1. Jim Rafferty jmr402@psu.edu 814.866.0537
:CueCat
howstuffworks.com
Jim Rafferty

2. What is the :CueCat
A CueCat is a “free” barcode scanner given out by Radio Shack that plugs into the PS/2 port on your computer.
The word free when dealing with the CueCat has to do with price. But Digital Convergence (the company producing these readers) encrypted the output in hopes they would only work with their software.
There is also an issue with what is sent as output after reading a cue, part of it is a serial number which could have been used to keep track of what you scanned. An early form of a new spam perhaps?

3. What is the :CueCat
Digital Convergence's mouse-sized "CueCat" device would have allowed consumers to scan special barcodes within articles or advertisements, called "cue codes," and be transported to related web sites, with the company acting as a central switching point.

4. What’s Inside?

5. What’s Inside U2: Quad bilateral analog switch U3: BiMOS Op Amp
U4: Quad General Purpose Op Amp
U5: Serial EEPROM
U1: OTP Microcontroller

6. Performance Description
The :CueCat is a PS/2 device so it acts just as a PS/2 keyboard would.
The pin layout of a PS/2 device is as follows:
DIN
Signal 1
+KBD DATA 2
Reserved 3
Ground 4
+5.0 Vdc 5
+KBD CLK 6

7. Performance Description
Traffic on data and clock lines is asynchronous just like a keyboard, if there are no keypresses or scanning in this case, no traffic.
Both lines are high when there is no scanning.

8. Barcode 101 A barcode is a system of bars and spaces.
One way to encode the data is by varying the widths of the bars and spaces
There are many types of barcode schemes that stem from the idea of varying sizes, one popular one is the Universal Product Code (UPC).

9. Barcode 101
A barcode consists of two major parts, the machine-readable code and a 12-digit UPC number.
Normally the first 6-digits are a manufacturer’s identification number. And the next 5-digits are the Item Number. And the last digit is a checksum.

10. The UPC Checksum The checksum is calculated by the following method.
(1) Add up all the digits in the odd position. There should be 6 numbers.
(2) Multiply that sum by 3.
(3) Add up all the digits in the even positions. There should be 5 numbers.
(4) Add the sum of numbers in positive positions to the value in step 2.
(5) Take the resulting value from step 4 and add to it a value which makes it a multiple of ten. The value you add to result is the checksum digit.
Each time a UPC is scanned, this algorithm takes place. If the checksum doesn’t match then there is a problem with barcode.

11. UPC Details
The initial digit in the UPC deals with the type of item you are dealing with.
2: Random-weight items (fruits, vegetables, meats, etc.)
3: Pharmaceuticals
4: In-store marking for retailers (A store can set up its own codes, but no other store will understand them.)
5: Coupons
6: Standard UPC number

12. What is a “cue”? A printed element that can be scanned by the :CueCat
The cues use a Code 128 coding scheme which is just another scheme which varies the space and bar sizes.
You would have found a cue in a magazine for example.

13. The :CueCat’s Output
The CueCat emits keyboard scan codes which are then interpreted by the computer’s BIOS.
The encrypted data looks like the following:
alt+F10 .C3nZC3nZC3nZCNzYDNPYC3nX.cGf2.ENr7CNz0DxjZD3rZDNzWENP6. <enter>
The information above is seperated with periods. The first section is the header, the second is the serial code for that particular cat, followed by an encrypted form of the barcode used, and finally the data for the barcode.

14. The :CueCat’s Output
The numbers you would normally see at the bottom of the barcode are encrypted in the previous slides code.
A base64+XOR system is used to scramble the CueCat's output.
The previous encrypted data set is actually ~>   IB5   after decipherment.

15. Information For more information:
(this site teaches you how to hack your CueCat to sniff for wireless keyboards with a few extra chips.)