[user@n0.lol ~/em/commtech]

Star Wars Commtech Reader

10/11/16

This weekend I randomly found a Star Wars Commtech Reader at Ocean State Job Lot. It was one of three, still in its original packaging from 1999. Having had one of these as a kid, I really wanted to figure out how it actually worked. I remembered that a bunch of little chips came with Star Wars toys when Episode I came out, and if you put one on the reader, it played quotes from whatever character was on the chip. I had an idea to possibly use it as a device to scan other RFID tags, or even just as a funny case for a project.

After a quick look on the FCC website using the ID printed on the back, I found that it actually operates at 13.56 MHz, the frequency known more commonly today as NFC. A lot of the technical information on the device was listed as confidential, because a lot of patents were still pending for the design company Innovision at the time their FCC license was granted. I did get a blurry picture of the board, which was slightly different from what I had (mainly the chip marked LM5827), even though the board revision number was the same on both.

The reader itself has two built-in sound effects, and has slots for four more sound effects to be stored and replayed later. It came with a chip that had four sound effects (including a thought-provoking monologue from Jar Jar Binks). I was curious as to how the samples themselves were triggered within the reader. A typical application for an RFID reader like this would have an ID programmed into the chip; the reader takes that ID and plays a corresponding sample from an EEPROM. This didn't make sense to me, with the reader having 4 slots to "save" quotes to its memory, but hey, this could be a matter of simply assigning samples to the keys.

Trying to figure out the mystery without any schematic or technical description, I took it apart to have a closer look at the board. As expected, there were some ASICs hidden under epoxy, as well as two chips with absolutely no data sheets online. One of them, labeled CSM04091N, was the big difference between this board and the prototype in the FCC application. The other, marked "311 912", is likely an LM311 voltage comparator, seeing as only 5 of its 8 pins are connected to the board.

I was able to spot two Motorola logic chips, a Quad Input AND Gate and a Quad Input XOR Gate. Seeing these kinds of chips in here was kind of puzzling, as they were near the reader itself, and usually logic functions are done in a microcontroller. JK, this is 1998 we are talking about... They are definitely used in the comparator phase of the reader.

The RFID tag itself was even more opaque (shown above), with just two capacitors, an epoxy glob, and a thin antenna around the entire board. It did, however, include something very useful: two patent numbers!

Jumping on Google, I quickly located the patents related to this technology. What I found was actually a lot more fascinating than I expected. This device is essentially an early form of the NFC technology we use today. It seems that the chips use resonant inductive coupling to receive power from the reader, and can both send data to and receive data from the reader. I even found a block diagram of the RFID chip, and noticed that it included an EEPROM (for storing data) and two binary counters (likely for cycling through addresses in the EEPROM). The specific EEPROM, a 93CL66, is a 4K Microwire serial EEPROM. This would allow it to potentially store some compressed audio to transfer to the reader.

I was actually shocked by this. I didn't expect the actual audio data to be stored on the chip and transferred wirelessly, on a toy from 1999. This same concept is only recently being implemented on a wider scale, in NFC payment systems and file transfers between phones.

The data is transferred from the chips using phase-shift keying. This works by having the tag transmit data as tiny radio pulses that shift the phase of the carrier signal generated by the reader. These small changes are compared against the original carrier, and the differences in phase are converted back into binary. The logic chips help with the comparing and converting, which is why they sit near the transceiver on the board. After the signal is converted to a PWM signal, it is written to RAM, and then further processed and amplified to be played through the speaker. Then, if the user wants to save the audio data, it can be saved to an EEPROM somewhere on the board.

An interesting feature that I see mentioned in the documentation of the Star Wars reader is that there can be "conversations" between chips, with new samples triggered by having two specific chips read one after another. This means that there must be more than just one-way communication from the chip to the reader; there could be some logic programmed in that tells the chip to select a different sample for playback.

So I guess the next step is to scour my parents' house for any chips that I might have forgotten about in the Y2K doomsday fever. I want to maybe decap some of these chips and see if there is any way to read or write the EEPROM on there. It looks like there are potentially some test pads underneath the epoxy for factory programming (who would fabricate a chip with the sole function of playing a Jar Jar Binks quote??), and I want to explore that more. There's also the option of sniffing the PWM output on the XOR chip. I happen to have some Microwire EEPROM chips similar to the 93CL66 that I could potentially use to build my own NFC chip to transfer samples.
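Since the chip's 93CL66 and the closing plan both come down to talking Microwire, here is an added example (not from the original post, and not a driver for any real hardware) showing the 93C66-style instruction framing in Python: a behavioural model of the EEPROM in its x8 organisation (512 bytes, 9 address bits) plus a bit-banging host that issues EWEN, WRITE and READ. The frame layout (start bit 1, a 2-bit opcode, the address, then data) and the dummy 0 that precedes READ data follow the 93C66 family; the model itself is a simplification (no timing, no ready/busy polling after a write) and the device class, function names and sample addresses are this example's own.

```python
"""Constructed model of a 93C66-style Microwire EEPROM plus a bit-banging host.

The EEPROM model is a simplification of the real part: no clock timing, no
ready/busy indication after programming, DO assumed pulled high when idle.
Frames follow the x8 organisation: start bit 1, 2-bit opcode, 9 address bits.
"""

ADDR_BITS = 9              # x8 organisation: 512 bytes, A8..A0
DATA_BITS = 8
OP_EWEN_EWDS, OP_WRITE, OP_READ, OP_ERASE = (0, 0), (0, 1), (1, 0), (1, 1)


def int_to_bits(value, width):
    """MSB-first bit list, the order Microwire shifts data."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


class Microwire93C66:
    """Slave side: decodes one instruction frame per chip-select pulse."""

    def __init__(self):
        self.mem = bytearray([0xFF] * (1 << ADDR_BITS))  # erased state is all ones
        self.cs = 0
        self.write_enabled = False      # powers up write-disabled (EWDS state)
        self._reset_frame()

    def _reset_frame(self):
        self.in_bits = []
        self.out_bits = []
        self.read_addr = None

    def set_cs(self, level):
        """A rising CS edge starts a new instruction frame."""
        if level and not self.cs:
            self._reset_frame()
        self.cs = level

    def clock(self, di):
        """One SK cycle: latch DI on the rising edge, return the level on DO."""
        if not self.cs:
            return 1                                   # DO floats; pull-up assumed
        if self.out_bits:                              # data phase of a READ
            bit = self.out_bits.pop(0)
            if not self.out_bits:                      # sequential read: next byte
                self.read_addr = (self.read_addr + 1) % len(self.mem)
                self.out_bits = int_to_bits(self.mem[self.read_addr], DATA_BITS)
            return bit
        if not self.in_bits and di == 0:
            return 1                                   # zeros before the start bit are ignored
        self.in_bits.append(di)
        header_len = 1 + 2 + ADDR_BITS
        if len(self.in_bits) < header_len:
            return 1
        opcode = (self.in_bits[1], self.in_bits[2])
        addr = bits_to_int(self.in_bits[3:header_len])
        if len(self.in_bits) == header_len:
            if opcode == OP_READ:
                self.read_addr = addr
                # a dummy 0 is shifted out before the first data bit
                self.out_bits = [0] + int_to_bits(self.mem[addr], DATA_BITS)
            elif opcode == OP_EWEN_EWDS:
                # top two address bits select the mode: 11 = EWEN, 00 = EWDS
                self.write_enabled = (addr >> (ADDR_BITS - 2)) == 0b11
            elif opcode == OP_ERASE and self.write_enabled:
                self.mem[addr] = 0xFF
        elif len(self.in_bits) == header_len + DATA_BITS and opcode == OP_WRITE:
            if self.write_enabled:                     # silently ignored otherwise
                self.mem[addr] = bits_to_int(self.in_bits[header_len:])
        return 1


def _send_frame(dev, bits):
    dev.set_cs(1)
    for bit in bits:
        dev.clock(bit)


def mw_read(dev, addr):
    """READ: 1, 10, address; then clock out the dummy 0 and 8 data bits."""
    _send_frame(dev, [1, *OP_READ, *int_to_bits(addr, ADDR_BITS)])
    dummy = dev.clock(0)
    assert dummy == 0, "expected the dummy zero bit before READ data"
    value = bits_to_int([dev.clock(0) for _ in range(DATA_BITS)])
    dev.set_cs(0)
    return value


def mw_write_enable(dev, enable=True):
    """EWEN / EWDS: opcode 00 with the top two address bits 11 or 00."""
    top = [1, 1] if enable else [0, 0]
    _send_frame(dev, [1, *OP_EWEN_EWDS, *top, *[0] * (ADDR_BITS - 2)])
    dev.set_cs(0)


def mw_write(dev, addr, value):
    """WRITE: 1, 01, address, 8 data bits; CS falling edge starts programming."""
    _send_frame(dev, [1, *OP_WRITE, *int_to_bits(addr, ADDR_BITS),
                      *int_to_bits(value, DATA_BITS)])
    dev.set_cs(0)


def demo():
    """Show that writes are dropped until EWEN, then read the bytes back."""
    dev = Microwire93C66()
    mw_write(dev, 0x010, 0x42)           # ignored: chip is write-disabled
    before = mw_read(dev, 0x010)
    mw_write_enable(dev)
    mw_write(dev, 0x010, 0x42)
    mw_write(dev, 0x011, 0x99)
    mw_write_enable(dev, False)
    return before, mw_read(dev, 0x010), mw_read(dev, 0x011)


if __name__ == "__main__":
    print([hex(v) for v in demo()])
```

The write-enable gate is the detail worth keeping in mind when poking at a real part: a host that skips EWEN sees its writes vanish with no error, which looks exactly like a dead chip or a bad probe connection.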