Recon on Disney's MagicBand

by EndlessFapping

The people at Disney have invested a billion dollars in developing a waterproof high-tech wristband that's meant to be an all-inclusive pass to everything Disney.

The wristbands are in use at the resorts, parks, and cruise ship.  The bands can be used for a multitude of things like resort room access, purchasing products, ride fast passes, individualized ride experiences, and even location tracking.  Purchases are made by establishing a PIN, in conjunction with the wristband.  This creates a two-factor authentication mechanism when visiting concessions or buying products.

The wristbands are a marketing data gold mine.  Disney will be able to track which rides get used as well as family spending habits and perhaps even track foot traffic through their parks.  It also makes spending money easier for their guests - think people at the pool.

Intrigued, I wanted to learn more about these new high-tech toys of Disney's, so naturally after looking online I was able to locate the FCC ID (Q3E-MB-R1G1) of the wristband and search the FCC website for information on the band itself.  Unfortunately, I'm not an RF guru, but I figured doing some recon would be fun and I could let others use the information.

Digging through the FCC site, I was able to find out the wristbands themselves are powered by a non-replaceable coin battery and contain UHF and HF RFID tags.  The antenna is embedded into the PCB, which itself is overmolded in plastic to prevent access to the internals without creating permanent damage to the parts.  The antenna type is an inverted-F with a maximum gain of 0 dBi with no RF connector between the radio and itself.  The wristband operates completely in the 2.4 GHz band.  NFC and RFID appear to be enabled on the device.

I wanted more info on the infrastructure the wristband communicates with, so I started snooping and found a LinkedIn profile of a Disney employee that has all of the FCC OEM IDs of the proprietary infrastructure devices listed proudly as devices he helped develop.  Those FCC OEM IDs may have been a bit more difficult to find were it not for that profile.  Thanks, Disney Manager guy!

The following descriptions were pulled from the LinkedIn profile and will probably be useful:

Experience Touch Point:  (FCC ID: Q3E-XTP-R1G1 / Q3E-XTPRA-R1G1) - An HF RFID reader used at Disney park entry locations, FastPass+ Attractions, and the Test Track attraction at Epcot.  Combines advanced light and sound to deliver a unique touch interaction with the MagicBand.

Long-Range Reader:  (FCC ID: Q3E-XBR-R1G1 / Q3E-XBR-S-R1G1 / Q3E-XBR-R1G2) - A 2.4 GHz RF transceiver that communicates with the MagicBand and provides Magical experiences for Disney Guests and key operational metrics.  There are three models in use today to support various use cases.

Experience Payment Device:  (FCC ID: Q3E-XPD-R1G1) - Provides a unique payment experience for Disney Guests supporting "Touch to Pay" with the MagicBand and other payment methods.  Highly themed to fit the MagicBand ecosystem.  Can be seen today at all Disney Resort front desks and Point of Sale locations.

MagicBand:  (FCC ID: Q3E-MB-R1G1)

Experience Touch Point:  (FCC ID: Q3E-XTP-R1G1 / Q3E-XTP-RA-R1G1)

Long-Range Reader:  (FCC ID: Q3E-XBR-R1G1 / Q3E-XBR-S-R1G1 / Q3E-XBR-R1G2)

Experience Payment Device:  (FCC ID: Q3E-XPD-R1G1)

Interestingly, I tried sharing the guy's LinkedIn profile with a friend of mine and my friend was unable to view the profile because he was too far removed from the guy in question.  Ironically, I was able to see the guy's profile almost entirely because I was not logged in as a LinkedIn user.  Go figure that rationale.

Browsing through the FCC documentation, I could see requests to keep some of the information confidential.  Unfortunately, it looks like that was accomplished on some of the material.  I figured more information would likely eventually be pulled off the public facing FCC site, so I copied all of the information I could find, including snippets from the LinkedIn profile.

I've zipped all of that information up and made it exclusively available for 2600 readers here: www.filedropper.com/magicbandsystem-2014-05-29

Enjoy!




I did a teardown (more like a rip-apart) as well and then I found your article. The central chip they couldn't figure out has the marking NRF CO 24LEDN, which I think stands for a custom version of the NRF24LE1 for Disney ("DN") from Nordic Semiconductor. A quick look at the Nordic Semiconductor site provides this information:

The nRF24LE1 integrates an nRF24L01+ 2.4GHz RF transceiver core, enhanced 16MHz 8-bit 8051 compatible CPU, 1kB + 256B RAM, 16kB embedded Flash, and a wide range of system peripherals including a hardware AES accelerator, 16MHz and 32kHz RC oscillators, ultra low power 32kHz crystal oscillator, 12-bit ADC and SPI, 2-wire and UART serial interfaces.

The nRF24LE1 is available in 3 package options (the first one looks exactly like the chip in the band) - 4 x 4mm 24-pin QFN with 7 generic I/O pins
