💾 Archived View for bugbrother.flounder.online › projects › vusion › intro.gmi captured on 2023-04-26 at 12:49:45. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-04-19)

-=-=-=-=-=-=-

VUSION ESL hacking intro

Making a custom firmware for digital supermarket tags

So I managed to get my hands on some Electronic Shelf Labels (ESL) the other day. They looked pretty swanky with their EPaper Displays (EPD) and I thought "I could use some more EPDs in my life. What if I could display whatever I want on there ?".

Before going any further it may be a good idea to state what I want and don't want to do/achieve:

• I want to display arbitrary things on the labels
• It would be nice to do so wirelessly BUT:
• I DO NOT want to reverse engineer the proprietary RF protocol and such of the original vendor. Don't need no legal troubles
• The battery life of the ESLs need to stay reasonable, like a year or two at least
• The end results of the project need to be open-source

What are ESLs ?

Without knowing much about ESLs but it's somewhat easy to imagine how they work/integrate into a supermarket environment. The tags/labels themselves need to last for years and hence need to consume as little power as possible. The best way to go at that is to make the ESLs very dumb, there's no real reason for the tag to run an OS or anything fancy. They just need to have some kind of memory, a display and some way to receive wirelessly what they should display. The labels would be off most of the time and only wake up when new data needs to be displayed.

This means that there must an Acces Point (AP) of some kind that knows where the tags are (or to which products the tags are associated with) and that can update their display data individually. The AP also has access to the store's database, to get price updates and such.

What we're working with

The tags we have are VUSION 2.6 BWR GL440 from ses imagotag. From the product name alone we can gather some info: they are black/white/red tags and the displays 2.6" in diagonal. The label at the back of the ESLs also mention an FFC ID, we can check it out here:

FCC databe entry for our tags

No luck this time, no internal photos.. Anyway, we can still glean a few things from the FCC application:

• The tags operate in the 2404.0GHz - 2479.25GHz band, while that frequency range could fit the 802.11b/g/n/ax standard (WiFi), it's more likely the ESLs use some kind of more proprietary protocol. WiFi is overkill for such a dumb device and would also consume too much power
• The ESLs we have have very close cousins that only differ in terms of display size, the biggest one supposedly has a 12.2" EPD, yummy.

While we're browing the FCC database we can have a look at all the applications made by SES-imagotag. It's very likely that all their products share the same radio link and there's also a chance we'll get some internal photos of the AP !

Here we can find the internal photos of another ESL from the same range as the one we have:

Internal photos of a related ESL

Assuming only the PCB and EPD differ from the EDG2-0260-A product we have, we can safely assume to find:

• A TI CC2510 RF SoC running the show. More on this SoC later
• A proper socket for the EPD
• A capacitor bank to keep the tag operating when changing batteries or something
• An RFID/NFC chip of some kind
• 2 LEDs, one RGB and the other one monochrome most likely (given the 2 6-pin packages at the top right of the PCB on page 2)
• What looks like a memory chip

We can also find some info on what could be the AP for the ESLs:

Internal photos of an SES-Imagotag mPCIe AP

There we see a mPCIe card that has TI CC2650 RF SoC on it. This SoC has an RF module that is compatible with the CC2510 used in the tags. There's also a Silicon Labs CP2102 USB-UART bridge that connects the CC2650 to the USB lines on the mPCIe connector. In addition to all that we can assume that a memory chip is also present on there (the USON-like package at the top right of the CC2650) as well as a set of RF front-end chips (PA and LNA perhaps) tied to a uFL antenna connector.

With all that in mind, let's tear open the ESLs we have. The easiest way to do it is to insert a plastic blade-thing between the clear plastic cover and the outer shell of the tag. After undoing a few clips the whe PCB+EPD assembly pops out. Here's a picture of the thing (top and bottom sides of the PCB).

TODO, link to the picture

As expected, we have a CC2510 as well as pretty much the same things as the other tag in there. However, there clearly is a debug connector of some kind present on the edge of the PCB, good news !

Before tracing out the connector pinout let's have a look at the RF SoC that is at the heart of the ESL.

TI CC2510

The TI CC2510 RF SoC is a pretty simple 8-bit MCU with a packet radio subsystem attached to it. The CPU core is an ancient 8051-based thing. While that might sound like a bad thing, it's actually pretty ok, there is an open-source toolchain that can compile C for these core: sdcc. Also, the debug interface of the CC2510 MCU is well documented, the programming/debug probes are cheap+easy to find (like 15€ for a clone on eBay) and a FOSS tool can be used to upload the binaries.

A few remarks about the MCU:

• It has only 4kB of RAM, that probably wont be enough to hold a framebuffer for the display
• The radio subsystem operates on the 2.4GHz band, as expected
• The CC2510 that's on this PCB is of the F32 variant, meaning it has 32kB of flash
• It's RX power consumption is not amazing. We can assume the MCU is put in deep sleep most of the time and is woken up for a short period of time at set intervals

Previous efforts

Some reverse engineering efforts concerning the VUSION tags have been made, the most notable one is:

Extremely useful work from @andrei-tatar(github)

That's a lot of work already cut out for us ! From there we can basically confirm all the assumptions made earlier and glean info about the EPD, the NFC chip, the PSU and other things like that.

While the contents of this repo are VERY valuable, they also contain bad info and miss some entirely: the MCU does NOT support WiFi links and the "mystery chip" is a Winbond W25X128CL flash chip (see project log entry 1)

Alright, looks like we have enough information to get RE'ing and dev'ing.

Add link to project log 1