Escort Max 360 teardown

Hardware

The device is actually quite complex and its design appears to be well thought through. Let's see what's inside...

Right after taking the cover off, we see the main board featuring:

  • Macronix 64Mbx8 flash (MX29GL512FHXFI-11G). This memory holds Escort Defender location database as well as user-saved marked locations.
  • Xilinx XC6SLX25 Spartan6 FPGA
  • Micron 512Mbx16 DRAM (MT47H32M16NF-25E) that FPGA likely uses for sampling
  • CSR Bluetooth module next to the speaker
  • OLED display cable (top right) and directional arrows RGB LEDs cable (bottom right). The OLED display is a custom 160x32 OLED module from Wisechip (FKA Univision). Part number: UG-6032ADEAF01

    CSR Bluetooth serial module close-up:

    FPGA & DRAM close-up:

    The opposite side of the board assembly features a GPS antenna and control buttons. Front horn sensor and laser sensor are visible on the left. Rear horn sensor is under the board in the top right corner.

    There are actually 3 PCBs in the sandwich. Front and back detector horns are mounted on the middle board (blue). The opposite side of the main board features two Freescale/NXP Kinetis_L CPUs and a couple of serial flash chips (one with firmware that controls the FPGA and the other contains either FPGA firmware or Escort Defender database -- to be determined). The main CPU is MK20DX256VLQ10 (ARM Cortex-M4 @ 100MHz). The chip has almost no security features and it is easily accessible and customizable.

    Main CPU close-up. Aux CPU is in the top-center of the picture. The two serial flash chips on the right store audio samples (25L6406) and antenna firmware (25L1606)

    Firmware

    Five pieces of firmware are upgradeable in the device:

  • Main CPU firmware, based on Freescale MQX (current version 4.83 uses about 245kB out of available 512kB)
  • Aux CPU firmware which controls the FPGA (version 1.1, about 40kB)
  • FPGA firmware (version 1.4, 1.6Mb)
  • CSR Bluetooth firmware (version 3.4, 725kB)
  • Audio flash (version 2.3, 4.4Mb) containing 16bit/8kbps voice and sound samples

    • The main MQX firmware runs the following threads:

  • Main UI thread
  • 2 GPS threads
  • Marked locations thread
  • Backlight thread
  • Voltage monitoring thread
  • Radar detector thread
  • Bluetooth thread
  • ZRX thread
  • Audio thread
  • Keyboard i/o thread
  • EEPROM storage thread
  • Directional arrows thread
  • Two serial i/o threads (USB and serial)

    • Software: Detector Tools

    The Escort Detector Tools app lets you update detector firmware and perform Escort Defender database management functions. The tool itself is a rather heavy .net/C# application that communicates via SOAP with a service hosted at www.escortradar.com. A considerable amount of code in the tool is dedicated to covertly keeping track of sold detectors' serial numbers and their subsciption statuses as well as obfuscating web service communications. The number of hardcoded passwords, AES, and XTEA keys in the tool is in the dozens (let's not publish them here). Luckily, most, if not all obfuscations are pathetically easy to bypass.

    Software: Escort Live

    Similarly to the Escort Detector Tools, Escort Live mobile app contains quite a bit of tracking code and collects location information and many other metrics from its users. That data, according to Escorts privacy policy, is retained forever and shared with marketers and others. By the way, if your Escort Live username happens to be "nbulatovic", you are out of luck. The app (at least the current Android version of it) has a kill switch that erases flash in your radar detector.

    Escort Live Bluetooth protocol

    The BT protocol uses a fairly simple custom binary serial communications. It contains (again, easily bypassible) protection measures intended to restrict communications to only Escort-provided tools. Unfortunately, while Escort was spending time developing crazy bit-flipping and checksumming algorithms, they totally forgot to include any security features into their communication mechanism. This means that anybody within bluetooth range can pair and communicate with any Escort bluetooth-enabled device (which you can easily identify by their bluetooth address prefixes D8:76:0A and B0:B4:48). The BT protocol, by the way, contains flash erasing and updating functions. Bluetooth requests and responses use the following format: 

    F5 nn cc dd dd ...

F5 is a start marker. All data packets start with it. 
The next byte (nn) is the lenght of the remander of the cata packet (following nn).
cc is a command code. Detector suports about 50 commands (0x80..0xB4)
dd is zero or more data bytes
    As soon as you connect to the detector, it will send you a challenge that must be properly responded to in order to unlock further communications (challenge request looks like this: F5 0B A1 xx xx xx xx xx xx xx xx xx xx). The challenge/response mechanism uses two XTEA keys (one for detector and one for the client). You must re-encrypt and respond with a packet that the detector will then validate and allow other commands to be sent)

    USB communications

    USB works similarly to Bluetooth. First, you must unlock comuications by requesting (via USB control transfer) an 8-byte challenge, encrypting it using the key derived from the detector's serial number, and sending the resose back (control transfer). Once unlocked, you can send requests (via USB bulk transfers) to the bootloader to write code shippets to the main CPU ram and execute them. Detector Tools downloads code snippets for your model of radar detector from escort's website. There is also a set of control transfer commands for setting device parameters, such as is serial number.

    What is the cost?

    By our estimate, the total manufacturing cost of Escort Max 360 is approximately $150. After factoring in affiliate discounts and process expenses, it looks like Escort rakes in approximately $400 in profits from each Max 360 device sold.

    Footnote

    Max360 is a great device and it is good at what it does. It could be much better though if Escort opened it a bit more. While the BT protocol is easy to reverse engineer, firmware customization without the source code is very limited. Open-sourcing the main firmware could allow Escort users to make the device infinitely more capable.