Decoding small QR codes by hand - Solder and Flux

http://blog.qartis.com/decoding-small-qr-codes-by-hand/[19/01/2014 4:10:31]

Solder and Flux

Decoding small QR codes by handIt's not hard to decode QR codes with a pen and paper. For this guide I'mgoing to grab a random QR code from google images and show the processof decoding it by hand. QR codes contain a lot of error correction informationand they can survive a lot of errors, but that's a lot harder to do using just apen and paper (and 99% of the QR codes you encounter don't have anymissing bits, so it's rarely necessary). So I'll highlight where the errorcorrection information is stored, but I won't explain it in this guide.

The picture I found is from http://mikejcaruso.blogspot.ca/2011/04/qr-code-tattoos.html

Before we begin we should rotate it to the proper orientation. QR codesalways have 3 timing patterns (big black squares) in all the corners exceptfor the bottom-right. So we need to rotate our picture 90 degreescounterclockwise:

My name is Andrew Fuller and I'm a

computer engineer from Vancouver,

Canada. This blog is about all the

things that make me tick.

Email: qartis@gmail.com

Code: github.com/qartis

Recent PostsLaser distance meter update: serial

commands, timing measurements

Parsing laser distance meter serial

output

Translink magnetic ticket format

Arduino laser distance meter

Problems with 23K256 and

AVR/Arduino

ArchivesOctober 2013

August 2013

July 2013

February 2013

December 2012

October 2012

August 2012

April 2012

March 2012

Simple hardware and software development

Decoding small QR codes by hand - Solder and Flux

http://blog.qartis.com/decoding-small-qr-codes-by-hand/[19/01/2014 4:10:31]

The first thing we should learn is what QR code version we're looking at.The version basically just represents the physical size of the QR code. Countthe number of pixels (or modules) across the QR code, subtract 17, anddivide by 4. For example, our tattoo QR code is 25 modules wide, and (25-17)/4 = 2, which means this is a version 2 QR code. Very big QR codes(versions 7-40) have a few extra features, but most consumer QR codes arefairly small and simple, so you don't need to worry about that.

Next, we will figure out our QR code's format marker. Every QR code storestwo identical copies of the format marker, but we only need one of them. Theformat marker is 14 bits long: 5 bits of format information, and 9 bits for errorcorrection. The first 5 bits of the format marker hold the error correction level(2 bits) and the data mask (3 bits). These 5 bits are found here:

So in our case the format information is 01100. However this number hasbeen XOR'ed with 10101 before being written into the QR code. So we mustflip bits 1, 3 and 5. After flipping the bits, we get a format information stringof 01100^10101 = 11001. The first two bits of this value are the error

Decoding small QR codes by hand - Solder and Flux

http://blog.qartis.com/decoding-small-qr-codes-by-hand/[19/01/2014 4:10:31]

correction level (the amount of error correction data included in the QRcode). Again, we can ignore this. The last 3 bits of the format string are 001,and this is the most important piece of information. This means the body ofthe QR code has been masked against the mask number 001. Here is atable of all the possible mask numbers and their appearance:

Here's where you need the pen and paper. The reason QR codes aremasked in the first place is that sometimes particular combinations of databytes produce QR codes with certain undesirable features (like big emptyblocks in the middle). These undesirable features confuse the QR codereader, so the data is masked against a value in order to make the codeeasier to process when it's scanned by a QR code reader. The computerthen unmasks the original data bytes using the same process, and retrievesthe data.

You can imagine the masking process as essentially covering the surface ofthe QR code in one of the patterns seen above, starting from the top leftcorner. In our case we have a mask reference number 001, which means allof the odd-numbered rows are black. Once we've tiled the surface of ouroriginal QR code using the mask pattern, then every black pixel in the maskmeans we need to invert the corresponding bit in the original QR code. So inour case, we need to (in our mind, or using the pen and paper) invert all ofthe bits on odd-numbered rows. Note that we only mask the data pixels, andnot the timing patterns or the format marker (otherwise we wouldn't knowhow to unmask it to get the mask reference number!). The data areas arethe yellow areas in this picture:

Decoding small QR codes by hand - Solder and Flux

http://blog.qartis.com/decoding-small-qr-codes-by-hand/[19/01/2014 4:10:31]

I've highlighted the data areas of the tattoo QR code below:

Note that there's a little island in the middle of the data area that we mustwork around. That's called an alignment pattern, and whenever you see onein the data just skip past it to read the data bytes.From now on we need to always remember the mask pattern above, andwhenever we read bits from the data section we need to account for themask pattern, and flip any bits that would be masked off by it (in our case,that's every odd row).

The data section consists of [header][data] chunks. Technically QR codesare allowed to have several of these chunks, but most QR codes just haveone big chunk that holds all the data, so it won't matter. The header has anencoding type and a length (the number of data bytes). The encoding typeis always 4 bits, but the length is stored in 8-10 bits depending on theencoding type. Here's the encoding type of our tattoo:

Decoding small QR codes by hand - Solder and Flux

http://blog.qartis.com/decoding-small-qr-codes-by-hand/[19/01/2014 4:10:31]

But remember, every odd row needs to have its bits inverted. To help usremember, I'll add a green dot inside every pixel that should be invertedwhen we read it:

Now, the encoding type is stored as the bottom-right 4 bits, starting from thebottom right and working left and right in a zig-zag motion. So in our case,the tattoo itself has the bits 1000. However the bottom row is masked, so weinvert the first two bits: 0100. This means that our QR code's encoding typeis 0100. Here's the table of encoding types:

0001 Numeric0010 Alphanumeric0100 8-bit Byte

The other encoding types are rarely used in consumer QR codes. They'reused for encoding japanese characters, custom charsets and spreading amessage across several QR codes in series. For our purposes these 3encodings will be enough.

Decoding small QR codes by hand - Solder and Flux

http://blog.qartis.com/decoding-small-qr-codes-by-hand/[19/01/2014 4:10:31]

So that means that our QR code uses 8-bit byte encoding. The next piece ofinformation is the length field, or the number of characters (clusters of bits)that are in the message. Like I said, the length field changes size dependingon the encoding type. Here's the number of bits in the length field, for eachencoding type:

Numeric (10 bits)Alphanumeric (9 bits)8-bit Byte (8 bits)

Since we're using 8-bit byte mode, our length field is 8 bits long. We readthe next 8 bits in a vertical zig-zag motion, like this:

So the tattoo itself contains the bits 11011100 (reading from bottom to top).However we need to mask two of these rows, so the actual length field hasthe value 00010000. That's 16 in decimal, which means this QR code has amessage that is sixteen 8-bit bytes long. After the length field, the bytesthemselves are stored, one after another, MSB first. We continue climbing ina vertical zig-zag motion until we hit the top, and then we curl over andcontinue downwards as seen in this picture:

Decoding small QR codes by hand - Solder and Flux

http://blog.qartis.com/decoding-small-qr-codes-by-hand/[19/01/2014 4:10:31]

← Previous Next →

So the first byte would be 10000110 (masked), which is 01001101(unmasked). That corresponds to ASCII character 'M'. The next byte wouldbe 10101101 (masked), which is 01100001 (unmasked). That corresponds toASCII character 'a'. So far we've decoded "Ma".

Continuing up and around the corner: 10100000 (masked), or 01100011(unmasked). That's ASCII 'c'. Then it's 'i'.

By continuing in this way, we can decode the full message: Maci Clare Peltz.

Decoding small QR codes by hand - Solder and Flux

http://blog.qartis.com/decoding-small-qr-codes-by-hand/[19/01/2014 4:10:31]

© 2014. Solder and Flux. Powered by WordPress. Cleanr theme by WPShoppe.