Hack Your CueCat
I recently heard about a free bar code scanner available at Radio Shack (tm). Not one to pass
up free hardware, I went and grabbed one to play with. Not one to jump right in, I checked
around on the Internet to see what could be done with my free barcode scanner - and lo and
behold, it turns out that not only was there a Linux driver, but that the author had been sent
a cease and desist order!
It seems that the manufacturer of these freebie scanners didn't like the idea of people
developing decoding software that didn't provide them with lucrative marketing info. (Let's not
even mention the serial number that is sent every time you scan something with this
Now, not one to give up, I kept doing research on the subject until I found a curious note from
a guy named Jeff Dobkin. It seems he poked around on his scanner, with board revision FM+H Ver
0.3 and found that adding a jumper caused it to output plain ASCII - and just the data, not the
serial number or type. Wow! I thought, but I have a newer rev board - the TM+H Rev 3. Would it
work? Only one way to find out - fire up the old soldering iron.
The upside is that since it can be reasonably asserted that you own the hardware outright, this
modification is perfectly legal. You don't need any additional software, either the original or
recently released drivers, to get useful output. It outputs plain text. This means that you can
use it in DOS apps, where the clever hacks don't seem to work so well. Since you are messing
with your own stuff, you can do what you like to it, even solder wires onto the PCB! The
downside, if you want to call it that, is that the reader will no longer work with the supplied
software package. (boohoo... ;)
Here are some pictures of my scanner's board, with colored dots noting areas of interest.
This second image shows the backside of the board with the jumper wire.
The yellow dot covers the pad that you should jumper to. You need to apply +5 volts to this
pad, so jumper a wire from the RED LED power wire (Vled+) to this pad. Jumpering to other pads
doesn't seem to have any effect on the scanner, but it doesn't harm the scanner either. As a
side note, I suggest you "tin" the wire before inserting it into the plated hole. Tinning just
means heating the wire and letting it soak up a little solder until it looks like a solid
wire. Don't use too much solder, though, or it won't fit in the hole.
Lastly, it is possible to disable the serial number embedded in each scanner as well. If you
look at the red shaded pads near X1, you will see that they connect a certain serial
EEPROM chip, an S93C46DV03. By removing the shorting "blobs", you will disconnect the serial
EEPROM from the microcontroller, effectively declawing the board. Note, if you apply the above
hack, there isn't any point in applying this one, as the serial number data isn't sent. If,
however, you want to "anonymize" your cat, then by all means - desolder those
As a side note, I have read that you can still use a reader with the serial EEPROM disabled
with the original software. By only applying this second modification, you get a reader
with no serial number at all.
Here is a closeup showing the pads that should be desoldered. Use a fine desoldering braid,
available at any decent electronics store, to remove the blobs.
Note, none of the info on this page was original thought. The text clipping I made indicates a
certain Jeff Dobkin found out about this first. I found the reference at http://www.topica.com/lists/pla_upl/read/message.html?mid=1702776249
I would like to note Michael Guslick's excellent hardware discussion at http://air-soldier.com/~cuecat/.
From this site, I understood the importance of the serial EEPROM chip. Desoldering these pads
was merely an extension of this. :) Obviously, I don't need the driver software anymore, but I
did go to the trouble of understanding how the encoding scheme works - and it is terribly
simple. (laughable, if this was the basis for any kind of legal protection). There is a great
kept by Stephen Satchell regarding the encoding scheme.
Well, now you have a fully general-purpose barcode reader - you do the math. Personally, I'm
whipping up an Access database based on both the modified and unmodified readers. The
unmodified reader can be used to provide accountability - see who changed that data by storing
the serial number along with the data!
The decryption on/off switch is different for different boards. The FM+H Ver 0.3 and TM+H Ver
0.3 both appear to use the second pad from the left. The HO+E Ver 0.2 board uses the *FOURTH*
pad from the left. This corresponds to a scanner model 05A00 - the 07A00 all appear to use the
TM+H Ver 0.3 boards.
Here is a picture of the HO+E board with a jumper wire inserted. The purple mark points to the
correct hole (though this may not be true on your board!)