I acquired the Trivial Pursuit – Digital Choice Edition game at a local target for 10$. It’s an interesting little device, with an b&w LCD display, usb out, 16mb internal storage, and the ability to download or create your own questions… on windows only (ouch).. Turns out it’s an interesting device. Here’s what I’ve been able to find out so far.
Plugging it into my spare linux box (trusty old ps3…) I found that the device is recognized, but the partition is not. As it’s only a 16mb partition, it shouldn’t be hard to get a good image. I first copied it straight to a file with sudo dd if=/dev/sdb of=/home/hunter/Desktop/trivp.img
I began to browse the interface on the device itself. It begins with a scrolling Trivial Pursuit image, and 2 options, ‘instant play’ and ‘choose and play’. ‘choose and play’ apparently requires registration through the software at www.mytpchoice.com. Might be interesting to see how they package their question format, but first I’ll make an existing device image.
The questions are divided by category ala trivial pursuit the regular game. Selecting a history question, I get “What Beijing locale spent 12 cents per was to remove 600,000 wads of gum in 2002″. Beijing is a pretty unique character sequence, so later on I may search for in the image. Opening the image as a binary in vi with vi -b trivp.img showed a sig in the first line, SITRONIXTM. This is the same “fake usb storage” controller used on many lcd photo frames with windows-only drivers. There’s a linux program here to retrieve the images, I’ll use this as the basis for my interaction with the device.
First you’ll want to load up the tp device as a block device, so we’ll add a sitronix system group withaddgroup --system sitronix, then add your user and root to that group. You may want to have udev-extras installed. We’ll need to find the usb vendor and product id for the udev rule, so run lsusb. My output looked like
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 004: ID 3078:c081
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
So the vendor id is 3078 and the product id is c081. Add the following line to /etc/udev/rules.d/10-personal-rules.rules, allowing us to mount it as a direct block device
KERNEL=="sd*[!0-9]", SYSFS{idVendor}=="3078", SYSFS{idProduct}=="c081", SYMLINK+="sitronix", BUS=="usb", NAME="sit_%k", MODE:="0660", GROUP:="sitronix" You may also need to “sudo modprobe visor” to ensure the rules directory is being watched. Make sure the block device is created with an
ls -al /dev/sit*Mine looked like:
brw-rw---- 1 root sitronix 8, 16 2009-10-10 13:19 /dev/sit_sdb
Now that I knew I had direct block access, I began to look through the image file in a hex editor. At 008fed83, I found H.a.s.b.r.o. .T.r.i.v.i.a.l. .P.u.r.s.u.i.t. .T.r.i.v.i.a.l. .P.u.r.s.u.i.t..$.......Trivial Pursuit 0.01..........SITRONIXTM then a bit later TP_GAME. It also looks like there are a lot of ‘<' and '>‘ characters, probably some XML-like structure. The above blocks are repeated many, many times, so I assume they are the individual question structure. It appears that SITRONIXTM is the begining of question structure, and the H.a.s.b.r.o. is the end, then it repeats to another block.
From here I copied the first block to a file called question1(from 00000027 to 00007e24). This is a bit easier to work with. I then copy out the second block to a file called question2header (from 00007e24 to 0000BE20). Doing a diff on question1 and question2header revealed the “meat” of the question, a encrypted or compressed bunch of bytes. From here, I’ll load up the windows application, and start to do some reverse engineering if possible.
After loading up the windows application, you plug in the device and it downloads all the questions from the device to your pc. Then it does an “updating your handheld”, whatever that means. A subsequent dd of the block device shows no changes from the previous image. The questions and corresponding keys (encryption keys? answer keys?) are stored in Application DataHasbroTrivial Pursuit ChoiceMy Questions and your custom questions are stored (separately) in a folder under that. This is interesting, and may afford us some codebreaking opportunities later.
From error messages, we can deduce category names may be 12 characters total. The combined length of a question and answer together may not be more than 160 characters. This is great, as it tells us that they are using a fixed question size on the device, and there will be some padding (later confirmed). This will simplify things some. First I created a category called aaaaaaaaaaa. I chose 11 because it’s a nice odd numbered prime. A file named aaaaaaaaaaa_(myserialnumber).tpc then appeared in the application data, containing Wild|My Questions|aaaaaaaaaaaa|en-US|0|1.0. Next I rebooted into linux to check if the block device had changed. This will tell us if categories are stored in some internal rom or on the fs. The md5 sum remains the same, which means it’s stored not on the block device. Unfortunately, this will preclude any linux client until we snoop the file mapped io commands the windows usb client is sending. On the other hand, we can still get a lot of useful info and perhaps determine the file format and file compression scheme. This would allow windows users to share question libraries between each other and facilitate free online question libraries. Hasbro doesn’t seem to be making any progress on this front so we may need to do it ourselves, as usual.
In the windows interface I wanted to see what types of questions were allowed in the database. Once you have added custom questions through the software interface, they are selectable as categories/questions in the menu selection on the device itself. A 41-character word does not freak it out, nor does a repeating of 50 words. All quotes seems to corrupt its algorithm and appears to reset the question file in windows, but did not transfer to the device. I next created a question 1111 answer 2222. This added a line to the aaaaa.tpc category file. Then I deleted that question, and made another question 2222 answer 1111. A diff comparision should tell us if the encryption/compression algorithm is performed over the question/answer as a pair or one at at time.
The diff is telling. There is a definite eof sequence. It also appears that there may be a symbol table stored alphabetically immediately before the eof sequence, as switching 1111-2222 to 2222-1111 produces the same last set of bytes but switching 3333-4444 does not. A quick matrix of the hex section shows patterns begin to appear (bad news for crypto).
1111/2222 = 36 E2 91 6D 7E CB 9D D3 1A AB D3 CE A4 84 BA 69
1111/3333 = 17 1D D5 76 A2 76 51 51 EB 9B 40 F8 ED B4 F9 C7
2222/1111 = CF 11 FA A5 2C 87 8B E1 1A AB D3 CE A4 84 BA 69
2222/3333 = 3C 79 EA 96 49 B8 47 6C EB 9B 40 F8 ED B4 F9 C7
3333/4444 = A0 C9 ED B1 2F 80 59 DB 85 C6 DF 16 DC 5A C9 33
4444/3333 = 7F 5C 6B AE C6 CD 1B 17 EB 9B 40 F8 ED B4 F9 C7
Already you can see that when 3333 is the highest number in a set, the last 16 bytes are always the same. Likewise when 2222 is the highest number in a set, the last 16 bytes are the same. This does not hold true for the 4444 case. This may be a boundary case in the mapping, so I make note of it and continue data collection. Once I’ve created enough pairs of varying sizes and frequencies, I’ll do another post about what I can find out about the compression. If anyone else is interested in this, post up your findings etc and we can get some data, check if the compression is standard across devices, etc.
Nooo! You must dedicated more time to the ZipIt!!! lol
Nice work, yet again!
hunter,
I bought a couple from target. I am now trying to figure how to dissemble it without breaking it.
Don,
Haven’t gotten one apart myself, looks like it requires a torx screwdriver. I am curious if the clear plastic is necessary to hold the buttons on or if it is just to make it easier to hold. Good Luck!
Hunter,
Monochrome + AAA batteries + USB + 16MB = interesting device.
Torx it is (T-10H worked for me). Clear plastic w/ the screws act as holder/fulcrum for both the top corner silver buttons.
After removing the clear plastic shell, next is the black shell(one battery screw and four corner screws hidden under black rubber stoppers). Philips will do for this round.
The board is a simple affair with a jumble of wires. I could not read the chip markings. My sight is failing me. USB connector is on a small break-out board. I will try to post some hi-res pics somewhere, this weekend.
Thanks for finding and sharing good things.
Hey Don,
Some high-res photos would be cool. Thanks for the good info! I am actually thinking the device has about 48mb of space on it, but only 16mb is addressable as a block device. Good to know the plastic case is actually doing something
Happy Hacking!
Friends/Hunter,
I just bought this Radica IM Me Wireless Handheld(Mattel).
. I bought 4 of them and am waiting for them.
I think there is a lot of potential for this little 2-way RF-wireless device(currently 12.50$ at amazon). It is pink but you can paint it black
It comes with a RF-USB for the PC. If we understand the closed-IM-protocol this one uses, it could be used for home automation, wireless Media control/display etc.
On second thought, if the device(Radica IM) is just a dumb terminal which only converts the RF signal into text and vice-versa, our job will be easier. (I suspect that it is so. That the IM-protocol is entirely handled by the PC client)
I like simple low-tech.
Hey Don,
That is quite an interesting device. I just picked one up on amazon as a filler for the 25 free ship requirement
Good find, I’d be interested to know anything you find out about it!
Hunter – I sent you an e-mail about some zipit stuff. I’ve been working on compiling all your various pages of instructions and all the comments into one straightforward guide for newbies and I’d like your opinion on the matter.
I sent the email to a yahoo address. If you don’t normally check it, please do and let me know.
Thanks in advance,
-Red
Hey Red,
Nice site! Very well organized. There are a couple of other folks who have reproduced the info as well, and I encourage all to re-post to SF so it’s easy to find. I consider all the information and source I post up as gpl anyway, so feel free to reproduce with attrib.
About the linux install, yeah dd will work for the disk writing. Just make sure you’ve doing it as root or with root permissions. Good Luck and nice guide!
Thanks so much for the quick response and the go ahead to continue! I’ve got a lot of work ahead to get everything together. I wanted it to be something like the beginner’s guide to arch, where everything is laid out, so I’m slowly figuring out what my sections will be like and how to organize stuff.
I’m glad the dd concept works out. I’m nearly done with the base install directions, so I feel better about moving on to things like wireless and drivers and such.
Take care, and I’m sure I’ll be back with more questions in the near future.
-Red
Sorry I’m posting Zipit stuff here, but it’s the most recent blog entry –
I’ve been fiddling with battery info, and there’s a super-simple way to get a battery monitor working for the Zipit Z2.
1. Install apmd, it’s not installed by default, although there is an apm entry in /proc
2. Once apm is installed, you can type apm for a text reading of battery level.
3. Install xbattbar and add it to your fluxbox startup script
xbattbar will display a bar of variable thickness on any side of your display showing battery level remaining and if charging or not. You can customize it by changing the parameters in the startup command, a list of those parameters can be found here:
http://www.digipedia.pl/man/view/doc/xbattbar.1x.html
if you hover the mouse over the bar, you’ll get the verbose output of apm in a little window at the center of your screen!
This was one of my major pet peeves, it’s nice to have a graphical battery monitor now!
I’ll be looking into using apm for power management in the future. I wonder if suspend/resume is possible…
Cheers!
I enjoy reading your blog. I hope you will keep posting for a long time.
Thanks Reverse Phone Lookup, you know for a spambot you’re very polite.
I was wondering if you ever got to your ‘Hacking the Trivial Pursuit – Digital Choice PT 2′?
I see that the question files are in the appdata folder and was wondering if you had managed to decrypt the question files? There seems to be a ‘key’ file with each ‘tpc’ file.
I have contacted Hasbro to ask if they have a mass import tool for custom questions. No reply yet.
Best of luck.
Paul
Hey Paul,
Nah, sure didn’t. Hadn’t received a lot of response on this hack honestly, figured I’d put it off while I make some headway on the ‘to-hack’ pile that’s ever-growing in my bedroom. As I had posted in the article, I do think the encryption shouldn’t be too hard to figure out (probably a lzma+serial key munging), but haven’t spent any time on it. If you’re interested too I’ll add it back on the ‘to-hack’ list and see if I can dig out my old spreadsheet data and generate some more useful key info. Good Luck!
Hunter,
thanks for replying. I have no skills in this area but I no someone who does. He always likes a challenge when he is re-writing other programmers games.
May take some time tho.
Thanks again
Paul
Hey Paul,
I’d be interested to know what you guys come up with. Good luck!
Great article! It’s often hard to find such well put together information that makes sense!
The design of your blog makes me to be with it always. Besides it is very informative. Thanks!
I just got one of these things and I’m very interested in getting some software to manage the questions for a Linux system. I’m not a hacking expert, but I wonder if there’s anything I can do to help.
Hey Sorceror,
Last I tried, I think I was able to get their software to run in linux under wine… but couldn’t transfer any questions over usb. Haven’t spent any more time trying to reverse engineer the device, nor have I seen any for sale of late… I am wondering if they stopped manufacturing them? Anyway, if I come across one I’ll try and pick up where I left off. Good luck!
They probably have stopped manufacturing them. I got mine for AUD $20 at a $2 shop
I got almost as far as you did in this article with my own research. I was also able to run the app in Wine without issue … except it refuses to detect the USB device
Hey Sorcerer,
Nice buy! I don’t think they were very popular. Board games tend to sit on shelves and batteries die etc etc. Shame it didn’t work with wine. Also a shame you can’t load the driver in ntldr, as I’m sure it’s serial communication and not thaaaat different from a wifi card. There’s always virtual machines bleh. Good luck!
Hi,
We got given this as a gift, and the hubby downloaded the questions about two years ago and neglected to record the username and password for future reference. What the heck do we do? Does anyone have any solutions to this? I have simple old Windows Vista, and hubby has Mac. I would love to just update the questions, but can’t get into the account which I think is really DUMB.
I don’t know who is dumber, the manufacturer of a toy that requires username and password, or the toy user who just randomly expects that usernames and passwords never get forgotten…. >:@
Hey Grace,
That is quite the sticky situation. Their site doesn’t list any way to reset the username. Is there a red ‘reset’ button below the battery compartment or hiding anywhere on the outside of the unit, maybe a small depression under a sticker? You’ll probably have to end up calling Hasbro’s customer service number at http://www.hasbro.com/customer-service/phone-directory.cfm , they’ll probably walk you some weird combination that resets the device (I’ve had a device that reset only when the batterys were removed while you were holding down the shoulder buttons… weird stuff). Good luck!
Hunter, Paul,
Did either of you ever get around to actually working out how the custom question files are stored?
I was going to write a program to make the files since the UI on the “My Questions” feature is irritating to use for any significant amount of time and I thought I’d look around the internet to see if anyone else had bothered to work out the file format for me before I started.
Let me know if either of you ever found anything, otherwise I’ll post back here when I’m done playing with it.
I don’t know if you still have your TPDC handset or if you still have any interest in the keeping it on your “stuff to play with” list, but I thought I’d post some preliminary findings related to the .tpc files.
Your Q/A Pair Matrix:
1111/2222 = 36 E2 91 6D 7E CB 9D D3 1A AB D3 CE A4 84 BA 69
1111/3333 = 17 1D D5 76 A2 76 51 51 EB 9B 40 F8 ED B4 F9 C7
2222/1111 = CF 11 FA A5 2C 87 8B E1 1A AB D3 CE A4 84 BA 69
2222/3333 = 3C 79 EA 96 49 B8 47 6C EB 9B 40 F8 ED B4 F9 C7
3333/4444 = A0 C9 ED B1 2F 80 59 DB 85 C6 DF 16 DC 5A C9 33
4444/3333 = 7F 5C 6B AE C6 CD 1B 17 EB 9B 40 F8 ED B4 F9 C7
My Q/A Pair Matrix:
1111/2222 = CF 1F EA D7 4E 2F 53 F4 B6 41 43 5E 5E 2F C0 8F
1111/3333 = 00 DD DC 48 F9 31 97 1F 1C 84 84 2E 6C 74 E5 1B
2222/1111 = 0F AE 1C 55 AB 7B F9 EF 5B 07 B6 29 48 A0 BA 2E
2222/3333 = 9A 17 C8 49 BA 74 01 04 1C 84 84 2E 6C 74 E5 1B
3333/4444 = 41 CD 76 03 2E 40 3B A5 2C 86 BA 7C E0 11 ED FC
4444/3333 = 0C 4E 74 0C 63 88 27 28 1C 84 84 2E 6C 74 E5 1B
Generating the same question/answer pairs in a category of the same name “aaaaaaaaaa” produced not only different results, but a different pattern as my 1111/2222 pair did not present the same footer as my 2222/1111 (I triple tested that those numbers are right, to make sure it wasn’t an error on my part causing the discrepancy). The same pattern
Also it would appear that the changing the header doesn’t invalidate the file, even upon relaunching the TPDG (OEM App), so the footer must not be validating the header. In fact, changing the header in mine to “Science & Nature|My Questiots|aaaaaaaaaa|en-US|0|1.0″ still shows my type as “Wild” and Category as “My Questions” despite that not being what the tpc file contains. Viewing the custom questions has no effect on the file, however any modification of the questions in TPDG resets the header back to “Wild|My Questions|whatever”. Modifying the sub-category from “aaaaaaaaaa” to “abaaaaaaaa” does however cause TPDG (only upon application relaunch) to correctly display “abaaaaaaaa”, TPDG will leave the sub-category name alone and it remains “abaaaaaaaa” through further modifications of questions in TPDG. Modifying the sub-category name still produces the same question/answer set data and footer data, so the footer data neither validates or uses the header data. I have not tried modifying “en-US|0|1.0″ in the header, but I expect the same results would present.
It also looks like the number after the underscore isn’t the serial number. Creating different categories has given me “_701933375″, “_698983703″, and “_705509234″ on the same CP with the same handset in the same session. It appears to be category name independent too, creating the category “mycat2″, deleting it and recreating it game me “mycat2_705509234.tpc” and then “mycat2_705598015.tpc”. Further looking into it shows that the number after the underscore is system uptime in milliseconds. Three created categories in succession give me “1_705658140.tpc”, “2_705660656.tpc”, “3_705670984.tpc”; my system uptime by the time I remembered the command to check it was 8 days, 4 hours, 5 minutes and 45 seconds (705945000 miliseconds).
Part of another test I started: (Shown is all data from 0×29 [begining of first question] until eof in a category with only the one question, the eof sequence is included in the listed data)
Using only the number 1 in the questions and answers it would appear that:
1) There isn’t a symbol table, or it’s compressed in with something else, since none of the end data contains a commonly seen chunk (14 – 16 appear to support this, though nothing in here explicitly disproves it in an absolute sense)
2) It would appear that things are compressed/expanded to make the pair have a length that is a multiple of 8. Not sure how, but sample 1 below contains less than 1 byte per character assuming that the EoF sig is 8 bytes
3) It would appear than, in Qs, a run of eight ones (if started from a character position that is a multiple of 8) encodes as 97C8872B205FFD10 irrespective of what is after it or the answer.
4) It follows that the same run of 8 eight characters, if started from a character position that is a multiptle of 8, always encodes the same way irrespective of what is before it, after it or in the answer. (Supported by sample 11)
5) It would also appear that not every single chacter effects the EoF sig, but the combined (Q + A) character count certainly does.
5-Note) Obviously characters do effect the EoF to some degree, since all of the matrix values above are the same combined length but different EoF sigs
6) I think that the EoF sig is generated (at least in part, serial number or timestamp in category head might seed. Is it a hash? Checksum? A CRC would be irritating.) from the final character of the answer and the combined pair length MOD 8. This would fit all of the data I see below as well as my data matrix above. Is it possible you have your EoF sig wrong for either your 2222/1111 pair or your 1111/2222 pair? If you did it would fit your data as well.
Anyway, I’m done playing with this for today. Lemme know if you have any thoughts or insight.
-| Sample 1
Q: 1111111111111111111111111111111111111111111111111111111111111111 (64 1s)
A: 1111 (4 1s)
Q/A: (64 bytes for 68 characters, ~7.5 bits per character, some are in the footer? It’s compressed?)
1| 97C8872B205FFD10
2| 97C8872B205FFD10
3| 97C8872B205FFD10
4| 97C8872B205FFD10
5| 97C8872B205FFD10
6| 97C8872B205FFD10
7| 97C8872B205FFD10
8| 97C8872B205FFD10
9| 0E12 7AA7 100F 1BC5 (Matches samples 1 & 3)
-| Sample 2
Q: 1111111111111111111111111111111111111111111111111111111111111111 (64 1s)
A: 11111111 (8 1s)
Q: (72 bytes for 72 characters, 8 bits per character)
1| 97C8872B205FFD10
2| 97C8872B205FFD10
3| 97C8872B205FFD10
4| 97C8872B205FFD10
5| 97C8872B205FFD10
6| 97C8872B205FFD10
7| 97C8872B205FFD10
8| 97C8872B205FFD10
9| C8F36C7611E522D8 (Matches sample 6 & 7)
10|5B07B62948A0BA2E (Matches sample 6 & 7)
-| Sample 3
Q: 11111111111111111111111111111111 (32 1s)
A: 1111 (4 1s)
1| 97C8872B205FFD10
2| 97C8872B205FFD10
3| 97C8872B205FFD10
4| 97C8872B205FFD10
5| 0E127AA7100F1BC5 (Matches samples 1 & 3)
-| Sample 4
Q: 11111111111111111111111111111111 (32 1s)
A: 111 (3 1s)
1| 97C8872B205FFD10
2| 97C8872B205FFD10
3| 97C8872B205FFD10
4| 97C8872B205FFD10
5| 7752CDBD5DCCDED9
-| Sample 5
Q: 111111111111111111111111 (24 1s)
A: 1111 (4 1s)
1| 97C8872B205FFD10
2| 97C8872B205FFD10
3| 97C8872B205FFD10
4| 0E127AA7100F1BC5 (Matches samples 1 & 3)
-| Sample 6
Q: 111111111111111111111111 (24 1s)
A: 11111111 (8 1s)
1| 97C8872B205FFD10
2| 97C8872B205FFD10
3| 97C8872B205FFD10
4| C8F36C7611E522D8 (Matches sample 2 & 7)
5| 5B07B62948A0BA2E (Matches sample 2 & 7)
-| Sample 7
Q: 11111111 (8 1s)
A: 11111111 (8 1s)
1| 97C8872B205FFD10
2| C8F36C7611E522D8 (Matches sample 6 & 2)
3| 5B07B62948A0BA2E (Matches sample 6 & 2)
-| Sample 8
Q: 11111111 (8 1s)
A: BBBBBBBB (8 Bs)
1| 97C8872B205FFD10
2| 59DDF12F289C3462
3| 6235D2AFDCE0B600
-| Sample 9
Q: 11111111BBBBBBBB (8 1s followed by 8 Bs)
A: BBBBBBBB (8 Bs)
1| 97C8872B205FFD10
2| DA2AF85F6D06E620
3| 59DDF12F289C3462
4| 6235D2AFDCE0B600
-| Sample 10
Q: BBBB11111111BBBB
A: BBBBBBBB
1| 28B25946A2230672
2| 7D253E96E264B4D6
3| 59DDF12F289C3462
4| 6235D2AFDCE0B600
-| Sample 11
Q: BBBB1111BBBB1111
A: BBBBBBBB
1| 28B25946A2230672
2| 28B25946A2230672
3| 59DDF12F289C3462
4| 6235D2AFDCE0B600
-| Sample 12
Q: BB11BB11BB11BB11
A: BBBBBBBB
1| 3CFBB8923290BDDE
2| 3CFBB8923290BDDE
3| 59DDF12F289C3462
4| 6235D2AFDCE0B600
-| Sample 13
Q: B1B1B1B1B1B1B1B1
A: BBBBBBBB
1| F3614D8F4107BB7C
2| F3614D8F4107BB7C
3| 59DDF12F289C3462
4| 6235D2AFDCE0B600
-| Sample 14
Q: BBBBBBBBBBBBBBBB
A: BBBBBBBB
1| DA2AF85F6D06E620
2| DA2AF85F6D06E620
3| 59DDF12F289C3462
4| 6235D2AFDCE0B600
-| Sample 15
Q: 1234567812345678
A: BBBBBBBB
1| 522A278656685775
2| 522A278656685775
3| 59DDF12F289C3462
4| 6235D2AFDCE0B600
-| Sample 16
Q: 1234567890acJ(?3
A: BBBBBBBB (B x 8)
1| 522A278656685775
2| 17706F46A1A66382
3| 59DDF12F289C3462
4| 6235D2AFDCE0B600
-| Sample 17
Q: 1234567890acJ(?32
A: BBBBBBBB (B x 8)
1| 522A278656685775
2| 17706F46A1A66382
3| 75F68CF3925D06E8
4| ACAACF828A91E947
-| Sample 18
Q: 1234567890acJ(?32
A: BBBBBBB (B x 7)
1| 522A278656685775
2| 17706F46A1A66382
3| 75F68CF3925D06E8
4| 6235D2AFDCE0B600
-| Sample 19
Q: 1234567890acJ(?32
A: BBBB1BB
1| 522A278656685775
2| 17706F46A1A66382
3| 678A0C8A14DE10EF
4| 6235D2AFDCE0B600
-| Sample 20
Q: 1234567890acJ(?32
A: 1BBB1BB
1| 522A278656685775
2| 17706F46A1A66382
3| 92F43891828AD10A
4| 6235D2AFDCE0B600
-| Sample 21
Q: 1234567890acJ(?32
A: 1BBB1B1
1| 522A278656685775
2| 17706F46A1A66382
3| 92F43891828AD10A
4| 5B07B62948A0BA2E
-| Sample 22
Q: 1234567890acJ(?32
A: 1BBB1B1???????B
1| 522A278656685775
2| 17706F46A1A66382
3| 92F43891828AD10A
4| C03F9879E2C8EA54
5| 6235D2AFDCE0B600
-| Sample 23
Q: 1234567890acJ(?32
A: 1BBB1B1???????1
1| 522A278656685775
2| 17706F46A1A66382
3| 92F43891828AD10A
4| C03F9879E2C8EA54
5| 5B07B62948A0BA2E
Hey 2tm,
Fantastic work! It’s quite possible I mis-copied or mistyped my 1111/2222 pair. I had given my last couple of TP’s away previous to the last Hackaway, so I don’t have one handy to regenerate.
I’d guess the system uptime is being used as an easy way to correctly order categories by last-used. This makes sense as any hashing algorithm they are using clearly doesn’t keep numerical ordering post hash.
Likewise requiring a pairwise length multiple of 8 makes me think their decrypt is either doing a shift-mod or is being munged with a set key of known length.
Very interesting stuff so far! It’s quite impressive the things a comparative hashing will bring to light. Thanks for posting! Good luck moving forward, I see good things coming from this
This device is currently being sold all over the US for around $8.00 in chains like Half-Price Books, Ollies, etc…
The problem is, I can’t even find the original software so I can write my own trivia question. The reason I’d really like to see some sort of new interface made is because it is so cheap, and because the machine has a lot of potential for party games beyond the usual TP question and answer. First off, you could make a catagory truth of dare only randomly generated, and if someone passes, you reveal the punishment (or opposite action) – you can continue this sort of theme with charades, etc…
So please, keep this going, for $8.00 – it’s well worth what can possibly be done with it.
I’d love to see the software for it do, and cant find it on the hasbro site.
Can you help me install the original software? When I first got mine somehow the OS got corrupted and we never even got to use it…? Thanks!
Still haven’t found anyone who kept a disk sadly.