Discovering the Magic

A hardware hacker reverse engineered a Disney MagicBand, but the Mouse did not give up his secrets without a fight.

Nick Bild
1 year ago
Wearables
Hacking a Disney MagicBand (📷: A. Christophel)

The Disney MagicBand is a bracelet-like wearable device offered to guests visiting Disney theme parks and resorts. This wristband combines various functionalities to enhance the guest experience during their stay. It acts as a ticket, room key, and payment method, providing a bit of convenience and eliminating the need to carry multiple cards or cash.

With the MagicBand, guests can easily access the parks, their hotel rooms, and make purchases throughout the resort by simply tapping the band on designated touchpoints. Disney intends this device to streamline and simplify the guest's experience at the parks, but of course these MagicBands are a proprietary hardware platform, so no one outside of Disney really knows what these devices are doing.

That is just the sort of thing to pique a hardware hacker’s interest, so when Aaron Christophel got his hands on a MagicBand, his first thought was to tear it down and see what makes it tick. After getting at the hardware, Christophel immediately noticed a few important things — first was a near-field communication tag, which is not very surprising. One could guess that this is what makes the MagicBand taps work. But somewhat unexpectedly, there was also a microcontroller. Specifically, it was a Nordic Semiconductor nRF31512 chip.

Part 1: Dumping the firmware

This chip is the key to understanding any advanced functions this band may be capable of, so Christophel wanted to dump the firmware for evaluation. He was initially unable to find a datasheet for the chip, so he did some reverse engineering, and checked the datasheet of a similar chip, to determine the likely pinout. With this knowledge, he connected an ESP32 to the debugging interface and started poking around.

Pretty quickly Christophel realized that this was not going to be an easy job. The contents of the flash memory always read out as zeros, and a status register was stuck on the value 4. Nearly ready to give up, he threw a Hail Mary and asked ChatGPT what to do. This actually turned out to be useful, as ChatGPT was able to provide him with the datasheet for the chip.

Scanning the datasheet showed that the reverse-engineered pinout was almost correct, and that the status code of 4 meant that readout protection was enabled, which explained why flash memory could not be read. Some other similar microcontrollers can be tricked into disabling this memory protection via a technique called voltage glitching. So, an Arduino sketch was written to provide glitches on the DEC2 pin, which is tied to the core voltage rail, and then attempt to read the firmware. After a short time of testing different voltage glitch patterns, this setup was able to successfully dump the firmware.

The raw machine code is extremely difficult to make any sense of, so it was fed into a decompilation tool that translated it into C++ code. The generated code is still challenging to make sense of, as things like meaningful variable names and comments are lost, but it is still far better than machine code.

Part 2: Analyzing the firmware

Christophel did a deep dive into the code, and after a lot of analysis, and some trial and error with a HackRF One and a transmitting ESP32, a sequence of bytes was finally discovered that would trigger the MagicBand to respond. The response packet appeared to contain the wristband’s unique ID, the battery level, and a couple more unknown pieces of data.

This is as far as Christophel got with his research, so the Mouse’s secrets are mostly safe, at least for now. He has described his methods and released all of the source code he used along the way, so others can follow in his footsteps and perhaps go further.

The nRF31512 flash memory can only be written once, so if you had hoped to replace the firmware with your own custom version, you would be out of luck. Christophel suggests that if you have a spare MagicBand lying around, you could leverage it as a proximity sensor, however. By transmitting the magic number sequence to the device, and receiving a fixed response containing the device's ID, one could assess the signal strength for this purpose. The real utility of a MagicBand outside of the parks is probably very limited though. But by following Christophel's work, one could learn a lot about debugging and reverse engineering embedded hardware systems.
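Turning the received signal strength of the band's fixed response into a usable "near/far" indication takes a little more than reading one RSSI value, because single readings jitter by several dB. The example below is added here and is not part of Christophel's released code; it assumes the radio front end hands back one RSSI reading in dBm per response, and the calibration constants (RSSI at 1 m, path-loss exponent, and the near/far thresholds) are placeholders chosen for illustration, not values from the page. It applies the log-distance path-loss model for a rough distance estimate and a smoothed, hysteresis-based state machine so that the indication does not flap on every noisy reading.

```python
def rssi_to_distance_m(rssi_dbm: float, rssi_at_1m: float = -60.0, n: float = 2.0) -> float:
    """Log-distance path-loss model: RSSI(d) = RSSI(1 m) - 10 * n * log10(d).

    rssi_at_1m and the exponent n are assumed calibration values; they would
    have to be measured for the actual band, receiver and environment.
    """
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * n))


class ProximityDetector:
    """Exponential smoothing plus hysteresis over per-response RSSI readings."""

    def __init__(self, near_dbm: float = -65.0, far_dbm: float = -75.0, alpha: float = 0.5):
        # Thresholds are assumed; the gap between them is the hysteresis band.
        self.near_dbm = near_dbm
        self.far_dbm = far_dbm
        self.alpha = alpha          # weight of the newest reading in the moving average
        self.smoothed = None
        self.state = "far"

    def update(self, rssi_dbm: float) -> str:
        if self.smoothed is None:
            self.smoothed = rssi_dbm
        else:
            self.smoothed = self.alpha * rssi_dbm + (1 - self.alpha) * self.smoothed
        # Only flip state once the smoothed value has crossed the far-side threshold.
        if self.state == "far" and self.smoothed >= self.near_dbm:
            self.state = "near"
        elif self.state == "near" and self.smoothed <= self.far_dbm:
            self.state = "far"
        return self.state


def run_trace(readings, **detector_kwargs):
    """Feed a sequence of RSSI readings through a fresh detector; return the state after each."""
    det = ProximityDetector(**detector_kwargs)
    return [det.update(r) for r in readings]


# Constructed trace: band approaches, sits nearby with a noisy dip, then leaves.
APPROACH_AND_LEAVE = [-82, -80, -72, -64, -58, -60, -70, -73, -71, -84, -86]

if __name__ == "__main__":
    for rssi, state in zip(APPROACH_AND_LEAVE, run_trace(APPROACH_AND_LEAVE)):
        print(f"rssi={rssi:4d} dBm  est={rssi_to_distance_m(rssi):5.1f} m  state={state}")
```

The dip to -73 dBm in the middle of the trace stays "near" because the smoothed value never reaches the -75 dBm far threshold; without the hysteresis band the indicator would flicker on exactly that kind of reading.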

Nick Bild
R&D, creativity, and building the next big thing you never knew you wanted are my specialties.