ez430-Chronos BlueRobin reverse engineering
This is a quickly written draft; it will be reviewed.
Hello
Here is a little tutorial to give you some ideas for reverse engineering and hacking your next gadget.
Today I would like to find out how the BlueRobin chest strap communicates with the ez430-Chronos.
The software delivered with the watch contains a « BlueRobin emulator ».
The software only launches when the CC1111 dongle is plugged in – OK, no problem.
The dongle is seen as /dev/ttyACM0 and is configured at 115200 baud.
Let's assume we have two CP2102 dongles providing the USB serial ports /dev/ttyUSB0 and /dev/ttyUSB1,
and that they are connected together (crossed) like this:
gnd ---- gnd
RX  <--- TX
TX  ---> RX
Close the software and unplug the CC1111 dongle.
Plug in the two CP2102 dongles (FTDI dongles will certainly work too).
Create a fake ttyACM0 symbolically linked to /dev/ttyUSB0:
sudo ln -s /dev/ttyUSB0 /dev/ttyACM0
Set the speed of both dongles:
sudo stty -F /dev/ttyUSB0 speed 115200
sudo stty -F /dev/ttyUSB1 speed 115200
In a terminal, be ready to read the output of ttyUSB1, i.e. what the software sends to ttyACM0:
cat /dev/ttyUSB1 | xxd -p
The problem here is that xxd only writes a line to the terminal once it has a full line. We could use the option « -c 10 » or even « -c 1 » to shorten the lines, but the output would be hardly readable.
I preferred to send a bunch of zeros from another terminal with this command:
echo 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | xxd -p -r > /dev/ttyUSB0
So this trick helps me cut the communication into several « sentences ».
In the end, I get this (I added some comments while capturing to remind me what each « sentence » means):
mathieu@confusion:~$ cat /dev/ttyUSB1 | xxd -p
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000ff01030aff00
04000aff0004000aff0004000aff0004000aff0004000aff0004000aff00
04000aff0004000aff0004000aff0004000a000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
init ^^^ control center launch
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000ff030798ffff000aff02030aff0504280aff
0a060000000aff0504290aff0a060000000aff05042a0aff0a060000000a
ff05042b0aff0a060000000aff05042c0aff0a060000000aff05042d0aff
06030aff0a060000000a0000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
start, sweep from 40 to 45 bpm, then stop
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
00000000ff030798ffff000aff02030aff05042d0aff0a060a00000aff05
042d0aff0a061401000aff05042d0aff0a061e02000aff05042d0aff0a06
3205000aff05042d0aff0a063c07000aff05042d0aff0a06500a000aff05
042d0aff0a065a0e000aff06030a00000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
start, sweep from 1 to 10 km/h, then stop
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
0000000000000000ff030798ffff000aff02030aff05042d0aff0a06110f
000aff05042d0aff0a062110000aff05042d0aff0a063112000aff05042d
0aff0a065116000aff05042d0aff0a06611a000aff05042d0aff0a06811f
000aff05042d0aff0a069125000aff06030a000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
start, sweep from 1 to 10 mph, then stop
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
TX ID: 1677711
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000ff07030aff31160380000007
d90101061e0000000000000000000aff0004000a00000000000000000000
000000000000000000000000000000000000000000000000000000000000
0000000000000000ff31160381020307d90101061e000000000000000000
0a0000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000ff31160381020307d90706
061e0028000500000000000a000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
ff3116070000000000000000000000000000000000000aff09030a000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
^^^ here I try to set the time: 01:02:03 AM, 4°C, 5 m altitude...
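To make sense of the dump, here is an added example (my own script, not part of the original post): it reads xxd -p output, skips the zero padding, cuts the stream into frames using the layout visible in every sentence of the capture above (ff, a command byte, a length byte that counts ff/cmd/len/payload, the payload, then 0a) and decodes the heart-rate, speed and set-time frames. The meaning of the two counter bytes in the speed frame and of bit 7 of the hour byte are my guesses, and the command names are mine.

```python
import re

# Frame layout as read from the capture above (my reading, not official docs):
#   ff | cmd | len | payload (len - 3 bytes) | 0a     (len excludes the trailing 0a)
SYNC, EOL = 0xFF, 0x0A

def split_frames(hexdump):
    """xxd -p output (hex lines mixed with comment lines) -> [(cmd, payload)]."""
    data = bytes.fromhex("".join(re.findall(r"^\s*([0-9a-f]+)\s*$", hexdump, re.M)))
    frames, i = [], 0
    while i < len(data):
        if data[i] != SYNC:              # zero padding the author sent to flush xxd
            i += 1
            continue
        length = data[i + 2] if i + 2 < len(data) else 0
        end = i + length                 # index of the 0a terminator
        if length < 3 or end >= len(data) or data[end] != EOL:
            raise ValueError(f"bad frame at byte {i}")
        frames.append((data[i + 1], data[i + 3:end]))
        i = end + 1
    return frames

def describe(cmd, payload):
    if cmd in (0x02, 0x06) and not payload:
        return "start" if cmd == 0x02 else "stop"
    if cmd == 0x05 and len(payload) == 1:
        return f"heart rate {payload[0]} bpm"
    if cmd == 0x0A and len(payload) == 3:
        # speed in 0.1 km/h (1.0 km/h -> 0x0a) + little-endian 16-bit value that only grows in a sweep (distance, I assume)
        counter = int.from_bytes(payload[1:3], "little")
        return f"speed {payload[0] / 10:.1f} km/h, counter {counter}"
    if cmd == 0x31 and len(payload) == 19 and payload[0] == 0x03:
        # hour (bit 7 always set in the capture, masked off), min, sec, big-endian year, month, day, ..., temp x10 and altitude (the 4 degC / 5 m typed in)
        h, m, s = payload[1] & 0x7F, payload[2], payload[3]
        year = int.from_bytes(payload[4:6], "big")
        temp = int.from_bytes(payload[10:12], "big") / 10
        alt = int.from_bytes(payload[12:14], "big")
        return f"set {year}-{payload[6]:02d}-{payload[7]:02d} {h:02d}:{m:02d}:{s:02d}, {temp:.1f} C, {alt} m"
    return f"cmd 0x{cmd:02x} payload {payload.hex()}"   # not identified yet

def decode_capture(hexdump):
    return [describe(cmd, p) for cmd, p in split_frames(hexdump)]

# Lines adapted (shortened) from the capture above, plus a constructed comment line in between
SAMPLE = """\
000000000000000000000000ff030798ffff000aff02030aff0504280aff
0a060000000aff0504290aff0a060000000aff06030a0000000000000000
start, sweep from 40 to 41 bpm, then stop
00000000ff31160381020307d90706061e0028000500000000000a000000
"""
```

Feeding the whole capture to decode_capture() prints one line per frame, with the frames this script does not know (ff 00, ff 01, ff 03, ff 07, ff 09 and the other ff 31 variants) dumped raw.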
OK, I hope this little tutorial will help you.
I think the most useful command in this tutorial is « xxd »: it translates a byte stream into a readable hex string, and does the inverse operation with the « -r » option.
And now a little script to watch the CPU load of your computer directly on your watch:
#!/bin/sh
stty -F /dev/ttyACM0 speed 115200

# send the initialisation frame (ff 03 07 be ff ff 00 0a) followed by the start frame (ff 02 03 0a)
echo "ff0307beffff000aff02030a" | xxd -r -p > /dev/ttyACM0
sleep 1

# send the termination frame (ff 06 03 0a) when the script is interrupted (ctrl-c);
# without the trap it would never be reached because of the "while true" below
trap 'echo "ff06030a" | xxd -r -p > /dev/ttyACM0; exit 0' INT TERM

while true
do
    # 1-minute load average x 100 shown as bpm (0.15 -> 15 bpm),
    # clamped to 255 because the heart-rate frame carries a single byte
    BPMDec=`awk '{ v = int($1 * 100 + 0.5); if (v > 255) v = 255; print v }' /proc/loadavg`
    BPMHex=`printf "%02x" "$BPMDec"`
    # heart-rate frame ff 05 04 <bpm> 0a, then the speed frame ff 0a 06 0a f3 01 0a from the capture
    data="ff0504${BPMHex}0aff0a060af3010a"
    echo "$data" | xxd -r -p > /dev/ttyACM0
    sleep 1
done