XDA Developers Android and Mobile Development Forum

Figuring out Samsung Accessory Protocol internals

javispedro
#1 (Last edited by javispedro; 28th August 2014 at 01:09 AM.)
Junior Member - OP | Posts: 28 | Join Date: Dec 2008
Figuring out Samsung Accessory Protocol internals

Hello,

I want to figure out the Samsung Accessory Protocol in order to create an "open source" Gear Manager app replacement. This thread is to ask if anyone has been trying to do the same thing, as well as to try to gather as much information about this protocol as possible. Generic discussion is also accepted, in case anyone has better ideas.

Right now all I know is that this protocol is based on RFCOMM, albeit it can be transported over TCP too. It has a level 1 "framing" which consists basically of

Code:
/* Frame without CRC: used for the "hello" and authentication packets. */
packed struct Frame {
 uint16_be length_of_data;   /* big-endian byte count of data */
 char data[length_of_data];
}

/* Frame with CRC: used for the normal (multiplexed) data packets. */
packed struct FrameWithCRC {
 uint16_be length_of_data;   /* big-endian byte count of data */
 uint16_be crc_of_length;    /* crc16 of length_of_data */
 char data[length_of_data];
 uint16_be crc_of_data;      /* crc16 of data; follows the payload */
}
I also know that there are various types of packets. "Hello" packets are exchanged early during the connection and contain the product name, etc. Authentication packets are exchanged right after the initial "hello" and contain some varying hashes (crypto warning!). Then the normal data packets are "multiplexed", as in usbmuxd: they have 'session' IDs which describe which watch program they are talking to. All Hello and authentication packets are sent without CRC, but normal data packets are. The CRC implementation used is crc16, same poly as in the Linux kernel.

I suspect that whatever we uncover about this protocol might be useful to e.g. pair Gear with an iPhone, with a PC, things like that.

Note: most of this comes from viewing Bluetooth logs. However it's clear that reverse engineering will be required for the cryptographic parts. In this case I believe it's legally OK to do so in the EU because it's purely for interoperability reasons. I don't want to create a competitor to the Gear2, I just want to talk to it.


Motivation: I bought a Gear2 in order to replace a LiveView that was dying (buttons wearing out, broken wriststrap clips, etc.) . I used it both for notifications as well as map/navigation.
Since I have a Jolla, no programs are available to pair with most smartwatches, but I've been developing my own so far (MetaWatch, LiveView). Thus I decided on a replacement based purely on hardware characteristics and price. Also Tizen seems more open than Android, thus I figured out it would be easier for me to adapt to the watch.

However it seems that I underestimated the complexity of the protocol that connects the Gear with the Gear Manager. So my options in order to make use of this watch are:
  1. Sell Gear2 back and buy something that's easier to hack (e.g. another LiveView ),
  2. Figure out the SAP protocol and write a replacement Gear Manager app (what this thread is about),
  3. Write replacement Tizen applications that don't use SAP. This involves writing new programs for Calls, Messages, Notifications, Alarms, Camera, watchOn, Pulse monitor, etc. i.e. a _lot_ of work if I want to exploit all features of the watch.
    But at least one can reuse the existing Tizen settings app, launcher, drivers, etc. (I started porting Qt to the Gear2 with this idea)
  4. Use a different Linux distro on the Gear 2. Such as Sailfish, Mer, etc. This involves all the work of option 3 + possibly driver work.
As of now I've not decided which option is easier for me so I'll keep trying to push them all.
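The two frame layouts from the first post, as an added example (this is not code from the post or from Samsung's Gear Manager). It builds and parses both the plain frame and the CRC frame, and feeds a reassembly loop the way RFCOMM or TCP actually delivers bytes, in arbitrary chunks. Assumptions, labelled in the code as well: the crc16 follows Linux lib/crc16.c (reflected polynomial 0x8005, i.e. 0xA001, zero initial value, no final XOR; the post only names the polynomial, so the init and XOR choices are this example's), and crc_of_length is computed over the two big-endian length bytes. The sample payloads are constructed for the demo, not captured from a Gear.

```python
"""Framer/parser for the SAP level-1 frames described above (added example)."""
import struct

# Assumption: Linux lib/crc16.c semantics, i.e. CRC-16/ARC: reflected 0x8005,
# init 0x0000, no final XOR.  The post only states the polynomial.
CRC16_POLY_REFLECTED = 0xA001


def crc16(data: bytes, crc: int = 0) -> int:
    """Bitwise CRC-16 with reflected polynomial 0x8005 (check value 0xBB3D)."""
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC16_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc & 0xFFFF


def build_frame(payload: bytes, with_crc: bool) -> bytes:
    """Frame (hello/auth) when with_crc is False, FrameWithCRC (data) otherwise."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit length field")
    length = struct.pack(">H", len(payload))
    if not with_crc:
        return length + payload
    # Assumption: crc_of_length covers the two big-endian length bytes.
    return (length + struct.pack(">H", crc16(length))
            + payload + struct.pack(">H", crc16(payload)))


def parse_frame(buf: bytes, with_crc: bool):
    """Parse one frame from the front of buf.

    Returns (payload, rest) on success, (None, buf) if more bytes are needed,
    and raises ValueError when a CRC does not match.  The length CRC is
    checked before the length is trusted, so a corrupted length byte cannot
    make the caller wait for (or allocate) a bogus amount of data.
    """
    header_len = 4 if with_crc else 2
    if len(buf) < header_len:
        return None, buf
    (length,) = struct.unpack_from(">H", buf, 0)
    if with_crc:
        (len_crc,) = struct.unpack_from(">H", buf, 2)
        if len_crc != crc16(buf[:2]):
            raise ValueError("length CRC mismatch")
        total = header_len + length + 2
    else:
        total = header_len + length          # plain frames carry no integrity check
    if len(buf) < total:
        return None, buf
    payload = buf[header_len:header_len + length]
    if with_crc:
        (data_crc,) = struct.unpack_from(">H", buf, header_len + length)
        if data_crc != crc16(payload):
            raise ValueError("data CRC mismatch")
    return payload, buf[total:]


def parse_stream(chunks, with_crc: bool):
    """Reassemble frames from arbitrary-sized chunks; returns (payloads, leftover)."""
    buf = b""
    frames = []
    for chunk in chunks:
        buf += chunk
        while True:
            payload, buf = parse_frame(buf, with_crc)
            if payload is None:
                break
            frames.append(payload)
    return frames, buf


def tamper_detected(frame: bytes, flip_offset: int) -> bool:
    """Flip one bit of a CRC frame and report whether the parser rejects it."""
    damaged = bytearray(frame)
    damaged[flip_offset] ^= 0x01
    try:
        parse_frame(bytes(damaged), with_crc=True)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample payloads, not real SAP hello/data contents.
    hello = build_frame(b"HELLO example-product", with_crc=False)
    data = build_frame(b"\x01\x00session-1 payload", with_crc=True)
    print(parse_frame(hello, False)[0])
    print(parse_frame(data, True)[0])
    print("length byte tamper detected:", tamper_detected(data, 1))
    print("payload tamper detected:", tamper_detected(data, 5))
```

The parser has to be told which layout to expect, because the post describes the switch from CRC-less hello/authentication frames to CRC-protected data frames as a phase of the connection rather than something signalled in the frame itself; a real client would flip `with_crc` once the authentication exchange completes. Note that a crc16 is a transmission check only: it says nothing about who sent the frame, which is what the authentication packets exist for.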
 
noellenchris
#2
Recognized Developer / Retired Forum Moderator | Posts: 2,435 | Join Date: May 2007 | Location: Marlton, NJ
Quote:
Originally Posted by javispedro
(first post quoted in full)
I think your thread should probably go in the Dev section for Tizen. Have you made any development? If you want it moved, report your own post with the button in the top right labeled Report. You can then suggest your thread be moved to the new Tizen Development section. Ok, I wish you all the luck, you seem to be a very talented programmer/dev. Thanks for your contributions.

Chris


TMOUS Galaxy Note III Rooted Tweaked
Samsung Galaxy Gear 1 TizenMod by Skin1980
TMOUS Galaxy S4 Stock(Son's)
HP TouchPad CM9 Nightlies
-----------------------------------
T-Mobile HTC HD2 (I will keep this one till it dies!)
Cotulla's MAGLDR NAND w/CWM & CM10

[TMOUS Galaxy Note II][TMOUS Galaxy S III][TMOUS Galaxy S II][AT&T Fuze (Rafael)]
[Cingular(Refurb) 8525 (Hermes 100)][Sprint Vogue] [Cingular 8125 Wizard...gone now;(]

XDA Forum Rules

These phones are addicting! The more tweaks/apps etc. I read about the more I have to cram into my phone! Can my phone overdose???
 
javispedro
#3
Junior Member - OP | Posts: 28 | Join Date: Dec 2008
Quote:
Originally Posted by noellenchris View Post
I think your thread should probably go in the Dev section for Tizen.
Well, some mod already moved this thread from Development, where I originally posted it, into Q&A. This is not exactly "Tizen" development (SAP is used in many Samsung devices seemingly).

Quote:
Originally Posted by noellenchris View Post
Have you made any development?
Yes, lots of progress. I have been able to write a program that connects to the Gear2 from my PC, successfully "completes" the setup program and synchronizes the date&time. Things like changing the background color etc. are now trivial. I will soon port it to my Jolla.

I am now looking into how to send notifications to the watch. I've not been able to get Gear Manager to actually send any notifications (to use as "reference"), because goproviders crashes when I try to simulate notifications on my android_x86 VM.
If anyone can send me an HCI / Bluetooth packet capture of their Android device while it is sending notifications to the Gear2 I would really appreciate it.


Unfortunately, the main problem here is that Samsung uses some cryptographic authentication as a form of "DRM". I am not exactly sure why.
There was no way for me to discover how the crypto worked so I took the unclean approach and disassembled their crypto code (libwms.so). That means there's no way I would be able to distribute the code now without risking a lawsuit from Samsung.

Sadly this means that while I can distribute the protocol specifications I obtained, legally distributing "Gear Manager replacements" is probably impossible.
 
noellenchris
#4
Recognized Developer / Retired Forum Moderator | Posts: 2,435 | Join Date: May 2007 | Location: Marlton, NJ
Quote:
Originally Posted by javispedro View Post
Well, some mod already moved this thread from Development, where I originally posted it, into Q&A. This is not exactly "Tizen" development (SAP is used in many Samsung devices seemingly).
Ya, I was kinda in a Gear 1 mind set, and they have separate threads for Android and Tizen....:P

Chris
