Welcome to XDA

Search to go directly to your device's forum

Register an account

Unlock full posting privileges

Ask a question

No registration required
Post Reply

Figuring out Samsung Accesory Protocol internals

OP javispedro

22nd October 2014, 02:30 PM   |  #11  
Junior Member
Thanks Meter: 2
 
11 posts
Join Date:Joined: Sep 2011
Quote:
Originally Posted by javispedro

After the description exchange is done, the watch will send a "authentication request" packet. This is a 65 byte bigint plus a 2 byte "challenge". The response from the phone should contain a similar 65 byte bigint, the 2 byte response, and an additional 32 byte bigint. If correct, the watch will reply with some packet I don't care about. Otherwise the connection will be dropped. It obviously looks like some key exchange. But this is the crypto part that's implemented in libwms.so....

About that 65-byte bigint... that is a 520-bit key. The usual length of ECDSA keys is exactly 520-bits, so we may have something there: it is possible that they are using ECDSA signing (just like in bitcoin, so there are a lot of implementations of that code).
14th November 2014, 02:48 PM   |  #12  
Junior Member
Thanks Meter: 2
 
11 posts
Join Date:Joined: Sep 2011
Not forgotten about this!
Just an status update:
I'm still in the process of defining the API of the C library using javispedro's sources as template.
It's tougher than I originally supposed because the C++ code has a lot of forward-declarations of classes, which is very difficult to map into C. To counter that I have to move elements between structures and I'm not so comfortable with the codebase yet.
And then there is still the hard work of translating the Qt signals/slots to plain' old callbacks... and implementing the bluetooth part using bluez API... and... well, I hope that is all.
Anyway, patience .
The Following 2 Users Say Thank You to Antartica For This Useful Post: [ View ]
24th November 2014, 03:05 PM   |  #13  
OP Member
Thanks Meter: 33
 
43 posts
Join Date:Joined: Dec 2008
More
I've now had access to a Samsung S2 and thus I have been able to obtain more traces. The latest Git now contains code to connect to the notification manager service, thus allowing to send notifications from the phone to the watch.

That was the last missing part to be able to use the Gear 2 as a 'daily' smartwatch with my Jolla, so I've now also ported the code to run under Sailfish. In fact I'm using this setup at the moment. My first comment is "wow the vibrator IS weak".

You can find a log of sapd's (ie my code) startup qDebug() messages; they may be useful (if you can't yet get your code to run)

I suspect that there may still be some important battery issues because the watch keeps printing error messages about SAP services it can't find on the phone (and instead of sleeping, it starts busy polling for them.... :/ ). It does not seem to happen while the watch is out of the charging cradle, so it may not be important, but not sure yet.

As for the encryption, I'm not sure how to proceed. I could describe the code to you, but that would be risky, because I don't understand what it does. Thus the only way (for me) to describe it would be to pass on the mathematical formulas/pseudocode ... Apart from that, we also have the problem of the keys...

Quote:
Originally Posted by Antartica

The usual length of ECDSA keys is exactly 520-bits, so we may have something there: it is possible that they are using ECDSA signing

They do use ECDH indeed, and they link with OpenSSL and import the ECDH functions. However it's not clear if they use ECDSA; while the crypto algorithm DOES resemble DSA, I cannot fully identify it.
Attached Files
File Type: txt sapdlog.txt - [Click for QR Code] (4.5 KB, 16 views)
27th November 2014, 03:52 PM   |  #14  
Junior Member
Thanks Meter: 2
 
11 posts
Join Date:Joined: Sep 2011
Congratulations for managing to make it work with the Jolla .

I have finally found a suitable "flattened" class hierarchy as to be able to map your code into C; see the attachs. Basically, I have to move the functionality of SAPConnectionRequest, SAPSocket, CapabilityPeer and SAPConnection into SAPPeer, and then it is suitable for my needs.

Quote:
Originally Posted by javispedro

As for the encryption, I'm not sure how to proceed. I could describe the code to you, but that would be risky, because I don't understand what it does. Thus the only way (for me) to describe it would be to pass on the mathematical formulas/pseudocode ... Apart from that, we also have the problem of the keys...

They do use ECDH indeed, and they link with OpenSSL and import the ECDH functions. However it's not clear if they use ECDSA; while the crypto algorithm DOES resemble DSA, I cannot fully identify it.

If you manage to describe it using mathematical formulas as in
http://en.wikipedia.org/wiki/Ellipti...tion_algorithm
it would be perfect, but I reckon that to be able write that you need intimate knowledge of the code and don't know if you have time for that
And identifying the hash function used would be a problem in itself...
One idea: how about a ltrace so we have the calls to the openssl library? That may uncover new hints.

Anyway, I have a lot of work before me until I need that, so don't fret over it.
Attached Thumbnails
Click image for larger version

Name:	sap_original.png
Views:	102
Size:	85.6 KB
ID:	3036544   Click image for larger version

Name:	sap_flattened.png
Views:	102
Size:	81.0 KB
ID:	3036545  
28th November 2014, 08:17 AM   |  #15  
Senior Member
Thanks Meter: 21
 
286 posts
Join Date:Joined: May 2006
Hi there! Any chance that the Gear can (really) work with an iPhone?
Post Reply Subscribe to Thread
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes