I'm trying to get this Logitech Harmony 900 remote working, but it keeps telling me the battery level is extremely low...
but if I pull out the battery and measure it with my multimeter, it says very clearly that it has 3.7 volts
and the battery does say it's supposed to be 3.7 volts

So that's weird. I figure there's some problem with the contacts, or maybe the remote is just fried internally.
The annoying thing is that it's perfectly happy to be powered off the charger (even with no battery in it), so it's not TOTALLY fried
but the annoying thing is that the way they designed the shape of the charger means that the transmitter is hidden and useless.
if I could stick it on the charger AND use it I'd be fine, I really just need it for testing one TV, but NOPE they made the charger physically disable the remote's one actual function
oh hey, it's got a USB port hidden here.
maybe I can power it from this?
I opened it up. Let's take a look at what we've got on here.
This looks like a CPU! It's an MC9328MX21SVM, that's a Freescale (now NXP) i.MX21 series chip.
It's a 32-bit ARM9 chip, running at up to 266 MHz.
More Freescale. It's an SC13213A, which is a transceiver for the 2.4 GHz Zigbee protocol.
This thing can hook up to external RF blasters, so presumably this is what it uses for that.
This is a Micron D9JVK.
What's that? Well, it's a code: Micron does a stupid thing where they don't print the part number on the thing, but then have a page where you can type in the code and get the part back.
This is actually a MT48H16M32LFCM-75:B.
It's 32 megabytes of RAM.
Hey! Chip on flex! That's always neat to see.
This is a Synaptics part, they're the same people who make those touchpads that are in every laptop... And that's what this does. It runs the touchpad.
What is the chip? I have no idea. Synaptics hates documentation.
This little chip here has very little info on it.
But it's an "LTBG" from Linear Technologies.
Possibly an IR transceiver?
But given Linear's labeling, it could also be a DC converter, ADC, or op-amp.
Check out these test points.
You've got UART, temperature, voltages, and temperature sensing.
And this little chip here is a National Semiconductor VM95AC... I can't find specific results, but it may be an EEPROM?
Here's the other side.
It's got a separate LCD and touch screen, which is interesting.
And it's got two IR diodes here. I think it needs two because this has a learning mode, where you can receive remote codes with it, and it can then replay them later.
The buttons have this little plastic shield over them, with holes for the membrane to poke through.
I'm not sure what the black squares are for...
but they seem to line up with these little diodes here.
are they LEDs? but then why would they cover them? maybe the remote was just Too Bright?
Anyway, time to engage the HAX
And there it goes
I got the software connected, finally.
Fun part: it has laserdisc players in the database, but it puts them under "DVD"
hang on mom, I can't mute my TV right now, my remote is rebooting
something about how they put this in first person really bothers me
I see you said you have the f3809c.
did you mean the f3809b or f3809d?
NOPE
great. I tried both options and they both are "mostly working" but neither is 100%, and neither does the ONE OPTION I wanted.
Interestingly, the Logitech Harmony Remote Software it uses seems to be Java + embedded Firefox.

Seems kinda like they invented Electron, but in 2009
ooh, and it uses ActiveX!
this is getting worse all the time.
ahh, nice.
So it turns out the software doesn't have a list of remote types and such... instead it requests it from the server at search time.
on the one hand, automatic updating!
on the other hand, this thing is THIS CLOSE to being a paperweight.
it's making the requests with Gecko/20060125, aka Firefox 1.0.7, released back in the Bush administration.

I sure hope this thing has proper security precautions or if anyone could man-in-the-middle it, you're forced to use an incredibly old browser.
OH WAIT IT DOESN'T USE HTTPS, IT JUST DOES PLAIN UNENCRYPTED PORT 80
I also like how it doesn't have an API.
it's just a browser. it's just a fucking browser.
this also means that the software doesn't keep any info about what TVs or VCRs or DVD players you have
it's just stored on logitech dot egg
it's actually "myremotesetup .com" which is great because it doesn't mark it as being connected to logitech at all
oh sweet jesus they didn't even configure the homepage
HEY I WONDER WHY LOGIN SCREENS ARE HTTPS?
COULD IT BE SO THAT PEOPLE CAN'T TRIVIALLY SNIFF YOUR PASSWORDS?
oh sweet jesus
let's see if we can steal a firmware image in progress, using wireshark.
I'm not even using the USB debugging, I'm just logging HTTP requests!
the update file is apparently 7 megabytes.
I don't know why it takes 10 minutes to download, then. I have fast internet
oh fuck me, it's SOAP
wait, no, the SOAP is something else.
Nevermind, something on my network is SOAPing about.
it turns out it downloaded 6 files (from a different domain: images.harmonyremote .com)
which add up to 16.6 MB, so either it doesn't actually use them all, or it can't count.
or both.
so it turns out the first two files (which add up to 6.40 MB) are binary, and the other 4?
well, they're a sort of... almost-RPM. They've built some kind of RPM-alike using zip files.
I'm gonna cry

they wrote the UI for this REMOTE CONTROL in flash
yeah I was wondering why this fucker took so long to boot
I wasn't able to get the main app to boot in a browser (it's probably looking for local files I don't have) but there is a vodkatest.swf file that shows it's for testing the touchscreen
Ahh! found the binary that implements flash, in the Region_14 zipfile. it's bin/flash-gf (tfw flash-gf?)

and it mentions /usr/lib/ldqnx.so.2

So this fucker runs QNX!
It's also got lua 5.1 on here. I'm not sure what it does with the lua, I've not seen any lua scripts yet.
here it is, over in Region_12/share/lua/5.1

always nice to see TODO commands in shipped hardware
It's also got a copy of luasocket on here, which is interesting: this doesn't have wifi: why does it need TCP sockets? maybe it does TCP over zwave? or over USB? https://github.com/diegonehab/luasocket
oh, of course.

because it's making HTTP requests to itself.
also nice to see "the following is only used for testing" and then there's no gating on if it's in a test mode.
see copyright notice in license.html... which isn't included.

naughty, naughty.
that's lua expat, which is licensed in a way where this is fine to redistribute:
http://www.keplerproject.org/luaexpat/ 
Here's the icons for devices it can control.
I like the really old-looking laserdisc player, and the TOTALLY NOT A DREAMCAST video game console
I don't know why this image is in the firmware
they left a PSD on the firmware
so I've got all the separate layers here
Some files that look like firmwares, and Region_1 and Region_2, are in a file that seems to be in "ETHANOL" format.
It's some kind of encoded binary but I'm not sure how it works.
the different hardware is named along an alcohol theme (like Vodka, Cognac, Hennessy) so Ethanol makes sense.
so here's a question:
The client downloaded these files:
Region_1.EzHex
Region_2.EzHex
Region_4.EzHex
Region_12.EzHex
Region_14.EzHex
Region_16.EzHex

They're not consecutive... do other files exist on the server?
sadly the answer seems to be "no".
But if you want these images, just append them to this url:
http://images.harmonyremote .com/harmonyremote/patches/61/7_5_0/
and it turns out the related files for the Harmony 1100 remote (Mine's the 900) are here:
http://images.harmonyremote .com/harmonyremote/patches/62/7_6_0/
but that one doesn't have a Region_16, it instead has Region_31
There's a bunch of references in this firmware to something called "ECNET" but I can't find any other references that make sense for that. Maybe some protocol they built on top of zigbee for talking to the IR blasters?
although now that I know what this thing runs... I kinda am wondering about those test points on the PCB.
can I just hook up to those and get a serial terminal?
OH GOOD just before I thought this couldn't get any worse, it turns out that Region_12\bin\data_srv is an HTTPD

yeah, this thing also runs a webserver.
on the remote.
it's got a tool called fqnull which has info about transferring between the two networks (amusingly named "top" and "bottom"), which says that THIS REMOTE IS RUNNING TWO NETWORKS?
hmm, fqinfo says: "usbd-ethanol: transmitting on net-top, receiving on net-bottom"

I wonder if that means I can network into it over USB?
probably. after all, it's running a WEBSERVER
And AH-HA! I suspected this fucker had a flash chip hiding somewhere non-obvious.
It was under the LCD screen on the other side of the PCB.
So it's an STMicroelectronics NAND512R3A, which is a 64 megabyte flash chip
I opened up the cradle to see what's going on in there. The answer: NOT MUCH
so it's got the main PCB which is the "VODKA_CRADLE PA1.3" from 2009-08-27.
Just some resistors and a capacitor
then it's got a little LED here.
Interestingly, this one has a datecode of 2007-10-16.
and hey, it's got a Mysterious Rectangle!
I love me a good Mysterious Rectangle.
Let's pull it out
it is a heavy piece of metal. Yep, it's just a weight.
And over here is the connectory bit.
I like that they labeled the polarity of the charger.

Interesting that there's that circle bit in the middle...
It's just a little magnet.

Hey, maybe it can be friends with the Mysterious Rectangle!
AWW YEAH THEY ARE BEST BUDS NOW
Here's what the terminals look like.
There's no separate spring, they just flex the metal piece.
To make better use of my battery-less remote I've slightly modded the cradle now, so I can use the IR transmitters and USB port while it's powered from the AC adapter
So, place your bets as to how this thing shows up when connected over USB.
Is it some proprietary nonsense?
A serial port?
maybe it's mass storage, and it just copies config files over?
IT'S A NETWORK ADAPTER!
so I was thinking I was gonna have to snoop on the USB protocol to figure out how this thing updates, but nope.
I can just dump the packets it sends!
and yep, just query it using wget.

because it runs a webserver. this thing is so stupid
So it does the data-upload differently, it looks like.
It's sending a JAR file over, possibly encapsulated in another binary stream
but it's just going to a random port (3074) instead of hitting the HTTP endpoint.
yep, it's another pseudo-RPM that's also a JAR file.
I wonder what'd happen if I put some of my own commands in the .preinstall or .postinstall scripts and do my own upload
wait, why haven't I nmapped this yet?
it might just have telnet open
oh sweet banana jesus IT IS
I'm honestly surprised it even asked for a login
And I'm in, thanks to this: https://twitter.com/markrigley/status/1251500359618527232
I should figure out how to compile new code for this thing. it doesn't have GCC on it, but I should be able to copy files over and run them
uname -a says it's running QNX 6.3.2
Despite everything, I'm still me.
I managed (by running "splash" and "reset"?) to get it into a state where it won't boot

which is a problem, because if it won't boot, it won't init USB... so I can't do anything with it. whoops.
I got it working again! don't ask how.
I've also confirmed that you can't just point the flashplayer at Super Mario Twins, it won't work.
Correction:

OH YES YOU CAN!
Sadly that one won't start until you click a button, and my touchscreen is currently not working.

So I found another SWF that autostarts, so here you go!
so to get this to work, you gotta kill the existing flash (use ps -A to find it, then kill), then you do this:

/bin/sh /usr/local/bin/flash.sh -f flashlite-565.so -A2 /usr/local/app/main.swf
you gotta try to run main first, because it has some Turn The Screen On magic in it, otherwise you'll be technically displaying the flash, but without being able to see it
but now I can use my remote to watch Strong Bad draw Trogdor
I like how when you run flash from the command line, it starts spewing lots of tracing from flash.
I think it's parsing XML? in flash?
BTW, I've seen a few people joking (I HOPE) about getting one of these to hack with:
if you do, don't do what I did, and remove the LCD to see if there's a flash chip on the back.
I haven't gotten the touch screen to work since I did that.
I'll have you know this is a perfectly valid way to secure your remote in the cradle and ensure it stays powered
BTW, if you're following this thread but not me, here's the spin-off thread where I'm trying to compile software for it: https://twitter.com/Foone/status/1251668490580226048
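A worked example, added here and not code from the thread or from Logitech: the update packages described above are zip files with .preinstall/.postinstall hook scripts, and the thread wonders what happens if you put your own commands in one and upload it. This script shows both sides of that question: an audit that pulls the hook scripts out of a package (the first thing to read when checking what an update will execute), an attacker rewriting a hook, and the integrity check an installer would need before running any hook. The package layout (hooks at the zip root, payload under bin/ and share/), the sample contents and the HMAC-based check are all assumptions for illustration; the thread does not say whether the real packages are verified at all.

```python
"""Audit a zip-based "pseudo-RPM" update package (added example, not Logitech's code).

Assumptions, not facts from the thread: hook scripts live at the zip root as
.preinstall / .postinstall, and the vendor protects packages with an HMAC over
the whole file. The sample package below is constructed data.
"""
import hashlib
import hmac
import io
import zipfile

HOOK_NAMES = {".preinstall", ".postinstall"}


def build_package(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(files.items()):
            zf.writestr(name, data)
    return buf.getvalue()


def find_hooks(package: bytes) -> dict[str, str]:
    """Return {member_name: script_text} for every install hook in the package.

    These are the files an installer executes, so they are what an auditor
    reads first and what an attacker would want to control.
    """
    hooks = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base in HOOK_NAMES:
                hooks[info.filename] = zf.read(info).decode("utf-8", "replace")
    return hooks


def inject_hook(package: bytes, hook_name: str, script: str) -> bytes:
    """Rebuild the package with an attacker-controlled hook, keeping other members."""
    files = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            files[info.filename] = zf.read(info)
    files[hook_name] = script.encode()
    return build_package(files)


def sign_package(package: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the entire package (hypothetical vendor integrity tag)."""
    return hmac.new(key, package, hashlib.sha256).hexdigest()


def verify_package(package: bytes, key: bytes, tag: str) -> bool:
    """Constant-time tag check; an installer must refuse to run hooks unless this passes."""
    return hmac.compare_digest(sign_package(package, key), tag)


# Constructed sample package, loosely modelled on the Region_12 contents named in the thread.
SAMPLE = build_package({
    ".preinstall": b"#!/bin/sh\necho pre\n",
    ".postinstall": b"#!/bin/sh\necho post\n",
    "bin/data_srv": b"\x7fELF placeholder, not a real binary\n",
    "share/lua/5.1/http.lua": b"-- placeholder lua payload\n",
})
KEY = b"vendor-signing-key-for-this-example"  # assumption: known only to the device


def demo() -> dict:
    """Run the audit end to end and return the observations."""
    tag = sign_package(SAMPLE, KEY)
    tampered = inject_hook(SAMPLE, ".postinstall", "#!/bin/sh\n/bin/telnetd\n")
    return {
        "hooks": sorted(find_hooks(SAMPLE)),
        "tampered_hook": find_hooks(tampered)[".postinstall"],
        "original_verifies": verify_package(SAMPLE, KEY, tag),
        "tampered_verifies": verify_package(tampered, KEY, tag),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the pairing is that the hook extraction alone is enough for an attacker if the device runs whatever is inside the zip; only a check that covers the whole package before any hook runs, with a key the uploader does not have, turns the injected hook into a rejected upload. Where the device's real packages sit on that line is exactly what the thread leaves open.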