Teardown time! Interfacing "Pocket Radar"

Having children warps your perspective. Totally. And last summer I spent an unhealthy amount of time being annoyed at cars racing up our narrow residential street while rambling incoherently, “Heathens! Think of the children!”

So what does one do? I think some friendly automated neighborhood traffic surveillance would go a long way. So a while back I therefore got hold of a Pocket Radar. While it does evoke the stray ‘is that a radar in your pocket’-joke it is in fact a precise, yet tiny unit. The interface is admirably simple – one big red button (BRB) which starts metering and upon release displays the speed of anything substantial hurtling towards you to within a couple of km/h. So how does it interface?

HEED THIS JOURNEYMAN: According to Pocket Radar the device is very sensitive to static discharge – mostly the pins on the RF board – so if you intend to poke around one of these you should consider an ESD work mat and proper grounding. I did my probing in winter, wearing wooly socks while sliding around on hardwood floors with nothing for protection apart from my sanguine temperament. Stupid luck, most probably.

Promisingly the unit breaks out a few pins right over the battery compartment behind a little sticker. These however proved not to actually carry data, and are probably just diagnostics. Meh.

So here we go.

Broadly the front of the board carries:

  • 1 16-bit TI microcontroller – MCU MSP430F21x2
  • 1 TI programmable DSPTMS320LF2401A
  • 4 8-bit shift registers for driving the display – "SN74AHC595PW":http://focus.ti.com/lit/ds/symlink/sn74ahc595.pdf
  • A slew of analog electronics for powering and filtering whatever comes back from the antenna.
  • 2 L324 op-amps

The back has fat pads connecting to the LCD and a light sprinkling of analog components. The bold 7 segment LCD display seems pure oldskool as do the shift registers. It doesn’t have hidden vias or mutiple layers. It’s a USPS truck. It’ll keep on truckin’ till long after the apocalypse.

Photoshop grants me x-ray specs:

Anyways, poking about a bit reveals that the DSP does signal acquisition from the op-amp / RC grid while the shift registers hang off the other MCU and do display refresh. So given:


we might just be lucky and find an available digital signal between the DSP and the MCU. Unfortunately finding out what the unit is doing could be somewhat difficult as the antenna is affixed to the back plate of the unit. The same back plate you remove in dissasembling it. Doh. But hey, the unit still powers up and pressing the BRB still still produces a random speed reading every once in a while. I’m guessing this is just noise from the hanging pins usually connected to the antenna.

Probing the DSP while staying far away from the sensitive op-amps reveals that pin 3, SCITXD, unsurprisingly sends something digital and serial to the MCUs RX pin. The TIs support normal UART, but after doing 3 captures I’m left with this:

2 different lengths of signal. Yet a total of 12 changes in sign for all of them.

The display can be set to meters/sec, feet/sec, km/hour and mi/hour. For all we know the data is coming off the DSP in a fifth intermediate format. Hoping that it’s one of the four above and counting.

The width of each pulse is 122µs = 0.122ms = 8196,7 baud. Now, 8196,7 / 2 is 4098 which seems just too much of a coincidence.

Transcribing the bits as clocked out gives us:

1. low -> 1010101011100010101000 -> high
2. low -> 10101010111011100010001110 -> high
3. low -> 1010101000101110001010 -> high

While the display readings in binary are:

86m/s –– 1010110 / lsb 0110101
283f/s –– 100011011 / lsb 110110001
311km/h –– 10011011 / lsb 11011001
193mi/h –– 11000001 / lsb 10000011

81m/s –– 1010001 / lsb 1000101
267f/s –– 100001011 / lsb 110100001
293km/h –– 100100101 / lsb 101001001
182mi/h –– 010110110 / lsb 01101101

136m/s - 10001000
304mi/h - 100110000

The repeats seem to be carrying information, but how? I stare unblinkingly at it for half an hour to grok pattern, but give up at 1:30AM. Next day I give Simen a call. He remembers a blog post he happenend upon describing an unclocked serial protocol where the recipient meters the baud-rate, by looking at the initial pulses. The repeats then carry a specific truth value regardless of their being high or low. This very quickly gets results.

1. low -> 1010101 011100010101000 -> high
mi/h 0 0 0 0 1 100000 1

2. low -> 1010101 0111011100010001110 -> high
mi/h 0 0 0 0 10 1 10 1 10

3. low -> 1010101 000101110001010 -> high
mi/h 0 0 0 1 00 1 10000

The protocol starts with 7 bits of toggling, presumably to establish a bit rate, 9 bits of data follow. Repeats are signal true, any other toggle is false. The data is in miles per hour.

This snippet of ruby will run the decoder for you – raising an error for repeats that aren’t threes is left as an exercise to the reader:

pulses = ["1010101000101110001010", "10101010111011100010001110", "1010101011100010101000"]
should_equal = [304, 182, 193]

def decode pulse
# chop first 7 bits. sync pulse
pulse = pulse[7..-1]
result = "" and cnt = 0
while cnt < pulse.length do
if pulse[cnt] != pulse[cnt+1]
result << "0"
cnt += 1
result << "1"
cnt += 3
return result.to_i(2)

pulses.each_with_index do |pulse, index|
puts "= #{decode(pulse)} // #{should_equal[index]}"
Vist 2835 ganger. Følges av 1 person.


That’s an impressive piece of reverse engineering! I bow to you, mastah.

Nye bilder