Reverse Engineering the Firmware Loader for an X-Rite Spectrophotometer


I recently came across a couple of X-Rite/Pantone RM200 spectrophotometers on eBay for cheap. No power-on test, no cable, and no packaging, but for $20 each I had to buy them. The devices — the RM200 — go for hundreds of dollars new, and are still pretty recent. For my readers who aren’t massive nerds when it comes to color science, a spectrophotometer is a device that, well, measures color. The idea is you can point it at a surface and obtain a calibrated measurement that can be referenced against a standard system, and in the graphic design world, Pantone conveniently provides a proprietary (and expensive) one. Historically, to match a color, you would buy a book of color chips, hold them against the color you are trying to find, and visually compare them. A spectrophotometer can help take some of the guesswork out of the equation and, in the case of the RM200, let you measure colors on the go, which can then be synced to your computer for use in software like Adobe Creative Cloud. So when my $20 units arrived, I was excited to see whether they would even power on.

They did! But there was a catch: when I booted them up, I was greeted with a disappointing “Pantone + Sephora” splash screen. They were the cosmetics model, and could only measure skin tones.

Many Models

It turns out that there are several versions of the RM200: the base model, which you can load tons of different color “fans” (Pantone books) onto; a high-end RM200QC model, which is aimed at quality control (and is very expensive); and the cosmetics model, which was meant for use in beauty parlors to measure skin tones. Since finding that juuust right shade of foundation isn’t often an issue in my life, this last one didn’t seem very useful to me.

I did notice, however, that the cosmetics model and the base model looked identical, aside from the logo at the top of the unit. Some had X-Rite branding, some Pantone, and others specific makeup brands such as No7. I suspected that, maybe to keep production simple, they were actually the same hardware, and the cosmetics model was just crippled with limited firmware.

Fussing with Firmware

To test that theory, I installed the Capsure Sync software that X-Rite provides to update firmware and install color fan decks. As expected, it registered my units as the RM200 Cosmetics, and the only profile shown was the skin tone fan deck. Inspecting the software logs, it seemed that every time a device was connected, it queried the X-Rite servers to check for updates. What if there was some way I could fool the sync utility into grabbing the wrong firmware files?

I started by decompiling the X-Rite software to see what makes it tick. It was a .NET application, so JetBrains dotPeek made quick work of it. After some digging, I found that when the RM200 is attached, the Sync software queries its serial number, which it sends off to the X-Rite servers. The servers reply with the appropriate firmware, which gets flashed to the device. My initial plan was to hardcode the serial number from a base model device and recompile the code, but as it often goes with reverse engineering, the damn project just wouldn’t build. I’m sure someone better-versed in the ways of C# and Visual Studio build environments could have gotten it going, but not me. Time for Plan B.

Captured traffic in Fiddler Classic

For the software to download firmware files, it first had to request them. The new approach was to listen for the request, intercept it, and rewrite it before sending it off to the internet (replacing SN “ABC” with “123”). This turned out to be fairly straightforward using Fiddler Classic. With a capture running, I plugged the device in and saw some requests to the X-Rite servers roll in. Inspecting them, I found a handful that included the serial number — these were the ones I needed to mess with. A cool feature of Fiddler that I learned about in the course of this project is its ability to intercept, rewrite, and retransmit requests based on rules defined in a script. And this was a very simple change to make: if a request contains the original serial number (deviceID in the request), replace that string with a new one. Now I just needed the serial number of a base model, which I was able to find on the label of a unit in an eBay listing photo.

No, DFU doesn’t stand for Don’t Fuck Up (but I was thinking it at this stage)

I set up the rule and tried plugging the device in again — and got an error! Success! Sort of. It turned out that the software first sends the SN alone, just to see if it’s been registered. It later sends a second request for the firmware files, but this includes another variable (securityKey) for verification. After some more digging in the decompiled source, it turned out that the securityKey was just a formatted copy of the Chip ID — a value reported in the “Device Info” screen of the RM200. This was tricky, because there aren’t many photos online of a unit with that screen open, and most of the ones I was able to find just happened to be the cosmetics model. It took some googling, but I eventually found a demo video in Spanish that happened to show that screen with the Serial Number and Chip ID proudly displayed at the bottom.

I rewrote the Fiddler rule to replace the securityKey as well as the deviceID, plugged the unit back in, and — no error! After a bit of loading it informed me that it had a new firmware update to install, along with a whole list of fan decks. I was a bit surprised (and relieved!) that there wasn’t any kind of secondary validation built into the sync utility that confirmed the firmware delivered from the server was actually appropriate for the device being flashed. After everything downloaded, the RM200 rebooted into a DFU mode for flashing, and once everything was copied over, rebooted once more.
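The check the paragraph above says the sync utility lacked, written as an added example (not X-Rite's code): before entering DFU mode, the client compares every field of the package the server delivered against the identity the attached unit itself reports, so a response obtained for some other unit's serial or chip ID is refused. The manifest layout, the HMAC stand-in for a vendor signature, and the sample serials and chip IDs are assumptions constructed for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed stand-in for the vendor signing secret; a real client verifies a public-key signature.
VENDOR_KEY = b"example-vendor-key-not-real"

@dataclass
class DeviceInfo:
    """What the attached unit reports over USB (constructed sample values)."""
    model: str
    serial: str
    chip_id: str

def build_manifest(device, image):
    """Server side: describe an image and the exact unit it was issued for."""
    return {"model": device.model, "serial": device.serial,
            "chip_id": device.chip_id, "sha256": hashlib.sha256(image).hexdigest()}

def sign_manifest(manifest):
    """Server side: bind the manifest to the vendor key (signature stand-in)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()

def validate_firmware(device, manifest, signature, image):
    """Client side: reasons the image must NOT be flashed; an empty list means OK."""
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return ["manifest signature invalid"]  # nothing else in it can be trusted
    problems = []
    if manifest["model"] != device.model:
        problems.append(f"firmware is for {manifest['model']}, device is {device.model}")
    if manifest["serial"] != device.serial:
        problems.append("manifest serial does not match attached device")
    if manifest["chip_id"] != device.chip_id:
        problems.append("manifest chip ID does not match attached device")
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        problems.append("firmware image digest does not match manifest")
    return problems

def demo():
    """Replay the post's scenario: a cosmetics unit is handed a base-model package."""
    image = b"\x7fRM200-FIRMWARE-IMAGE-CONSTRUCTED"
    cosmetics_unit = DeviceInfo("RM200 Cosmetics", "ABC", "CHIP-COSMETIC-0001")
    # Package the server issued for a base model after the "ABC" -> "123" rewrite in transit.
    base_model = DeviceInfo("RM200", "123", "CHIP-BASE-0002")
    manifest = build_manifest(base_model, image)
    return validate_firmware(cosmetics_unit, manifest, sign_manifest(manifest), image)
```

With this in place the rewritten request still fetches the base-model package, but the flash step refuses it because the model, serial and chip ID all disagree with the unit on the cable.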

Counting Colors

This time, rather than the “Pantone + Sephora” splash screen, there was only X-Rite branding. I was thrilled it was even able to boot with its sibling’s firmware, but would it be able to read accurately?

After a quick calibration I got my answer — sort of. The weird thing about color is that standards are a bit complicated. I have some old Pantone fan decks (the physical ones, not the ones loaded onto the RM200) from the 90s, but they can fade over time. Pantone suggests you replace them every twelve months, though it’s not clear whether that recommendation comes from their research department or marketing department. Anyway, many of the readings were dead-on, and most were within a shade or two.

This one. It’s green. PMS 418 C.

It was rare to get a far-off reading, but when I did it was usually reporting a color that didn’t even exist in the fan deck I was sampling, so it’s difficult to evaluate just how good those readings were. Overall, it appears to be reporting shades accurately, but without a stock base model to compare to, it’s hard to say definitively. It’s certainly good enough for me, and that’s not a phrase I use lightly when it comes to measurements. Maybe I can finally prove to my old college roommate that our Xbox controller was green, not gray.
