Your generous donations help keep this site online!
Info & Controversy
(disable the serial number with a simple hardware modification)
(disable its primitive "encryption" with another simple hardware mod.)
Confuse a USB
Yes, it exists
The Digital Convergence
is just a regular old audio cable
The future of CueCat
DigitalConvergence has officially bitten the dust. Now what?
Get alternative interface software for your :Cat
As you may know, there are
barcode scanning devices out in the wild. As you may
NOT know, each of these devices contains with it a potential privacy hazard--a
Globally Unique Identifier (GUID), a "secret code" that is assigned to each
scanner when it is produced, that can be used by the parent company to tell
your scanner apart from any other, and, in theory, to track your personal
scanning, buying, reading and yes, even TV-viewing habits, and tie this information
to a profile on you based on your scanner's GUID.
First, let's start with a
little background: The scanners, referred by some in the user community as
CluelessCats or, more commonly, "Colon Cats" (due not only to the odd punctuation
of the actual product's name, but also to recent
actions taken against users by its maker), connect to
your PC's between its keyboard and keyboard port. The devices allow the user
to swipe in the bar codes on books, product packaging, magazines, catalogs,
coupons and ads to be taken to a Web site related to the product (swiping
a book ISBN may take you to Amazon.com, for example). Best of all, these
devices are currently being given away FOR FREE at selected electronics stores
and through the mail. However, as you have probably guessed--just about anything
"FREE" should set off warning bells--there is a dark side to all of this.
There are three major issues of contention surrounding the barcode scanning
Tracking and profiling
The intent of the manufacturer is that companies will pay to license the ability to create barcodes in the :Cat's "special" format with their Web address embedded in them, and that advertisers will pay for ads and targeting info relating to data gathered by the software that interprets the scanned barcodes.
As mentioned, each scanner contains a unique serial number or GUID, contained on a programmable chip within the device. The software provided with the device must be "unlocked" before use, by providing information such as your name, age, ZIP code, demographics and a valid email address (hmm...) in order to receive a unique unlock code. In fact, it is in theory possible to tie each scanner from the factory to an actual name and address in meatspace:
If you doubt an ulterior motive to the barcode scanner, see these excerpts from the company's other site (which has since been taken down [pointed to the Cuecat site], for probably obvious reasons),
DigitalDemographics' parallel mission is to gather demographic and psychographic information from our :CRQ users, subscribers, and :CueCat device users. Our goal is two-fold.It goes on to say:
A cumulative databank is a compelling information tool. Ours is powered by multiple sources:See the
- Demographic Profiles
- Historical Cue Data
- Responsiveness to Relevant Information on the Tabs
- Responsiveness to Relevant Information on the On:CRQ Web site
- Polling Data
- Panelist Data (from volunteers who participate in special interest panels)
- Specific Program Cue and Scratch Data
- Survey Data from Opt-In Respondents and volunteer panelists
- Direct Responsiveness to Offers
- Cross-Media Response Profiles
- Multiple Response Profiles from Same Segment/Media
- Industry Specific Demographic profiling
A questionable End User
License Agreement (EULA)
"If you give me a claw hammer and I crack nuts with it; have I violated any of your rights?" - jodo, in a Slashdot forum
Since the scanner device is
designed and given away in order to make the parent company money, it's safe
to assume they don't want people using the free scanners in ways other than
intended, including as a product-inventory or cataloguing tool, night light,
flashlight, motion detector, etc....or especially using
it without their user-tracking software. To this end, the company has been
constantly expanding and re-wording the License Agreement bundled with the
device. Originally a standard software license to prevent unauthorized copying,
redistribution and disassembly of the decoder software, the EULA has since
been modified several times and now includes a section implying that the
free scanner hardware is also covered by this license. The revised
license goes on to say that the hardware is not actually "given" to the recipient,
but only leased--and that the company can demand the return of the device
at any time. There are several problems with this license that make its validity
We can do anything we want to with it. We can destroy it, we can pee on it, we can set it on fire, we can strap gi joes and 74 bottle rockets to it and boldly send it where no cat-shaped bar code reader has gone before. We paid for it (granted it cost $0), it's ours. -
Legal Threats against non-Windows users
As it turns out, the makers of the barcode scanner only provide interface software for Windows--the software that captures your name and email address, ties it to your scanner's serial number, tracks your preferences, etc. Some of those who received a scanner in the mail don't use Windows, and so wrote their own software to capture the device's input to the computer. The company responded by firing off loads of cease-and-desist lawyer letters warning Linux developers that Bad Things would happen if they didn't take down all their software right away. Specifically, the letters made vague references to Intellectual Property violations, without saying how any IP has been compromised by writing an interface program from scratch (known as "clean-room engineering"), or even what IP (copyright, trademark, patent, etc) had supposedly been violated. Again, there are specific problems with the C&D threats that can be enumerated:
Looks like just another bunch of crybabies with their panties in a knot because people aren't playing with their toys the way they intended, the way that makes them money.
Linux advocates and others
using non-approved interface software with the device contend that it was
the manufacturer's own
stupid idea to give away free scanners, then try to
retroactively force the recipients into contracts. (I for one am not complaining--I
applaud them for letting me stop by Radio Shack to pick up FREE electronics;
the photosensor and ultrabright LEDs these things contain will come in very
handy for my senior design project :)
See the related
Slashdot discussion, and the home of one
of the original drivers, which includes a copy of the letter.
This information is for the version that connects to your Keyboard. There is now a USB version of CueCat; and as far as I can determine, the "neutering" instructions are the same (the new :Cat also uses a 93C46-series EEPROM). The USB :Cat is covered in more detail below.
"Neutering" the :Cat scanner
by disabling its serial number is fairly easy. If you like to take stuff apart,
it'll be fun, too. If you're careful, this process is completely harmless
to the :Cat (they have 9 lives, don't ya know)...but remember, if you happen
to screw up and destroy your :Cat in the process, you can always get another
one, they're free :)
Note: As with any electronic device, make sure the power is disconnected before performing any surgery on the :Cat.
Update: As long as your :Cat's under the knife, see below on enabling a hidden anti-encryption setting with a different small modification to the :Cat.
There are several models of
the scanner out there, each slightly different--so yours may not look exactly
like shown above. The board above is most easily recognized by the "epoxy
blob" in the center (older versions have a square Toshiba microcontroller
chip in place of the blob), and the words "(TM+H Rev 0.3)" printed on the
other side of the board.
You may want to check out another page, "
your CueCat declawed", especially if your board looks different from the
one above. This page contains a lot of technical descriptions, EE's out there
will really eat it up <g>.
I will cover 2 different methods of disabling the serial number, both of which are fairly simple.
Have a good look at the circuit board above. While yours may look slightly different, all versions of the device have the same/similar ID chip on it. (Update: Newer revisions of the board have a strange 5-pin chip in the place of the 8-pin EEPROM, but it does the same thing. You can probably kill the serial# on this bad boy using the same methods below, or just pry the whole chip off the board.)Remember to use an alternative input program / driver for the :Cat, and not the one supplied. Even though the hardware serial has been taken care of, the serial number in the supplied software may be transmitted for the same effect.
This is the chip marked with the red arrow above. It is an 8-pin device and, while you can't see it on the scan above, the number on the chip will be something similar to :
||||Think of it as all one number--it is simply split across multiple lines to fit on the chip. Again, the exact numbering may be different on your :Cat--but 93_46 should show up on the chip somewhere. The blue and green stuff above is not part of the number--the green represent the pins of the chip, and the blue dot represents a small dimple on the top of the chip (this will be explained later). As seen in
HiTex' Chip Directory, the 93C46 series chips are EEPROMs, or reprogrammable memory chips. (These are programmed at the :Cat factory to contain a unique code.) The pinout is available here. As you can see, pin 2 is the chip's clock signal, 3 is data in, and 4 is data out--each of these pins are necessary to transmit the code! (Getting ideas yet?). To determine which pin is which, start at the small dimple on the top of the chip (this indicates Pin 1) and go counterclockwise around the chip. I've marked the dimple with a blue dot in the image above, as in the diagram below. 8 7 6 5Pins 2, 3, and 4 are marked in red.
| | | |
| | | |
1 2 3 4
This is probably the easiest method. Using your weapon of choice (pen-knife, razor blade, X-Acto knife, etc.), pry any one of the three marked pins off the circuit board so it doesn't make contact. Or, slice through the shiny green trace that connects the pin to the rest of the circuit. On my own :Cat I severed pin 2 (CLK), but it may be easier to reach a prying tool underneath pin 4 since it is on the end of the chip. Once this is done, your :Cat's serial number will be reported as ------------------.
[Click here for the scanned image]
This is my preferred method, since it sets your serial number to 000000000000000000 (which may be easier for decoder programs to accept as a valid serial number). I've tested this to work on the 0.3 revision of the :Cat, but can't guarantee success for other versions. Pin 4 of the serial chip is connected to what appears to be a small hole through the board. These holes are actually connections to the other side of the board. Place one end of a wire into the "hole" attached to Pin 4, as shown. Attach the other end of the wire to "hole" shown, which leads into the epoxy blob (controller chip). The hole shown is recommended (since I've tested it to work with this connection), but others may also work. This effectively shorts the output of the serial chip to a predefined value--that is, whatever voltage is on the conductive "hole" the other end of the wire is attached to. (Update: Upon further investigation it turns out this is in fact a ground node, and you can achieve this effect by connecting the wire from the EEPROM to any ground [that is for you non-engineers, anyplace that is connected to the "-" terminal of the board containing the red LED lights]) Depending on the thickness of your wire, it may or may not fit snugly into the holes--try to find some that fits snugly, bend it so that it will not be knocked loose while putting the case back on the :Cat, and glue the wire securely so that it can't come loose and short out other things. If you can solder the wire where it belongs, even better, but it'll be tricky.
If following the image above, make sure you don't have the board upside-down, or it will be a lot harder finding the right hole to jumper to :)
For reference, here are some sample scans (using cat.pl) showing the GUID information removed. Each was produced by scanning the ISBN from the back of a particular book.
Clock pin severed
Data-Out pin shorted to Controller pin
NB: If you are getting inverted upper/lower case with Code 128 / 3 of 9 barcodes after performing a modification, switching the CAPS LOCK on will clear it up. The cause of this problem is unknown.
For this modification you will need:
Note: As with any electronic device, make sure the power is disconnected before performing any surgery on the :Cat.
[Click here for the scanned image]
If you can do the "Neuter"
procedure above, you can certainly perform this one too--but if you go this
route, the "Neuter" will not even be necessary because the :Cat will output
only a raw, un-encrypted barcode (no serial# or any such nonsense). I don't
claim any credit for this; I just found a detailed explanation of Jeff Dobkin's
discovery and decided to try it out myself. What you
need to do is wire the +5V going to the LEDs and other logic to a certain
pin on the board. (Note: I've only tried this on the (TM+H Rev 0.3) version because that's the one I've
got, but have heard that a similar procedure works on other models. Experiment
with the row of holes to see what works on yours :) While the board layouts
may differ, the hole connected to R29 seems to always give the proper results.
There are several places on the board to get +5V. Probably the easiest is the +5V pin of the EEPROM, which conveniently provides a hole for you to stick a wire into (marked with 2 red arrows in the image). Another good place, if you care to use a soldering gun, is to simply solder one end of your wire to the big "+" on the LED (red light) board. Anything marked +5V here can be used. Now, put the other end of the wire thru the hole marked ("Hit me with +5V"), and your :Cat will output plain old un-encoded barcodes with no special software (and/or lawyers) required. Remember, if you got this cursed thing in the mail, it is your property to do with as you please, including stick wires into it like a Voodoo Doll. (Incidentally, if you got it from a Radio Shack, and they don't find out what you're up to, it is your property to do with as you please! "Cop didn't see it, I didn't do it", I like to say.)
"Unmodified" :Cat scan, for
(Note: Not technically "unmodified"; this is the same :Cat I already neutered to remove the serial number.)
(In case anyone is wondering, this particular barcode is from a pack of CD-Rs that just happened to be within arm's reach of my computer :)
Probably the hardest thing
is finding a good piece of wire, one that is narrow enough to fit into these
holes but wide enough not to slip out, in addition to being insulated. I've
found a piece of wire twist-tie works nicely, just cut to the desired length
and slice off the paper/plastic on the ends to expose the wire. Slide these
ends thru the holes, and kink them where the come out the other side so that
they can't slip back out (& to ensure good electrical contact). Soldering
would be ideal here, but since it's a hassle and not everyone has a soldering
gun, the wire alone should be adequate.
Note carefully the side of the board you are looking at compared to the image above, and make sure they match. If the procedure is not working, experiment! The Rev. 2.1 board may actually be backwards from this, as explained in this guest article.
You'll note that there are a number of these useless-looking holes all lined up in a pretty row, you ask, "so what do the REST of them do?". Just for fun, I hit the rest of 'em with +5 (and GND) to see what would happen. A hole I applied the 5V to (which I've marked with a blue dot) 2 away from the "magic one" returned the following strange results when scanning the same package multiple times:
Each of these is of course a different swipe...running them thru cat.pl returns something like:
Rather mysterious to be getting
different results from scanning the same barcode. My own wild speculation
is that these values relate somehow to the scanning speed or a "read quality"
indication, and could be used to set R13 [amplifier gain?] at the factory).
It seems to be change from one scan to the next, and does not return values
on every scan. Anyone care to hazard a guess?
As for the other holes, none did anything very interesting--either they had no effect, or the scanner stopped working completely until the short was removed. Grounding them had no effect at all.
Note: The HO+E revision
uses a different method. Chris writes the following:
I have the HO+E version of the cuecat and i wanted to tell you that i found the proper pins for shorting out the encryption. I simply shorted J2 (Led +5) with the feed for R29 (Two holes to the left of what is shown for your version of cuecat). I hope that this info can help you/others who have this version as i think this version is harder to find info for.
Quick CueCat Modification
Solutions - details the hack for three major CueCat board revisions.
Also, an offer to hack your 'cat and mail it back for a reasonable fee.
"Cat Scans" - The USB CueCat
Contrary to the included documentation,
the USB CueCat will work with Windows 95 OSR2. You will have to download
a driver update first. Detailed instructions are
but I should forwarn you of a problem I experienced with the instructions
listed (aside from it basically saying, "Don't bother with win95, it won't
work") : After downloading the first file (USBSUPP.ZIP) the CueCat worked
on my '95 machine, but after installing the second file (USBUPD2.ZIP) it stopped
working. If it works fine after installing the first file, and does not exhibit
other problems, I see no need to install the other file.
Also remember to enable USB in your BIOS, if it isn't already. If the :Cat is plugged in but doesn't ever light up (even at the BIOS screen) this is the most likely culprit.
Anyway, there is a way to hack this :Cat to remove the serial # (same as the keyboard version), and also a hack to decode its output (just like the keyboard version). I have received a report of the "neuter" procedure causing the :Cat to reverse the case of alphabetical characters from Code128 barcodes.
To remove encryption: Find the chip marked HMS91C7316 (on the bottom side of the :Cat) and carefully cut/pry pin 5 to disconnect it from the board, as with the Neuter procedure. For those unfamiliar with pin numberings, see the diagram below.
16 15 14 13 12 11 10 9
| | | | | | | |
| K130A033 |
| HMS91C7316 |
|o 0027 |
| | | | | | | |
1 2 3 4 5 6 7 8
The blue dot represents a small circular dimple you should see on the top of the chip, which indicates Pin 1. Simply count counter-clockwise around the chip from Pin 1 for the numbers of all the other pins. Pin 5 is marked in red. Now the USB CueCat will output plain, unencrypted barcode data.
All in all, it is a decent quality mono audio cable, about 25 ft. long, with a male/female combination RCA plug (as a pass-thru) at one end and a stereo plug at the other end, the kind found on most headphones and just about anything that plugs into a soundcard. Don't let that stereo plug fool you though--it is a mono cable, with only 2 conductors all the way down the wire. Yes, I cut it open and checked, because a stereo cable would be really nice. Here is the cable, with one plug sliced off and wire end stripped.
The standard privacy warnings
apply (and then some!) to using this cable for its intended purpose of reading
CueCat audiocodes from your TV set--this is a good way to tell a notoriously
loose-lipped company what kind of TV shows you watch,
but doesn't convey to you, Dear Consumer, anything useful in return.
(What? TV commercials can send links to rich-media adverts right to my computer?
Wowie-gee-willikers, Batman! Sign me up right away!) Not to mention needlessly tie up gobs
of CPU horsepower, while the CueCat software performs realtime Fourier transforms(??)
on the incoming audio in the vain hopes of finding a split-second DC audiocode in it somewhere.
This of course doesn't stop you from not installing their software, and using the cable to copy amusing audio clips to/from your computer, or attaching a microphone to it to record sound up to 25' away. Attach a carbon mic and clip it to your bird feeder :)
Important: You may
be able to use the :Cat as a normal (unencrypted) barcode reader without any
special software at all! If you don't mind taking your :Cat apart,
see this page explaining the "secret" anti-encryption
jumper right on the :Cat's board (and/or the quickie instructions above).
Software to create your
own :Cat barcodes
"Cat and Mouse Games" Essay (Dr. Dobb's Journal)
Essay, many :Cat links
Disable :Cat's encryption right on the board!
"Cat" Scanning device may track users online
CueCat users' information let out of the bag
Consumer details exposed on CueCat site
Getting your CueCat
Slashdot Coverage and more and more
Spies on You!
CueCat: Corporate and Clueless (ZDnet rant)
Quick CueCat Modification
Solutions - Instructions for performing the "Decode" hack on the three
major boards, and offers to do it for you for a small fee.
"All trademarks are hereby
acknowledged as the property of their respective holders."
Lawsuits suck ass.