The Blog Behind the Myth

Hello everyone.

I created a pretty extensive document so far on the breakdown of how the Ubisoft Battletag system works, it’s internal components and gathered a ton of resources for the hardware / software so far. I am putting it up now for public consumption, and will have to sort through the resources I gathered and upload those as well.

The more people we have that are interested in this, the more people that can help.

The last bit that is the major roadblock is the Hex Code which is how the game code interacts with the physical hardware, how the lights on the gun work, how much health you have etc.

—

Ubisoft Battle Tag RFID.

(Adding this as a note.)

Found the actual specs on the FCC testing reports.

There were 2 documents one for the “laser” section, testing the infrared.

And the second was testing the RFID, which said it was 13.56MHz!

Ding, big clue. Not the 125 KHz low frequency cards, it was using the 13.56MHz High frequency cards.

Yeah it seems like it is reversed, you might think 125 KILO HERTZ is Low? Yes, we’re so used to thinking in Kilobytes and Megabytes that we don’t remember that MHz in Radio waves is the distance between peaks, so at 13.56MHz the distance between peaks is much much shorter than at 125Khz.

That is why FM radio is in MHz and AM is in KHz. AM (KHz) travels much farther like Bass travels greater distances, as opposed to Treble (MHz) which drops off quickly because of the tighter peaks.

13.56MHz rfid can transmit data at a much higher rate as well.

( 125 Khz / 13.56 Mhz)

1. Range : Less(few cms) / More (around 1 Meter)

2.Technology: Vicinity coupling / Near field coupling

3.Antenna : Quite large / Compact

4. Use : Limited /Wide applications

5. Cost : Cheaper / Some what costlier than 125Khz

The 13.56MHz rfid cards/chipsets are actually used for NFC (that newfangled payment method, or if you remember or use one that “speedpass” for Mobile) (Though the “speedpass” is encrypted, which mostly can only be done on the 13.56MHz rfid chips, there are ways for 125KHz chips to be encrypted as with the basic encryption that the tags for animals have)

The danger with using 125KHz rfid with payment information is the distance, since the frequency is higher you need a larger antenna because the waves drop off faster than 13.56MHz and it’s slower dropoff. If you used a HF 125KHz chip with personal information on it, you could use a higher powered small antenna (palm of your hand setup) to scan tons of people’s information and decrypt it later on.

Now with that out of the way on to the good part.

Progress: Leaps and bounds!!

Rfid scanner came in the mail today 4/18/2012.

Got home scanned the bases #1,#2,ammo(2count), ammo (4count), and the T-blaster.

Altered and tested the code.

Created Base #3, #4, medkit #1, medkit #2.

Tested with T-blasters. (55)

Holy Crap it Works!

It was simple enough to deduce what the code would be for base #3 and #4 from the following.

Base #1 (red)= 50 00 00 03

Base #2 (blue) = 51 00 00 03

Ammo (2 count) = 40 00 00 03

Ammo (4 count) = 41 00 00 03

My choices would be, maybe the med kits are 60 and 61? 70 / 71?

But after trying 52 and 53 for base #3 and base #4 that pointed to the medkits being in-line with the ammo packs.

Medkit #1 is 52 and Medkit #2 is 53!

Here are the actual card scans, I read from Base #1 and Base #2, and since I have 4 bases of each type I though…

Well I might as well see if I can actually rewrite one of these.

Needless to say I was able to re-write the bases.

(taking care that I labled them and wrote down their original code along with saving formatted backups of each first)

=======================

Un-written #1Serial: 8025A2C15EBE04

00 01 02 03 first section is part of the serial, underlined.

04 BE 5E 6C

C1 A2 25 80

C6 48 00 00

00 00 00 00

FF FF FF FF data starts after this

00 00 00 00 like a header.

50 00 00 03 sparkly bits that show what the id is (50 in this case means Base #1)

00 00 00 00 garbage bits, the rest of the “card” is empty past this point.

00 00 00 00

=============================

Un-written Base#2(blue) used to write the #1 below.

Serial8425A2B913DA04

00 01 02 03

04 DA 13 45

B9 A2 25 84

BA 38 00 00

00 00 00 00

FF FF FF FF

00 00 00 00

51 00 00 03

00 00 00 00

=======================

Re-written #1Serial: 8025A2C1254D04

00 01 02 03

04 4D 25 E4

C1 A2 25 80

C6 48 00 00

00 00 00 00

FF FF FF FF

00 00 00 00

51 00 00 03

00 00 00 00

(It scanned as if it were Base #2 (blue) !!!!)

================

So I grabbed extra ammo 2 counts and re wrote those from:

ammo 4 count

40 00 00 03

ammo 2 count

41 00 00 03

To:

42 00 00 03

and

43 00 00 03

Loaded up the game with 4 controllers, team deathmatch all bases and medkit/ammo packs.

One gun on each team, started shooting and scanning medkits and respawn bases at Base #3(yellow) and Base #4(green)!

Test works perfectly.

Then I just re-wrote the bases and ammo packs back to original code. Test with the scanner again, works fine

====================

So with this information, I need to get Mifare UL (13.56MHz) cards (that is the type of card that the bases actually are)

I tried to re-write the 4 cards I got (Mifare 1k, and Mifare 4k) with the code from the bases but it didn’t work.

Well my next “shipment” comes in Friday with a different chipset of Rfid scanner, arduino, and several types of rfid cards.

So the testing and more fun to be had!

=====================

Next up Game Decoding/Coding in LUA.

Btw if you haven’t checked out LUA seriously it is free and small (my download was about 25 mb!)

I’m using the SciTE program as a viewer/ coder.

http://www.scintilla.org

Lua is available for free

http://www.lua.org/

http://code.google.com/p/luaforwindows/

=======================

I’ll post more about some of the code.

A little more on the hardware I’ve found.

The Ubiconnect base station.

At first glance it isn’t terribly impressive.

It has a USB cable going to it and an obvious target (you have to shoot it during the tutorial)

a few led’s that light up, and no speaker.

I opened it up and checked out the cheaaaap antenna they made (but it works with the sub 1ghz formula (you don’t need more than 7 inches when its 900MHz fat!)

I looked up the small chip that was onboard, well it was the Largest chip but it is only about 5mm x 5mm.

It is a really impressive piece of hardware I have to say!

Texas Instruments C1111-F32

http://www.ti.com/product/cc1111f32

Handles 500Kbps bi-directional wifi.

USB 2.0 plus all the below information.

CC1111F32

Frequency (Min) 300MHz, 391MHz, 782MHz

Frequency (Max) 348MHz, 464MHz,928MHz

Device Type System-on-Chip

Flash size (KB) 32

RAM size (KB) 4

Data Rate (Max) (kbps) 500

Operating Voltage (Min) (V) 3

Operating Voltage (Max) (V) 3.6

RX Current (Lowest) (mA) 16.2

Standby Current (uA) 0.3

Wakeup Time (PD–>RX/TX) (uS) 330

Modulation Techniques 2-FSK, GFSK, MSK, OOK, ASK

Sensitivity (Best) (dBm) -112

TX Power (Max) (dBm) 10

Programmable Output Power Ranging From (dBm) -30 to 10

Antenna Connection Differential

After seeing the above specs, I was really impressed, not to mention it made perfect sense why it can just be powered over USB with min and max voltage hanging around the 3-3.6 volt range. (USB pushes about 5volts max roughly, yeah I know there are some “high powered” usb ports that can push 12volts, but you’ve seen how slow your phone charges on the computer rather than plugged into the wall….5volts nuff said)

So I was looking into that chip more thoroughly because I want to use a higher gain antenna on it.

I needed to know what the current dB was, what the current sensitivity in dBm was, max TX power dBm and voltages.

I don’t want to fry the chip by pushing a +90dB antenna with it.

Though that does sound awesome

(Ok so, I know I’m not going to be amplifying it through the onboard equipment, I’m essentially going to be powering the antenna off another usb port..if I get a powered antenna.)

With that said, I do have a couple smaller dB antennas lying around that I need to do some simple modification to….aka cutting the fitting off of the end and soldering 2 wires to the existing antenna.

And then range testing and power testing with applications.

Not like I don’t have 4 bases…soon to have 6 total bases available.

(and interesting enough in 2008 Wireless USB started coming out, which might be harder to find but might also be an option)

http://www.gefen.com/pdf/EXT-WUSB-4PIC.pdf

Projects from here.

1.Analyze the LUA code further. (I’ve already altered my code to skip the tutorial, and remove the intro video)

2.Figure out the hardware Hex code and how it compares to the LUA code (LUA Byte code and Lua code)

3.Try to develop a game mode not already in the game.

4. Create new LUA code for the game pages (the software is like a web browser, each page calls a different LUA code like how html can call CSS and javascript documents) (BTW this is sooo cool, and extremely easy compared to decompiling and rescripting hmm C++ written programs, .Net written programs C# etc etc)

5. make more bases with rfid cards.

6. record new voices for the game

etc.

(Since there has been 1 update to the game software, I can see the differences in what was updated)

ALSO!

I was just browsing through the included audio files, and funny enough the “normal” voice actor did players 1-8, but there’s a different voice actor that recorded players 9-16!

I also found the code where I can change the max players to whatever I want.

When I get my extra guns in the mail (6 more) I can experiment with adding more players

Game Mode Ideas

Now, I would Love to have a rainbow six style game mode(s) available.

(as I was writing this I started thinking of more)

1. Save the hostage!

2. Take down/assassinate the high profile target.

3. Team Fortress style classes, (right now probably just a medic class(healing shots), and assault(ammo shots). In the future engineer(can nullify or activate bases?)(capture enemy spawn points?) possibly with a turret? that would need to scan several bases to get “build” points to be able to activate the turret? Grenadier, when we figure out how to make a “grenade” function work. Sniper, when we build a gun / rifle extender that can focus the beam more than 75-77mm(currently))

Greg mentioned having a Nuke end the match That technically is doable, we can have a game mode that you have to “disarm” a nuke and if you can’t get to the enemies base within a time limit the nuke goes off and everyone’s health goes to zero, or the attacking team gets wiped out and has to go back to respawn.

(the nuke sound can easily be added to the game, when he’s counting down 5,4,3,2, BOOOOOOM)

Do-able now or soon.

1.Making more bases with rfid cards.

2.Work on amplifying the antenna with existing external antenna(s) {yes gramatically correct for RF antennas}

3.read up on lua coding and hardware coding.

4.examining existing game code an byte code (the Texas Instruments documentation gives all of the starter code needed for interfacing with the hardware, I can “remove” that part of the code since it is needed every time you want to have the base station talk with the guns)

5. Put together price points for selling rfid coded bases / keychains/ etc.

6. Find throat mics that are not expensive but have good quality. (also headsets/ earpieces that have volume control, the walki-talkies are kindof loud)

7. Add volume control physically to the guns (in game they can be turned down or muted!)

(find more people to add to this note!)

(include pictures / screenshots of code)

PCB of Ubiconnect showing the TI C1111-F32 chip

*Update 4-25-2012 (early ass o’clock in the morning)*

The gun uses the exact same chip by Texas Instruments. (makes sense since they bought them in bulk for this project = lower hardware costs)

So the “protocols” used in basic send the light schemes, readouts of the guns / team selection / player number etc.

The code from TI will help take out at least the standard “hey I’m starting communication wanna talk back to me?” preamble which is around 10 lines of code (give or take a few lines)

Then from there I’ll need to figure out what each set of code does, hopefully all of the codes are listed within the TI product manual.

I’m thinking that the majority of codes are just:

1. what bases are used and what they do.

2. starting health, lives, ammo / clips, player number, number or team designation.

3. time to count down for the start of the match, and time to count down for the end of the match.

Actually that should be All of the code.

I don’t want to speak too early, but that actually should be relatively simple to figure out.

Since there are about 8 or so different game modes, and they did 1 update so I can see the differences from before and after the update and what they changed.

Luckily it is not a complex coding language that needs to be translated like from binary to hex to ascii before I can read it.

It is written in essentially plain english, and then it has a set of bytecode that goes along with it.

Example from “Free For All” bytecode. (the first 41 lines look like this)

0×12,

0×53, 0×43, 0×30, 0×35, 0×00, 0×00,

0×53, 0×43, 0×30, 0×33, 0×00, 0×00

,0×41, 0×53, 0×48, 0×54, 0×00, 0×00,

0×53, 0×57, 0×35, 0×36, 0×00, 0×00,

0×53, 0×44, 0×31, 0×33, 0×00, 0×00,

0×53, 0×57, 0×32, 0×32, 0×00, 0×00,

0×53, 0×43, 0×30, 0×38, 0×00, 0×00,

0×53, 0×43, 0×30, 0×32, 0×00, 0×00,

0×53, 0×44, 0×31, 0×34, 0×00, 0×00,

0×53, 0×57, 0×31, 0×32, 0×00, 0×00,

0×53, 0×57, 0×34, 0×32, 0×00, 0×00,

0×41, 0×52, 0×41, 0x4d, 0×00, 0×00,

0×53, 0×43, 0×31, 0×30, 0×00, 0×00,

0×53, 0×43, 0×30, 0×39, 0×00, 0×00,

0×41, 0x4d, 0×45, 0×44, 0×00, 0×00,

0×53, 0×44, 0×30, 0×33, 0×00, 0×00,

0×53, 0×44, 0×30, 0×32, 0×00, 0×00,

0×53, 0×43, 0×30, 0×37, 0×00, 0×00,

0xcc, 0×01,

0xcc, 0×00,

0xcc, 0×03,

0xcc, 0×00,

==================

And these have been acquired, surprisingly enough they are in the correct color scheme as well.

Wrist Watch Walki-Talkie 1

Wrist Watch Walki-Talkie 2

*update #2 -4/25/2012*

Pictures of the innards of the t-blaster (gun)

Here you can see all the components (minus the vest connector at the bottom of the handle.

The layout is pretty basic, below the main board you can make out the antenna for the rfid scanner built into the gun. (it is the vertical card in this picture)

This is the top of the rfid scanner card (the vertical card in the above picture)

Showing the wiring and chip layout of the PCB

Here you can make out the actual text on the chips.

PCB with the rf “gun” part removed. So you can better see the chips. In the middle the CC1111F32, to the right (the two chips are store and forward memory chips.) The data is literally stored and forwarded from and to there. It is like temporary memory.