Scoreboard Hacking Part 2 - Getting the AES Key

We discussed this vulnerability during Episode 156 on 04 October 2022

Great series of posts covering the author's research progress and eventual owning of a wireless scoreboard system. Unlike a lot of the attacks we cover, this one had more of a hardware and even radio-signal focus. What is most interesting is the inclusion of the dead ends and the thought process involved. Eventually the author manages to sniff the (rather simple) AES key by man-in-the-middling the communication bus, but several other ideas were explored first. While the others did not work, they were educational.

The third post dives into figuring out the actual radio signal being sent, recovering the state of the LFSR RNG used for "data whitening" by brute force. It also talks about some interesting possible attacks that could have been pulled off now that they had reversed the encryption key and could maliciously communicate with the scoreboard.