Beylogger Teardown

After seeing the new Burst system with the Beylogger, I had to pick one up and see how it works!

First, the launcher. There is a peg that goes up when the beyblade is inserted, but the peg does not spin. Instead, there is the white and black colored disc that spins.
[Image: mB0xwS2.png]

The Beylogger has an infrared reflectance sensor which "sees" the white and black marks. The square-ish thing is the reflectance sensor, the circle is the button that sees when the beyblade is inserted.
[Image: 36eojBA.png]

Inside the Beylogger, it is controlled by an ABOV microcontroller, an 8-bit one by a Korean company. I was hoping for a more common one like AVR or PIC, so that I could reprogram it myself.
[Image: huk19gT.png]

Underneath the board you can get a better look at the reflectance sensor and switch. Note that there are no traces for NFC. The beylogger does not have any NFC capability, in contrast to what I have read before about the beylogger using NFC to communicate.
[Image: ErPY750.png]

In order to make it easier to work with, I replaced the short battery wires with longer ones with connectors.
[Image: z7yzCBc.png]

To control the switch without having to physically press it, I attached a wire to one of the leads. Ground = switch closed, floating = switch open.
[Image: 8aFJNz2.png]

I hooked it up to an Arduino. I placed an infrared LED in front of the reflectance sensor, and I flash the LED at a high rate in order to trick the sensor into thinking I am spinning the beyblade. It works, so now I can trick the beylogger into thinking I am launching my beyblade.
[Image: VKT35mp.png]

I left it running for several hours and came back to over 1000+ launches! It takes 10 seconds for each launch, so it can automatically do 360 launches per hour. The current record is ~45,000 launches, so it will take about 120 hours to catch up.
[Image: pox2s9M.png]

Note that the highest "power level" I have achieved is only 700. If I program the LED to blink faster, the Beylogger thinks it is communicating with another Beylogger and produces an error. I still have to tinker with it; I am hoping to trick it into seeing 1500 power rating launches.

Thanks for reading!
Very cool! Thanks for posting this. Scary that you were able to trick it into thinking you were shooting haha ... Obviously not just anyone can do that, but it definitely exposes a flaw in the system.

After some initial confusion we had already realized that unfortunately the BeyLoggers do not have any NFC capability. The only things that do are the Beyblades, but the purpose of that functionality is still unknown. Some people are speculating it will be used for a Beyblade Burst 3DS game.
Dude, this is awesome, nice work! And welcome to the WBO!
Very cool. I read the title and I thought it meant Takara was tearing down the whole system and not using it at all. This is very neat. I hate that peg though. It marks up my layers.

Do we know what the peg is for yet? Sorry if I missed that in the report. I was skimming through.
Cool. I wish I dared to take mine apart and do that. A lot easier than launching 200 times a day manually for points. Lol. I guess it is not a bad thing though. My launches are crazy on point right now
(Sep. 11, 2015  1:22 AM)Bladerguy2 Wrote: Do we know what the peg is for yet? Sorry if I missed that in the report. I was skimming through.

As far as I know, the peg lets the BeyLogger know that a Beyblade was really launched, to avoid fake launches by just ripping the winder out of the launcher with nothing attached to it, which might make it easier to get high RPMs.
(Sep. 11, 2015  1:47 AM)Zoroaste Wrote: Cool. I wish I dared to take mine apart and do that. A lot easier than launching 200 times a day manually for points. Lol. I guess it is not a bad thing though. My launches are crazy on point right now

This is really cool from an experimental standpoint, but I don't think he's planning to use the points collected this way to win Amaterios. That would definitely be frowned upon.
Yeah true. But you're going to bump me down a place for most worldwide launches, cheater!!! Haha jk. We will all know who got there the legit way. Now I know how the current first place guy has a seemingly impossible amount of launches
It's cool to trick blger [beyloger (lol)], but I don't think I will do this because it's like cheating [and I will hurt my blader's spirit/feeling for Beyblade]. As Zoroaste said, it is definitely easier than launching 200 times a day. But I would still like to launch 200 times a day [I launched my bey Burn Pisces H145WD 100 times on a rock (to break the rock) every day when I was 9 years old in summer holiday].
I decided to put more time into it again. I wanted to remove the LED flashing into the reflectance sensor, and replace it with directly feeding the Beylogger a signal.

I found the pin on the reflectance sensor and hooked up my oscilloscope. I ripped my hardest with all these wires, and here was the signal:
[Image: aYdmgDC.png]


I recreated it with the Arduino, here is the signal for that:

[Image: BaaEuCa.png]

It works, but I still can't go higher than 712!

If I could rip 1500 by hand, I think the signal would look similar, but just at a higher frequency. But if I increase the frequency in the Arduino, the Beylogger just makes an error.

Another problem is, if I did rip 1500 by hand, then I would never be able to tell how hard I ripped in the future, since the app only tells the highest rip.

So in the end, I was successful in removing the LED and just feeding it a signal directly, but I was not able to get above 700 in ripping power.

I think next, I will forget about ripping power, and see if I can spoof the entire beylogger. Just hook up an Arduino directly to the smartphone, and have the Arduino pretend to be the beylogger. Maybe that way I can spoof 1500 power and 200+ launches.
Nice. And this is why I'll never trust anything with a circuit.

For those who don't know already, this analogue-to-binary technology has been around since toys started using batteries. A good example is the award-winning OWI Binary Player Robot kit. The user colors-in segments on a paper disc which fits inside the robot - the disc rotates as the robot moves forward, dragging the colored-in segments past an infrared sensor. Whenever the sensor detects the darker colored-in segments, the robot will turn left or right, depending on the segment. So the sensor has two simple modes: on and off.

Trouble is, this type of sensory system (essentially analogue) is traditionally very prone to error. So I find it pretty mind-boggling that the sensor in the beylogger is "sensitive" enough to actually read the flashing black-and-white from the launcher at the speeds you'd expect from a normal rip - and turn it into some kind of code. In fact, it's mind-boggling enough that I don't believe it - surely it can't read the signal that accurately?!

I don't have one of these things - so I just cannot say with any real certainty - but I suspect it is not the raw binary signal recorded by the sensor which determines the result. Instead, I imagine the beylogger would more likely measure the TIME it takes for the signal to cease after the rip. The "flashing" would merely trigger the timer, while the following "static" would stop it. That kind of jazz.

Of course, whatever. Keep up the good work.
You are keeping in mind that these kinds of records are taken by how many samples it can take, right?

It's like in music, it's not the same 10 samples per second, to 20, to 30, to 60, like frame rate in a videogame

For what you say I think it depends on the analog device quality and technology, also remember many people still trust analog capture devices because digital information still has MANY limitations when you are capturing video and audio (example: you can't zoom digitally for a high quality picture/video and you can't make high quality audio digitally)
Super fascinating stuff, thanks to both you and Beylon!
So it's been a year and I got the itch to work on this again. It's good to see Burst is still going strong.

My main goal now is to sniff the data the beylogger is sending to the smartphone. Hopefully if I can do this, I can skip the whole "turn on arduino and let it spin for 2 hours" in order to get the points for the day.


(Reference code/photos below. I wasted an hour today trying to find my old code from a year ago and fixing wiring that had broken.)
http://pastebin.com/qzAFatZp
[Image: dOOdp0l.jpg]
Wow the Beylogger is so complex and yet so simple I can't wrap my head around all this info Smithicide
This is incredible. Honestly just mind-blown. Keep it up! :3
I was experimenting with timing the pulses today.

The moment I found the smallest pulse the beylogger would accept as a spin, my app gave me a new warning screen, signed me out, and now I no longer earn any points (even though I am under the limit for today).

Did something happen? Does someone know what this means?

I ran it through an online OCR and Google Translate, but nothing useful came out of it.

[Image: hMj2kb6.jpg]
BURN NOTICE.

But seriously, this has gone far deeper than I ever imagined it would. What kind of results were you getting before the lockdown?
(Sep. 05, 2016  12:54 PM)Beylon Wrote: BURN NOTICE.


But seriously, this has gone far deeper than I ever imagined it would. What kind of results were you getting before the lockdown?

I still wasn't beating my high score, but I figured a few things out.

First, the beylogger will take nothing less than 5 pulses, but will accept more just fine. (I guess to account for any longer ripcords or the string launcher).

Their method to check for a valid launch is weird. For example, if the 5 pulses were in milliseconds, a "5-5-5-5-5" would be invalid. A "7-7-7-7-7" is valid. A "4-7-7-7-7" is valid.

Next I figured out the final pulse has a lot of impact on the power level of the launch. A "10-10-10-10-10" registers as slow, but a "10-10-10-10-0.06" registers as fast.

So in the last case, 60 microseconds (not milliseconds, micro!) registers just fine as a fast launch. Still didn't beat my high score of around 700, though.

I went to 10, then 20 microseconds, and the beylogger showed them as bad launches. Tried 30 microseconds, beylogger showed as a fast launch. I hooked it up to see if I had finally beaten my score, and it gave that error screen.

Any further launches, even slow ones gave me 0 points. At this point I'm going to wait for the daily reset in a few hours to see if that will clear things up.
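Added example, not part of the original posts and not the Beylogger's firmware: a plausibility check a designer of such a sensor front end could apply, rejecting pulse trains like the "10-10-10-10-0.06" case above, where one pulse differs wildly from its neighbour. The 4x step limit, the buffer size and all function names are assumptions, and the check does not reproduce the device's own validity rule.

```c
#include <stddef.h>
#include <stdint.h>

#define MIN_PULSES     5   /* from the thread: fewer than 5 pulses is not a launch */
#define MAX_STEP_RATIO 4   /* assumption: largest believable change between neighbours */
#define MAX_PULSES     32  /* assumption: capture buffer size */

typedef enum { LAUNCH_OK, LAUNCH_TOO_SHORT, LAUNCH_IMPLAUSIBLE } launch_status;

/* Check a captured train of pulse widths (microseconds) for physical plausibility. */
launch_status check_launch(const uint32_t *us, size_t n)
{
    if (n < MIN_PULSES)
        return LAUNCH_TOO_SHORT;
    if (n > MAX_PULSES)
        return LAUNCH_IMPLAUSIBLE;
    for (size_t i = 0; i < n; i++) {
        if (us[i] == 0)
            return LAUNCH_IMPLAUSIBLE;
        if (i == 0)
            continue;
        uint64_t hi = us[i] > us[i - 1] ? us[i] : us[i - 1];
        uint64_t lo = us[i] > us[i - 1] ? us[i - 1] : us[i];
        /* A spinning disc cannot change speed by this much in one mark. */
        if (hi > lo * MAX_STEP_RATIO)
            return LAUNCH_IMPLAUSIBLE;
    }
    return LAUNCH_OK;
}

/* Median pulse width of an accepted train; 0 if the train is rejected.
 * Using the median keeps one outlier pulse from setting the speed reading. */
uint32_t launch_pulse_us(const uint32_t *us, size_t n)
{
    uint32_t sorted[MAX_PULSES];
    if (check_launch(us, n) != LAUNCH_OK)
        return 0;
    for (size_t i = 0; i < n; i++) {          /* insertion sort into sorted[] */
        size_t j = i;
        while (j > 0 && sorted[j - 1] > us[i]) {
            sorted[j] = sorted[j - 1];
            j--;
        }
        sorted[j] = us[i];
    }
    return sorted[n / 2];
}
```

A train of perfectly uniform pulses still passes this check, so it only addresses the single-outlier case described in the post.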
It appears my counter-theory was way off. All hail beyduino!

At this point, based on your explanation, I feel like there might be some merit in trying to replicate your error just in case it was a fluke. I mean... It sounds flukey. There must be a lower microsecond limit beyond which the logger cannot compute a reading - maybe you just walked the line and got a partially corrupted return? Only way to test is to try again, I guess. Sorry I can't help decipher the page itself.

EDIT: No, no, no, that can't be right. The secret must be in the error screen itself. Argh, want to know what it says so bad! Do you have a text version of that image?
(Sep. 06, 2016  12:33 AM)Beylon Wrote: Argh, want to know what it says so bad! Do you have a text version of that image?

I had somebody translate it for me. It says:

Quote: Beylogger Data Error

Beylogger data may be corrupted. [AI090]

Everything was back to normal the next day, and I haven't pushed it that far again.

Since then I've been trying to see how the number of launches relates to how many points you get. It looks like it's a logarithmic function:

[Image: 5PCnKaI.jpg]

(This is all at the same power level somewhere under 700)
Wow! So I guess that means you crossed the magic line. The chart plot doesn't really surprise me, I guess; electronic games always cheat!

Every time I visit this thread, I feel like I'm on drugs. It's just super amazing.

Edit: speaking of drugs, could you artificially overcome the performance drop-off by increasing the rip power to compensate?
How do I turn it off?
(Feb. 07, 2017  12:43 AM)Beybladerocx2 Wrote: How do I turn it off?

Turns off automatically after 5 minutes.
(Sep. 20, 2015  11:33 PM)Beyduino Wrote: I decided to put more time into it again. I wanted to remove the LED flashing into the reflectance sensor, and replace it with directly feeding the Beylogger a signal.

I found the pin on the reflectance sensor and hooked up my oscilloscope. I ripped my hardest with all these wires, and here was the signal:
[Image: aYdmgDC.png]
 
 
I recreated it with the Arduino, here is the signal for that:
 
[Image: BaaEuCa.png]

It works, but I still can't go higher than 712!

If I could rip 1500 by hand, I think the signal would look similar, but just at a higher frequency. But if I increase the frequency in the Arduino, the Beylogger just makes an error.

Another problem is, if I did rip 1500 by hand, then I would never be able to tell how hard I ripped in the future, since the app only tells the highest rip.

So in the end, I was successful in removing the LED and just feeding it a signal directly, but I was not able to get above 700 in ripping power.

I think next, I will forget about ripping power, and see if I can spoof the entire beylogger. Just hook up an Arduino directly to the smartphone, and have the Arduino pretend to be the beylogger. Maybe that way I can spoof 1500 power and 200+ launches.


How to get reflectance sensor data on Arduino? Can we get the data in every launching?