LTAR TRRS Protocol

Technical talk about the inner workings of Lazer Tag Team Ops taggers and making modifications and accessories.

Re: LTAR TRRS Protocol

Post by neuron » Mon Aug 07, 2017 9:28 am

Here are a few of the ways I have done it.

1. The first is a Y-Splitter coming out of the iDevice with a gender changer to the sound card.
2. Short the Sleeve and the Tip of the LTAR and measure your signal or run through your sound card. No board or iDevice needed.
3. This way is similar to #2, you can connect Sleeve to Tip and measure your signal or amplify the signal if you need.

Note, the signal is small, i.e. around 100mV. If using the Y-Splitter you will possibly get disconnects from the LTAR and iDevice.

If you don't mind having your LTAR disassembled you can also do the above to short the Tip to Sleeve and measure the signal in a few locations and get a much cleaner signal.

The sound card is probably the best way to measure the signal. You can use audacity to record the wave and view it like I listed above, or you can use some of the free Oscilloscope software that can use your sound card, or even some of the Software Defined Radio (SDR) software to view the signal in a spectrum analyzer.
Attachments
ltar_trrs_short.jpg

Post by DrDDS » Sat Aug 26, 2017 6:58 pm

Awesome, thanks Justin. This is really helpful. Have you had any luck "listening" to the other end of the conversation? I mean, finding what the idevice is saying to the LTAR in different configurations? I believe Ryan mentioned once that communication of the idevice to the LTAR was very similar but on slightly different frequencies for the 1 and 0. As soon as I have the electronics I'm ordering for this, I will try and take a look and find that signal. I just wondered if you had tried looking for that already. I imagine it would only occur in circumstances that are specific to the idevice. Such as when you are hit by an EMP or other special weapon not available in the standard mode. Similarly, it may communicate a weapon selection being made if it is a weapon only available in the app.

Post by neuron » Wed Aug 30, 2017 3:36 pm

Sorry for the delayed response. I had a bunch of recordings, but I did a terrible job keeping a description of them. When I looked through them I had no idea what happened at what time, i.e. gun change, or hit from an enemy. Anyway, I recorded a few new ones and tried to keep track of what happened at what time.

This is the sequence of events of the recording.
1. Everything is plugged in and I start the recording with the iPodTouch and LTAR off. The iPodTouch is not completely turned off, just in power save mode?
2. I turn the iPodTouch on and run the LazerTag software.
3. I wait until the LazerTag software has run through all the transition screens and is waiting at the Single Player, Multi Player, etc... menu.
4. Then I turn the LTAR on.
5. I select single player.
6. I select play. (On the last 2 I changed the level to 1 because I get shot less)

This is 3 different recordings. I have changed the volume for the mic recording on my computer in each one. This helps to show the LazerTag software sending/querying some information...?
ltar_idevice_connect_and_countdown.jpeg

Here's a little more zoomed in. In the second recording you can clearly see when the LazerTag software is running ~16-18.5, then the LTAR is turned on ~18.5
ltar_idevice_connect_and_countdown_zoom1.jpeg

So let's focus on the second recording. Here's what I wrote down on a notepad while recording the action. These are not exact times, it was just to keep track of what was happening.
0:18 - gun on
0:30 - countdown start
0:49 - gun change (quantum repeater)
0:56 - shot by enemy
1:05 - shoot gun
1:20 - shot by enemy
1:30 - gun change (pyroburst) - and was shot by enemy

Initially it can be difficult to see the data, so one way to pinpoint the data is to duplicate the recording and turn on the spectrogram option. You will then have something that looks like this. Notice the 2K 4K and 6K in the legend to the left of the spectrogram.
rec2_spectrogram.jpeg

Post by neuron » Wed Aug 30, 2017 7:43 pm

If I zoom in to 0:30 where I thought the countdown started you can see some "white lines" (I'm not sure what the correct technical term is here!). This is where the frequency changes from ~2K to ~4K. I can see now that 0:30 was wrong but I can also see what looks like 1 second intervals of data, the countdown, and that appears to start at ~32.5 or ~33.5.
rec2_spectrogram_zm1.jpeg

If I continue to zoom in on 33.5 I can read the data being sent and I can also see the time is around 33.65 and not 33.5.

11000011000110000100001100000000011000000000110000000001101111101

Which is:
110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx
110 00011000 110 00010000 110 00000000 110 00000000 110 00000000 110 11111011
rec2_spectrogram_zm2.jpeg

I did 32.65 and 34.65 after the 33.65 and here is that data

        110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx
32.65 - 110 00011000 110 10010000 110 00000000 110 00000000 110 00000000 110 01111011
33.65 - 110 00011000 110 00010000 110 00000000 110 00000000 110 00000000 110 11111011
34.65 - 110 00011000 110 11100000 110 00000000 110 00000000 110 00000000 110 00000111

I have listed at 0:49 that I have a gun change to the quantum repeater. I figured I'd zoom in around 0:49 and I want to point something out. The information pulses from the gun are noticeable because of the series of frequency changes.

        110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx
45.65 - 110 01000000 110 00000000 110 00000001 110 11010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 01000000 110 01010000 11
48.65 - 110 01000000 110 00000000 110 00000001 110 11010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 10100000 110 11100000 11
49.65 - 110 01000000 110 00000000 110 00000001 110 11010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 01100000 110 01100000 11
rec2_spectrogram_zm3_hilight.jpeg
Last edited by neuron on Thu Aug 31, 2017 6:09 pm, edited 2 times in total.

Post by DrDDS » Thu Aug 31, 2017 9:52 am

Awesome. Thanks for the very comprehensive look at this Justin. I know this takes a lot of time to do and then post in such detail - it is very appreciated. So it looks like the 6k frequency is used here, which if I remember correctly, we haven't seen before. Watching the info from before, we saw 2k frequency as "0" and 4k as "1" correct? When coming from the app talking, it looks like the 6k is used now, am I reading this correctly? Is 2k still "0"? I'll wait to hear from you, here, but once we have definitive questions that need clarification, I'll post those on the FB page and see if Ryan can clue us in further when needed. Thanks again. Edit: I think I got my 1 and 0 backwards up there :roll:

Post by neuron » Thu Aug 31, 2017 1:20 pm

It can be ignored for now. It could be noise introduced from splitting the signal and turning the volume up on the mic recording. It could also be there to make the wave more clear for communication between the LTAR and iPodTouch. Either way the 2K 4K and 6K can be ignored for now since we are just looking at the waveform.

I really just wanted to show you the data pulses and how to zoom in on them. I'm sorry if it was confusing.
I have the 3 wave files that I tried to post here, but I couldn't upload .flac, .wav, or .zip. I'll e-mail them to you in .flac format so you can look at them too.


I tried to put some 1's and 0's above the waveform. They're in red.
2K - 1 (binary)
4K - 0 (binary)
rec2_spectrogram_zm2_binary.jpeg
Last edited by neuron on Thu Aug 31, 2017 2:01 pm, edited 2 times in total.

Post by riley » Thu Aug 31, 2017 1:47 pm

I've relaxed the restrictions on file attachments to make it easier on you. You can now have up to 10 images or attachments per post, attachments can be up to 2MB each, and audio files are now allowed (including WAV and FLAC). ZIP should have worked for you (unless the file was too big). Let me know if you still have trouble.

Post by neuron » Thu Aug 31, 2017 1:50 pm

Hey Riley, thank you. You're right, my zip file was way too large!

Post by DrDDS » Thu Aug 31, 2017 5:42 pm

This is great Justin. Thanks for the email, I got it. I see what you mean now about the waveform being the important part. I'll download audacity and maybe one of those oscilloscope programs and play with the flac files when I can. Leaving for a trip with my two oldest kids tomorrow so it might be next week before I can sit down and really play with these. Thanks again. P.S. - Riley, I'm anxious for your package to arrive in the mail and see what you make of it! Working off both the hosting protocol from the Nomad and the audio data stream decoding here should really get us far in this effort - maybe no ROM dump necessary in the end.

Post by neuron » Thu Aug 31, 2017 6:11 pm

0:49 - gun change (quantum repeater)
After zooming in and looking at the 1 second data pulse around 0:49.65 it does not appear that much data has changed since 0:45.65, so I'll skip ahead to, 0:56 - shot by enemy, and see what that data looks like.

                                                    Health
        110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx
45.65 - 110 01000000 110 00000000 110 00000001 110 11010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 01000000 110 01010000 11
48.65 - 110 01000000 110 00000000 110 00000001 110 11010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 10100000 110 11100000 11
49.65 - 110 01000000 110 00000000 110 00000001 110 11010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 01100000 110 01100000 11
                Found something, in this column -> ********
55.65 - 110 01000000 110 00000000 110 00000001 110 01010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 00110000 110 10000000 11
56.65 - 110 01000000 110 00000000 110 00000001 110 10010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 10110000 110 10000000 11
57.65 - 110 01000000 110 00000000 110 00000001 110 10010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 01110000 110 00000000 11
So, it looks like the health bits have been identified. It also looks like the bits are Least Significant Bit to Most Significant Bit. LSB first gives us this (it's just in reverse):
01001011 -> 75
01001010 -> 74
01001001 -> 73


Since we've figured out the bit ordering, if we look at the countdown sequence again we see this:

                         Count
                         Down
        110 xxxxxxxx 110 ****xxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx
32.65 - 110 00011000 110 10010000 110 00000000 110 00000000 110 00000000 110 01111011
33.65 - 110 00011000 110 00010000 110 00000000 110 00000000 110 00000000 110 11111011
34.65 - 110 00011000 110 11100000 110 00000000 110 00000000 110 00000000 110 00000111
1001 -> 9
1000 -> 8
0111 -> 7


Quick Edit (confirmed health and shield when connected to iPodTouch):

                                                    Health                                              Shield
        110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx 110 xxxxxxxx
45.65 - 110 01000000 110 00000000 110 00000001 110 11010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 01000000 110 01010000 11
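
The decoding worked out in the post above, as an added example that is not part of the original thread: it splits a transcribed frame into `110`-prefixed bytes, reverses each byte (LSB first) and reads the countdown and health fields. The function names are hypothetical, and the field positions and the reading of `110` as a per-byte marker are assumptions taken from the tables in the posts.

```python
SYNC = "110"  # marker transcribed before every data byte in the thread (assumed per-byte)


def parse_frame(bits):
    """Return (byte_values, leftover_bits) for one transcribed frame.

    Whitespace is ignored. Each group is SYNC plus 8 data bits sent LSB
    first. Bits left over after the last full group (the trailing "11" on
    the longer frames) are returned as-is rather than interpreted.
    """
    stream = "".join(bits.split())
    if set(stream) - {"0", "1"}:
        raise ValueError("frame may contain only 0, 1 and whitespace")
    values, pos = [], 0
    while len(stream) - pos >= len(SYNC) + 8:
        if not stream.startswith(SYNC, pos):
            raise ValueError(f"no {SYNC} marker at bit {pos}")
        data = stream[pos + 3:pos + 11]
        values.append(int(data[::-1], 2))  # first bit on the wire is the LSB
        pos += 11
    return values, stream[pos:]


def countdown(frame):
    """Countdown: the first four transmitted bits of the second byte."""
    return parse_frame(frame)[0][1] & 0x0F


def health(frame):
    """Health: the fourth byte of the longer status frame."""
    return parse_frame(frame)[0][3]


# Frames copied from the posts above, keyed by the poster's timestamps.
COUNTDOWN_FRAMES = {
    32.65: "110 00011000 110 10010000 110 00000000 110 00000000 110 00000000 110 01111011",
    33.65: "110 00011000 110 00010000 110 00000000 110 00000000 110 00000000 110 11111011",
    34.65: "110 00011000 110 11100000 110 00000000 110 00000000 110 00000000 110 00000111",
}
STATUS_FRAMES = {
    49.65: "110 01000000 110 00000000 110 00000001 110 11010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 01100000 110 01100000 11",
    55.65: "110 01000000 110 00000000 110 00000001 110 01010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 00110000 110 10000000 11",
    56.65: "110 01000000 110 00000000 110 00000001 110 10010010 110 01010000 110 11111111 110 11111111 110 01111000 110 00000000 110 10110000 110 10000000 11",
}

if __name__ == "__main__":
    for t, f in COUNTDOWN_FRAMES.items():
        print(t, "countdown", countdown(f))
    for t, f in STATUS_FRAMES.items():
        print(t, "health", health(f), "leftover", parse_frame(f)[1])
```

A group that does not begin with `110` raises `ValueError`, which flags a bit dropped or added while reading the spectrogram by hand.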
