Posts Tagged ‘ ez430-chrono ’

ez430-Chrono BlueRobin reverse engineering

this is a quick-wrote draft, it will be reviewed

Hello
here is just a little tutorial to give you some idea for reverse engineer and hack your next gadget

today i would like to know how the blueRobin chest strap can communicate with the ez430-chrono

the software delivered with the watch contain a « BlueRobin emulator »

the software only launch when the CC1111 dongle is plugged – ok, no problem

the dongle is seen as /dev/ttyACM0 and is configured at 115200 baud

let’s assume we have 2 dongles CP2102 providing usb serial port /dev/ttyUSB0 and /dev/ttyUSB1

and they are connected together like this

gnd ---- gnd
RX  <--- TX
TX  ---> RX

close the software, unplug the CC1111 dongle.

plug the 2 dongle CP2102 (FTDI dongles  will certainly work too)

create a fake ttyACM0 symbolicaly linked to /dev/ttyUSB0

sudo ln -s /dev/ttyUSB0 /dev/ttyACM0

set the speed of both dongle:

sudo stty -F /dev/ttyUSB0 speed 115200
sudo stty -F /dev/ttyUSB1 speed 115200

in a terminal be ready to read the output of ttyUSB1 = what the software send to ttyACM0

cat /dev/ttyUSB1 | xxd -p

the probleme here is that xxd only write the line to the terminal when it get a full line, so we can use the option « -c 10 » or even « -c 1 » to reduce the line, but it would be hardly readable.

I prefered send a bunch of zeros from another terminal whit this command:

echo 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | xxd -p -r  > /dev/ttyUSB0

so this technic help me to cut the communication in several sentence

In Fine, I get this : ( I add some comment while i capture to remind me what the « sentence » means)

mathieu@confusion:~$ cat /dev/ttyUSB1 | xxd -p
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000ff01030aff00
04000aff0004000aff0004000aff0004000aff0004000aff0004000aff00
04000aff0004000aff0004000aff0004000a000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
init ^^^ control center launch
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000ff030798ffff000aff02030aff0504280aff
0a060000000aff0504290aff0a060000000aff05042a0aff0a060000000a
ff05042b0aff0a060000000aff05042c0aff0a060000000aff05042d0aff
06030aff0a060000000a0000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
start, sweep from 40 to 45 bpm, then stop
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
00000000ff030798ffff000aff02030aff05042d0aff0a060a00000aff05
042d0aff0a061401000aff05042d0aff0a061e02000aff05042d0aff0a06
3205000aff05042d0aff0a063c07000aff05042d0aff0a06500a000aff05
042d0aff0a065a0e000aff06030a00000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
start, sweep from 1 to 10 km/h, then stop
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
0000000000000000ff030798ffff000aff02030aff05042d0aff0a06110f
000aff05042d0aff0a062110000aff05042d0aff0a063112000aff05042d
0aff0a065116000aff05042d0aff0a06611a000aff05042d0aff0a06811f
000aff05042d0aff0a069125000aff06030a000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
start, sweep from 1 to 10 mph, the stop
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
TX ID: 1677711
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000ff07030aff31160380000007
d90101061e0000000000000000000aff0004000a00000000000000000000
000000000000000000000000000000000000000000000000000000000000
0000000000000000ff31160381020307d90101061e000000000000000000
0a0000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000ff31160381020307d90706
061e0028000500000000000a000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
ff3116070000000000000000000000000000000000000aff09030a000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
^^^ here i try to set the time : 01:02:03 AM, 4°C, 5m Alt...

Ok, I Hope this little tuto will help you

I think that the more useful command in this tuto is « xxd » : it can translate octet-stream to readable string and make the inverse operation with the « -r » option.

And now a litle script to watch the cpu load of your computer directly on your watch :

#! /bin/sh

stty -F /dev/ttyACM0 speed 115200

# send the initialisation frame
echo "ff0307beffff000aff02030a" | xxd -r -p>  /dev/ttyACM0

sleep 1

while true
do  
    BPMDec=`cat /proc/loadavg | sed 's/\(.\)[.]\(..\).*/\1\2/g'`
    BPMHex=`printf "%02s" $(echo "ibase=10;obase=16;$BPMDec" | bc) | tr ' ' '0'`

    data=ff0504`echo $BPMHex`0aff0a060af3010a

    echo $data | xxd -r -p>  /dev/ttyACM0
    sleep 1

done

# send the termination frame -- never used since there is a "while true" before
echo "ff06030a" | xxd -r -p>  /dev/ttyACM0

exit 0
Publicités