I was gonna go to the hackspace and finish my hat, then bodies happened.
Instead, I'm doing some light Sunday reading.
I have a pair of Chinese rave glasses that can display scrolling text, bitmaps, or animations. They also make you look way too cool for school.
They speak Bluetooth to a shady APK, I've put it on a disconnected phone and I'm reverse engineering the protocol. https://queer.af/media/kPpwoBGP0l_uV41DNcs
By the way, this is from Cyberdog, if anybody wants a pair: https://www.cyberdog.net/products/rave-glasses
I also have one of these collars, which is next once I finish this: https://www.cyberdog.net/collections/accessories-light-up/products/future-collar?tag=
Here's the catch: the GATT collection only includes a single descriptor (0004), and it's not writable.
Wireshark shows that the app, when you toggle them off and on, sends a GATT Command write (0x52) to handle 0x0003, with value: 01 00 02 06 09 02 05 03.
I'm not sure how to coerce BlueZ to let me do this.
Clearly, the answer is to just rewrite it in a language that only has Box<dyn ::std::error::Error>
https://github.com/liclac/eyesemoji is now in Go, and has a lil' CLI :3
Images are bitmaps, 1 byte = 1 column, 1 bit = 1 row on/off, there's a header whose meaning yet eludes me, and for some reason every other byte appears to do nothing at all
0xAA, 0x00, 0x55, 0x00, 0xAA, 0x00 https://queer.af/media/q0UGM6krRm5NE3MQ0K8
before I lose it again: it can display a 9x64 scrolling bitmap, FF80 (0b11111000) lights a full column
packet sequence for filling the whole thing with a pattern, with FF80s on each side - the 03 at the end is seemingly ignored:
@uint8_t My current problem is honestly how I have no idea how to reproduce these two packets in BlueZ, or sniff my bluetooth bus to compare what I'm actually sending o_O
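To make the column format and the captured toggle write concrete, here is an added Go example (not code from the eyesemoji repo or from the glasses' app). It encodes a 9x64 bitmap into the 2-bytes-per-column form where a fully lit column becomes FF 80, decodes it back for checking captures, and builds the raw ATT Write Command PDU (opcode 0x52, little-endian handle, value) so the bytes can be compared against the ATT layer in Wireshark. The row-to-bit mapping (row 0 = bit 7 of the first byte, unused low bits in the second byte) is an assumption consistent with the FF80 observation; the header, chunking into ATT MTU-sized writes, and whether the device expects the bitmap on handle 0x0003 are not covered.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// ATT opcode for "Write Command" (write without response); this is the 0x52
// shown in the Wireshark capture quoted in the thread.
const attWriteCommand = 0x52

// Display geometry from the thread: 9 rows by 64 columns.
const (
	displayRows = 9
	displayCols = 64
)

// EncodeColumns converts a bitmap given as 9 strings (one per row, '#' lit,
// '.' dark, 64 characters each) into the 2-bytes-per-column wire form.
// Assumption: row 0 is bit 7 of the first byte and row 8 is bit 7 of the
// second byte, so a fully lit column encodes as FF 80; the low 7 bits of the
// second byte are unused (the "every other byte does nothing" observation).
func EncodeColumns(bitmap []string) ([]byte, error) {
	if len(bitmap) != displayRows {
		return nil, fmt.Errorf("expected %d rows, got %d", displayRows, len(bitmap))
	}
	out := make([]byte, 0, 2*displayCols)
	for c := 0; c < displayCols; c++ {
		var col uint16
		for r, line := range bitmap {
			if len(line) != displayCols {
				return nil, fmt.Errorf("row %d has %d columns, want %d", r, len(line), displayCols)
			}
			switch line[c] {
			case '#':
				col |= 1 << (15 - r)
			case '.':
			default:
				return nil, fmt.Errorf("row %d col %d: unexpected %q", r, c, line[c])
			}
		}
		out = append(out, byte(col>>8), byte(col))
	}
	return out, nil
}

// DecodeColumns is the inverse: turn bytes pulled out of a capture back into
// a picture to sanity-check the bit layout assumption.
func DecodeColumns(wire []byte) ([]string, error) {
	if len(wire) != 2*displayCols {
		return nil, fmt.Errorf("expected %d bytes, got %d", 2*displayCols, len(wire))
	}
	rows := make([]strings.Builder, displayRows)
	for c := 0; c < displayCols; c++ {
		col := uint16(wire[2*c])<<8 | uint16(wire[2*c+1])
		for r := 0; r < displayRows; r++ {
			if col&(1<<(15-r)) != 0 {
				rows[r].WriteByte('#')
			} else {
				rows[r].WriteByte('.')
			}
		}
	}
	out := make([]string, displayRows)
	for r := range rows {
		out[r] = rows[r].String()
	}
	return out, nil
}

// WriteCommandPDU builds the raw ATT Write Command PDU: opcode, attribute
// handle as little-endian uint16, then the value. This is the byte string
// Wireshark decodes at the ATT layer.
func WriteCommandPDU(handle uint16, value []byte) []byte {
	pdu := make([]byte, 3, 3+len(value))
	pdu[0] = attWriteCommand
	binary.LittleEndian.PutUint16(pdu[1:3], handle)
	return append(pdu, value...)
}

// HexDump formats bytes the way the thread quotes them ("01 00 02 06 ...").
func HexDump(b []byte) string {
	parts := make([]string, len(b))
	for i, v := range b {
		parts[i] = fmt.Sprintf("%02X", v)
	}
	return strings.Join(parts, " ")
}

func main() {
	// Constructed sample: full columns at both edges, checkerboard between,
	// mirroring the "FF80s on each side" description in the thread.
	bitmap := make([]string, displayRows)
	for r := range bitmap {
		var sb strings.Builder
		for c := 0; c < displayCols; c++ {
			if c == 0 || c == displayCols-1 || (r+c)%2 == 0 {
				sb.WriteByte('#')
			} else {
				sb.WriteByte('.')
			}
		}
		bitmap[r] = sb.String()
	}
	cols, err := EncodeColumns(bitmap)
	if err != nil {
		panic(err)
	}
	fmt.Println("bitmap:", HexDump(cols))
	// The on/off toggle write from the thread, as it appears at the ATT layer.
	toggle := []byte{0x01, 0x00, 0x02, 0x06, 0x09, 0x02, 0x05, 0x03}
	fmt.Println("toggle:", HexDump(WriteCommandPDU(0x0003, toggle)))
}
```

Running this prints the 128 bitmap bytes and `52 03 00 01 00 02 06 09 02 05 03` for the toggle; if the ATT bytes in your own HCI log differ from that, the difference is in the transport or handle lookup rather than in the payload.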
@embr @uint8_t oooh ble I did that once upon a time! Wireshark should be able to do a capture (I know it works on Linux, hcidump or sudo wireshark, suspect it works on macos and maaaaybe on Windows too? You can capture in another app and load in Wireshark for analysis anyways.)
It's possible that your Android ble stack is caching stuff that it retrieved when the device first paired, so you might get more handle descriptors if you can get it to forget that cache and capture the initial handshake. It's also possible/likely that the sketchy apk just has handles hardcoded.
You can probably poke at struct internals to force bluepy or the C BlueZ bindings to send writes to the handles you already figured out even if the GATT server doesn't provide a valid query response describing them.
I am not finding any of my old source code to refer to alas ... Will dig a little bit more.
Also, I now want a pair of those glasses. :)
Excellent work! I have checked those out before, but didn’t want to commit to the insecure software end of it.
@ben no idea, the app loads an encrypted dalvik VM blob manually and that's about the part where I ran away screaming from any attempt to disassemble it
instead, I'm doing this the old-fashioned way: using an offline phone I will wipe after this, the Bluetooth HCI log developer option, and Wireshark
@embr I guess you could do this with software too, but if you've got the hardware why not use it
you're sending out bluetooth from the opaque blob either way