Full protocol teardown of Pricer infrared electronic shelf labels (ESLs): PHY modulation, MAC frame format, PLID addressing, and working attack primitives for price/image changes.
Key Takeaways
Pricer uses 940 nm IR with Pulse Position Modulation (PPM): PP4 averages 13.1 kbps, PP16 averages 52.35 kbps for graphic tag updates.
The MAC layer assigns each tag a unique 32-bit PLID derived from a 17-character Code128 barcode; Pricer uses no encryption, only a 16-bit key with a known default value.
Infrastructure chain is management server -> base stations -> up to 32 transceivers via RS-485 -> line-of-sight IR to tags; dark zones are a real deployment constraint.
Confirmed attack surface: change displayed price or image, lock a tag for hours by flooding communication; battery drain and firmware reflash remain theoretical but structurally plausible.
Reference implementation PrecIR is on GitHub; ESL Blaster provides a compatible USB IR interface for experimentation.