, and had a glance. No "ah ha" moment yet. I did learn there are 5 different text messages this thing can send, but they aren't much help:

Code: [Select]

; msg_000 sends: ?30
; msg_001 sends: 259000059
; msg_002 sends: 256000056
; msg_003 sends: 1280129
; msg_004 sends: ~OK
I also realized that I'm assuming the digital input pin is serial data, like the output pin is. But that is just an assumption so far. It could be something else, like a pulse train or pulse width. It's also not helpful that this 12F629 doesn't have a UART peripheral, so the serial port is handled by bit-banging.

It seems to be writing something to the EEPROM based on the input. Could it be some kind of very tiny data logger? The non-volatile storage on this chip is only 128 bytes, not much room to store logging data.

Maybe it is one of those evil widgets that disables your printer / toner / copy machine after so many cycles?