Reverse-engineering Garmin FR-220


Trevor Feeney

Jan 1, 2014, 4:42:26 PM
to btsta...@googlegroups.com
I recently received a FR-220, which uses BLE with the Garmin iOS app to upload workouts.  What I'd like to do is try and create an app for OS X that will also be able to communicate with this watch.  I've done a bit of poking around with LightBlue, and tried to figure out how I can capture the data between the watch and the App so I can get a better idea as to how they communicate.  Thus far all I know is they have a GATT profile, and there's also a custom UUID/characteristic that can be subscribed to.  I'm wondering if there's a way I can use BTstack to grab some more info on the communication and figure out what's going on and how to communicate with the watch.

Thanks for your help!

Matthias Ringwald

Jan 1, 2014, 5:12:45 PM
to btsta...@googlegroups.com
Hello Trevor

BTstack won’t help you with this, however, parts of BTstack are used in the Bluetooth Companion tweak from Cydia. If you install it, the Bluetooth settings provide a “Packet Logger” toggle that does what its name suggests. The log is stored as /tmp/BTServer.pklg. You can open it with Apple’s PacketLogger tool or Wireshark. (It won’t work on iOS 7 yet.)

best
matthias


Trevor Feeney

Jan 1, 2014, 8:41:58 PM
to btsta...@googlegroups.com
Thanks for the tip...do you know if there's an ETA on having it iOS 7 compatible?

Matthias Ringwald

Jan 3, 2014, 12:32:15 PM
to btsta...@googlegroups.com
Hi Trevor

Well, kinda. I’m busy preparing BTstack for certification in January and won’t have time to work on iOS JB projects. After that, updating Bluetooth Companion will be top of the list. So, sometime in February. If you can, please find a JB-able device with iOS 6 for this.

Other options are using a TI CC2540 Dev Kit (only $99) and flashing it as a sniffer. But that’s less convenient than my packet logger.

best
matthias

Trevor Feeney

Feb 4, 2014, 12:30:40 PM
to btsta...@googlegroups.com
Is this still in the works for sometime this month (or is there some way for me to keep an eye on BT Companion updates)?

Matthias Ringwald

Feb 6, 2014, 5:51:08 AM
to btsta...@googlegroups.com
Hi Trevor

Yes, sometime this month is still expected, at least for the logging part. I might consider releasing a Bluetooth Companion Logger that only does logging and does not support my other extensions.

I’m announcing updates to my tweaks on twitter @mringwal but I won’t release an update of BTC that doesn’t fix at least one commercial package (I would get too many annoying emails otherwise).

best
matthias

Trevor Feeney

Mar 25, 2014, 6:00:43 PM
to btsta...@googlegroups.com
Is there some literature on working with BLE that you could point out?  I can't seem to find much on BLE (other than iBeacon), and I'm having a couple of issues getting started...here's what I have so far:

Using LightBlue, I know that the watch has the services 1800, 1801, and 9B012401-BC30-CE9A-E111-0F67E491ABDE.  1800 has characteristics 2A00, 2A01, 2A04, with 2A00 being write-enabled.  The last service has 2 characteristics, one allowing writes, and the other allowing subscribe/read.  With the BTC logs I can see all of the communication between my watch/phone, and it's using channel 0040.  However I can't figure out where I should be writing (I'm assuming either the 2A00 or the other) when I test in LightBlue, and I'm not sure what to look for in terms of commands I need to be sending from the logs (I've tried sending the hex values that are listed under the ATT send commands in the logs).

Thanks!

Matthias Ringwald

Mar 26, 2014, 6:43:27 AM
to btsta...@googlegroups.com
Hi Trevor

Apple’s documentation is usually rather good, and that’s also valid for the LE aka CoreBluetooth docs.
https://developer.apple.com/library/ios/documentation/NetworkingInternetWeb/Conceptual/CoreBluetooth_concepts/AboutCoreBluetooth/Introduction.html

If you want a bit more prose, the creator of BLE wrote this:
http://www.amazon.com/Bluetooth-Low-Energy-Developers-Handbook/dp/013288836X/ref=sr_1_sc_1

As for your watch, the services 1800 and 1801 are standard (GAP Service, GATT Service), so the data must be provided about the other one with the long UUID.
To transmit larger data over LE, I would use the indication/notification part to “stream” the data back. If you post the log file, I could tell you quickly.

You’ll either need to write something to the writable characteristic, or, enable notification/indication. In the log, you’ll see ATT PDUs, which are explained by the Core Bluetooth specification. Just look for the first ATT Write Request or Write Command and reproduce that.

Btw, do you think that the programmable Pebble smartwatch could provide the same functionality as your watch, assuming it gets connected to a BLE heart rate monitor? I’ve just got one and am wondering if it could replace specialised devices like yours.

best
Matthias

Trevor Feeney

Mar 26, 2014, 11:24:00 AM
to btsta...@googlegroups.com
Thanks for the links...I'll be digging into those.  I've to work with Bluetooth (which I'm sure is obvious), so I'm still figuring this stuff out.  I'm attaching the log in case it's of any use.  I'm assuming that when I use something like CoreBluetooth, I can ignore the packets for sorting out the MTU, etc, and just focus on the services/characteristics that the watch offers.

As for the Pebble, the biggest thing that it'd be missing is GPS functionality, which is at the core of these watches.  However, with hooking up a bluetooth heart rate strap, I'm sure you could closely mimic a lot of the fitness trackers that are coming out (i.e. the Garmin VivoFit).

Trevor
BTServer.pklg

Trevor Feeney

Mar 30, 2014, 5:38:12 PM
to btsta...@googlegroups.com
I've made some good progress, but am definitely stuck now.  I've managed to wrap my head around how the basic communications work, and via corebluetooth I'm both subscribing to the appropriate characteristic and sending to the proper characteristic.  

From the logs, I can see that a command is sent to handle 000b, value 02 00 (I can't figure out which UUID that is though, as there's only two writable ones and neither are that).  After that, it turns on notifications to handle (0x0011), which I've managed to as well.

Then the real action starts...it seems to send the name of my iPhone, followed by a few unknown commands, the name of my iPhone again, and a couple of more commands.  Once that's finished, I notice that the characteristic that's being subscribed to starts firing back a whole whack of useful xml (looks to contain the actual use data from the watch).

So for now, my goal is to try and get ahold of that data...but to do that I need to figure out what the other commands are, and why it doesn't seem to respond when I send over the same commands.

Any thoughts/suggestions?

Matthias Ringwald

Mar 31, 2014, 5:28:17 PM
to btsta...@googlegroups.com
Hi Trevor

The first two writes (02 00 into handle 0x00b and 0x0011) enable the notifications for the corresponding Characteristics. You can see the UUIDs of these Attributes in the Find Information Response (UUID 2902 is the Client Characteristic Configuration).

I would compare the logs from your test app with the one you got from the official app and try to match it line by line. Also, check if parts of the data change. This might get more tricky :)

Hope that helps a bit 
 Matthias

Alic Wired

May 14, 2015, 1:46:05 AM
to btsta...@googlegroups.com
Hi Trevor,

Any luck getting somewhere with this? I'm real upset about Garmin not having a Windows Phone app, and was poking around my new Garmin Vivoactive's services, which are like yours (1800, 1801, and 9B012401-BC30-CE9A-E111-0F67E491ABDE) plus one other one. 

Thanks,

Alic

Trev Boyd

Jun 9, 2015, 5:10:56 AM
to btsta...@googlegroups.com
Hi all,

I was wondering if you had made any more progress on this?

I have started looking into interfacing my Windows Phone with a vivofit over BLE.  I can see it exposes 3 services:

00001800-0000-1000-8000-00805f9b34fb
00001801-0000-1000-8000-00805f9b34fb
9b012401-bc30-ce9a-e111-0f67e491abde

The 1st two are standard ones (Generic Access and Generic Attribute) and the 3rd must be a custom Garmin one (same as the Forerunner 220).  The custom service has 2 characteristics:

df334c80-e6a7-d082-274d-78fc66f85e16: WriteWithoutResponse
4acbcd28-7425-868e-f447-915c8f00d0cb: Read, Notify

I can set up my app to subscribe for notifications on the 2nd characteristic, and then when I press the "sync" button on the vivofit, it starts returning data.  Unfortunately, this just looks like the device name ("vivofit") repeated over and over.  The hex values of the data are:

0 2 25 4 a0 13 72 a 2d 7 9 e2 22 e8 90 1 c8 13 8 76 c3 ad 76 6f 66 69 74 8 76 c3 ad 76 6f 66 69 74 3 83 4d 0

Which correspond to (regular ASCII printable characters only with others removed): %r-"vvofitvvofitM%r-"v

I'm sure I'm supposed to write something to the one writeable characteristic to get the vivofit to produce more data, but have had no luck so far.

I am very new to BLE - are there any easy ways to trace the communication between the official Garmin Connect app on my iPad and my vivofit?

Thanks in advance

Trev

Matthias Ringwald

Jun 9, 2015, 5:29:27 AM
to btsta...@googlegroups.com
Hi Trevor

If you have or can get hold of a JB iOS device, you can install my "Bluetooth Companion" from Cydia, which adds a PacketLogger toggle to the Bluetooth preferences. Log is at /tmp/BTServer.pklg.

If not, you could inject a shared library into the Garmin app that uses swizzling to hook all Bluetooth method calls and do the logging there. However, that requires a rather advanced knowledge of iOS, Objective-C, Mach-O file formats, etc.  I'm also not sure if the app would need to get decrypted first, either.

Finally, you could try to use a Bluetooth sniffer - most BLE dev kits can be used for that. (e.g. the TI CC2540 one)

The first option is much easier and can be done by anyone. I'm just pointing out the second for completeness. I'd really go with the JB iOS device. Aside from finding a device with iOS 8.1.1 or lower, it's easy. :)

Best
 Matthias


Trev Boyd

Jun 10, 2015, 8:16:15 AM
to btsta...@googlegroups.com
Hi Matthias,

Thanks for your reply.  I do not have access to an iOS device lower than 8.3 :-(

I did however get hold of a Motorola Moto-E on which I have installed the Garmin Connect app and enabled Bluetooth packet capture from the developer options.  I have captured the log below.  I can see in it that the data sent to the phone in packets 353 and 354 match exactly the data I got on my WP above (0 2 25 4 a0 13 72 a 2d 7 9 e2 22 e8 90 1 c8 13 8 76 c3 ad 76 6f 66 69 74 8 76 c3 ad 76 6f 66 69 74 3 83 4d 0) which is encouraging :-)

I then think that the phone writes to a characteristic (I assume the writeable one "df334c80-e6a7-d082-274d-78fc66f85e16" although I don't know how to tell that - it just shows a handle reference 0x000e - how do I correlate that back to a characteristic?) with a whole string of data.  I believe this data is this in hex - have I interpreted that correctly?

00:02:3d:05:88:13:a0:13:02:70:05:ff:ff:39:30:01:03:11:04:2c:40:0e:4d:6f:74:6f:45:32:28:34:47:2d:4c:54:45:29:08:6d:6f:74:6f:72:6f:6c:61:0e:4d:6f:74:6f:45:32:28:34:47:2d:4c:54:45:29:01:e0:40:00

It looks like there is an extended conversation that results in XML being sent back to the app (very similar to Trevor's experience above).  However, if I modify my WP app to send the same data above, I keep getting the same response as before ("vivofit" repeated).

Am I missing something in the conversation up to packet 359 in the log file, or am I interpreting the data the app sends in packets 353/354 incorrectly?

Thanks :-)

Trev
btsnoop_hci.log

Matthias Ringwald

Jun 13, 2015, 5:49:09 PM
to btsta...@googlegroups.com
Hi Trev

The Android log is as good as an iOS one. :)

Ok. So, ATT is a purposely simple protocol to interact with a simple key/value store. There are no Characteristics there. Instead, Services and Characteristics are modeled using the GATT profile. The logs will only show you ATT interactions.

So, there are 3 services: 1800, 1801, and the custom one. It starts at handle 0x000c.
The actual value of the first custom characteristic is at handle 0x000e. The second is at 0x0010. Notifications can be enabled by writing to handle 0x011, which is done in the log in packet 344. Notifications for this second characteristic show up as value updates of 0x0010. The writes are to the first Characteristic.

So, I would suggest trying to re-implement the protocol, preferably on the same Android device; it will then be easier to compare the logs between the original app and yours.

Good luck!
 Matthias
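Added example (not code from this thread, from Garmin or from BTstack): a minimal ATT PDU decoder built on the handle layout Matthias describes above, applied to the CCCD write from the log and to the bytes Trev quoted, reassembled across the two 20-byte notifications. The handle labels and the ATT framing around Trev's bytes are this example's own constructions; decoding the CCCD bit field shows that the value 02 00 sets the indication bit (bit 1) rather than the notification bit (bit 0), and the byte run 76 c3 ad 76 6f 66 69 74 is UTF-8 for "vívofit", which an ASCII-only filter shows as "vvofit".

```python
import struct

# Handle layout of the custom Garmin service as laid out in the thread
# (handles from the btsnoop log; the names are this example's labels).
HANDLE_NAMES = {
    0x000C: "custom service declaration",
    0x000E: "characteristic 1 value (WriteWithoutResponse)",
    0x0010: "characteristic 2 value (Read, Notify)",
    0x0011: "CCCD (UUID 0x2902) of characteristic 2",
}
ATT_OPCODES = {0x12: "Write Request", 0x13: "Write Response",
               0x1B: "Handle Value Notification",
               0x1D: "Handle Value Indication", 0x52: "Write Command"}

def decode_att(pdu: bytes) -> dict:
    """Decode one ATT PDU into opcode, handle and value; CCCD writes get bit labels."""
    opcode = pdu[0]
    info = {"opcode": ATT_OPCODES.get(opcode, f"opcode 0x{opcode:02x}")}
    if len(pdu) < 3:                 # e.g. Write Response carries no handle
        return info
    (handle,) = struct.unpack_from("<H", pdu, 1)   # handles are little-endian
    info.update(handle=handle, attribute=HANDLE_NAMES.get(handle, "unknown"),
                value=pdu[3:])
    if handle == 0x0011 and opcode in (0x12, 0x52) and len(pdu) == 5:
        (cccd,) = struct.unpack("<H", pdu[3:5])    # CCCD is a 16-bit bit field
        info["notifications"] = bool(cccd & 0x0001)
        info["indications"] = bool(cccd & 0x0002)
    return info

def reassemble(pdus, handle: int) -> bytes:
    """Join value updates for one handle: a message longer than the default
    20-byte ATT payload arrives as several notifications (packets 353/354)."""
    return b"".join(d["value"] for d in map(decode_att, pdus)
                    if d.get("handle") == handle
                    and d["opcode"].startswith("Handle Value"))

def printable(data: bytes) -> str:
    """The same filter Trev applied: keep printable ASCII only."""
    return "".join(chr(b) for b in data if 0x20 <= b < 0x7F)

# Constructed PDUs: the CCCD write seen in the log, and Trev's 40 quoted bytes
# split over two notifications from handle 0x0010.
CCCD_WRITE = bytes.fromhex("12 1100 0200")
PAYLOAD = bytes.fromhex(
    "00 02 25 04 a0 13 72 0a 2d 07 09 e2 22 e8 90 01 c8 13 08 76"
    "c3 ad 76 6f 66 69 74 08 76 c3 ad 76 6f 66 69 74 03 83 4d 00")
NOTIFICATIONS = [bytes([0x1B, 0x10, 0x00]) + PAYLOAD[:20],
                 bytes([0x1B, 0x10, 0x00]) + PAYLOAD[20:]]

if __name__ == "__main__":
    print(decode_att(CCCD_WRITE))
    msg = reassemble(NOTIFICATIONS, 0x0010)
    print(printable(msg))             # %r-"vvofitvvofitM
    print(msg[19:27].decode("utf-8"))  # length byte 0x08 precedes "vívofit"
```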

