Hacking the Casio G-Shock GW-B5600 BLE


mougino

New member
Jan 12, 2020
4
8
Hello all, this is my first post here! :)

In this article I will explain my method of hacking the Square G-Shocks that make use of a Bluetooth module (I have a GW-B5600, but it should theoretically work on the GMW-B5000 too) with the goal of creating our own Android app that will allow us to get info and set the watch via BLE (Bluetooth Low Energy) commands/requests.

The tools I am using are: (sorry no link I am too new)
  • nRF Connect for Android by Nordic Semiconductor from the Play Store
  • Wireshark desktop (Windows/Mac) from the official website
  • The official "G-Shock Connected" Android app from the Play Store
  • And adb that can be found in the Android platform tools (by default in "C:\Users\usrname\AppData\Local\Android\Sdk\platform-tools")

Your phone does not need to be rooted but needs the Developer options enabled.

1 Discover the services offered by the G-Shock

I am using nRF Connect installed from the Play Store to scan for BT devices.
Long-press the (C) (bottom left) button on the B5600 to enable BT on the watch.
Hit Scan in nRF and search for "CASIO GW-B5600" and tap it to show the following details:
Code:
Device BT Name: 	CASIO GW-B5600
Device BT Address:	[B]EB:1C:FF:90:C2:34[/B]
Offered services:	0x1801 				Generic Attribute
			0x1800 			Generic Access
				0x2A00 (R)	Device Name
				0x2A01 (R)	Appearance
			0x1804 			Tx Power
				0x2A07 (R) 	Tx Power Level
			0x26EB00 0D		Unknown Service
				(UUID 0x2902 for all)
				[B]0x26EB002C (W*)	Custom Service #2C[/B]
				[B]0x26EB002D (NW)	Custom Service #2D[/B]
				0x26EB0023 (NW)	Custom Service #23
				0x26EB0024 (NW*)Custom Service #24
(R) is read only (W) write (W*) write no response (N) notify.
The important information has been set in bold: the BT address that we will use to analyze the packets, and the 2 services that I called #2C and #2D that are used by the official G-Shock app to get and set info from/to the watch.

2 Enable Bluetooth traces on the phone

After that, open the phone Developer options > Enable Bluetooth HCI snoop log.
Or use the USB debugging mode: plug the phone into the computer and type the following command in a prompt:
Code:
adb shell settings put secure bluetooth_hci_log 1

To know where the BT traces will be stored, type the following command:
Code:
adb shell cat /etc/bluetooth/bt_stack.conf
and look at the line starting with 'BtSnoopFileName=' to locate the BT log files.

3 Capture BT activity and save the logs on computer

Install and run the "G-Shock Connected" app on your phone from the Play Store.
Perform some operations between the watch and the app, and take note of the time you make them.
Then plug in the phone and type:
Code:
adb pull /data/log/bt/btsnoop_hci*.log
Note: the location and name of the logs are for my Huawei Mate 10. You will need to adapt the path to the one you got at step 2.

4 Analyze the BT traces in Wireshark

Open Wireshark and drag and drop one of the "btsnoop_hci*.log" files pulled to the computer onto the program.
Add a filter on the G-Shock BT address we got from nRF Connect at step 1:
Code:
bluetooth.addr==EB:1C:FF:90:C2:34
And hit enter to see the BLE activity on the watch.

Now the fun (or the boring part, it depends ;)) begins... Understanding the BT requests/answers (get info) and BT commands (set info)!
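
An offline alternative to the Wireshark step, added here as an example and not part of the original post: a minimal btsnoop reader that pulls out ATT writes and notifications so the Value bytes can be searched directly. It assumes an H4 capture (datalink 1002) and unfragmented ATT PDUs; the sample capture is constructed, and the attribute handles 0x000c/0x000e are the value handles of #2C/#2D from the gatttool listing further down the thread.

```python
import struct

MAGIC = b"btsnoop\x00"
H4_DATALINK = 1002          # btsnoop datalink code for HCI UART (H4)
ATT_CID = 0x0004            # fixed L2CAP channel carrying ATT on LE links
ATT_OPS = {0x12: "write_req", 0x52: "write_cmd", 0x1B: "notify"}


def att_values(blob):
    """Yield (direction, att_op, attr_handle, value) for ATT writes and notifications."""
    magic, _version, datalink = struct.unpack_from(">8sII", blob, 0)
    if magic != MAGIC or datalink != H4_DATALINK:
        raise ValueError("not an H4 btsnoop capture")
    pos = 16
    while pos + 24 <= len(blob):
        # Record header: original len, included len, flags, drops, timestamp.
        _orig, incl, flags, _drops, _ts = struct.unpack_from(">IIIIq", blob, pos)
        pkt = blob[pos + 24:pos + 24 + incl]
        pos += 24 + incl
        if len(pkt) < 12 or pkt[0] != 0x02:      # keep HCI ACL data packets only
            continue
        acl_handle, _acl_len, l2cap_len, cid = struct.unpack_from("<HHHH", pkt, 1)
        if (acl_handle >> 12) & 0x3 == 0x1:      # continuation fragment: no L2CAP header
            continue
        if cid != ATT_CID or pkt[9] not in ATT_OPS:
            continue
        (attr_handle,) = struct.unpack_from("<H", pkt, 10)
        direction = "watch->phone" if flags & 1 else "phone->watch"
        yield direction, ATT_OPS[pkt[9]], attr_handle, pkt[12:9 + l2cap_len]


def find_values(blob, needle):
    """Return the ATT entries whose value contains the byte string `needle`."""
    return [entry for entry in att_values(blob) if needle in entry[3]]


def _record(received, att_pdu, conn=0x0040):
    """Build one btsnoop record around an ATT PDU (used only for the sample below)."""
    l2cap = struct.pack("<HH", len(att_pdu), ATT_CID) + att_pdu
    pb = 0x2000 if received else 0x0000
    pkt = b"\x02" + struct.pack("<HH", conn | pb, len(l2cap)) + l2cap
    return struct.pack(">IIIIq", len(pkt), len(pkt), int(received), 0, 0) + pkt


# Constructed capture holding three exchanges of the kind described in the thread.
SAMPLE = (
    MAGIC + struct.pack(">II", 1, H4_DATALINK)
    + _record(False, bytes.fromhex("52 0c00 1f01"))
    + _record(True, bytes.fromhex("1b 0e00 1f01") + b"HONG KONG".ljust(18, b"\x00"))
    + _record(False, bytes.fromhex("12 0e00 09 e407 01 0d 0f 36 0b 01 f2 01"))
)

if __name__ == "__main__":
    for direction, op, handle, value in att_values(SAMPLE):
        print(f"{direction:12} {op:9} handle=0x{handle:04x} value={value.hex(' ')}")
    print("hits for E4 07:", len(find_values(SAMPLE, bytes.fromhex("e407"))))
```

To run it on a real log, replace `SAMPLE` with the bytes of the pulled btsnoop file.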
 

mougino

New member
Jan 12, 2020
4
8
In Wireshark, the important information for each BT frame is contained in the fields
  • Bluetooth Attribute Protocol > Handle > UUID
  • and in Bluetooth Attribute Protocol > Value

The very first -easiest- command I was able to identify is the one to Get and Set the Home City and the 5 World Time (WT) Cities.
When you analyse the BT packets, you can see the name of the cities written in all letters in the Value field:
Code:
0000                                       1f 01 48 4f               ..HO
0010   4e 47 20 4b 4f 4e 47 00 00 00 00 00 00 00 00 00   NG KONG.........

We can observe that to GET the Home City, we send a Write command with the value 1F00 to the service 0x26EB002C (aka Custom Service #2C). In return, we will receive a notification through the service 0x26EB002D (aka Custom Service #2D) containing an echo of the Command ID (1F00) followed by the name of the Home City in upper-case (e.g. "PARIS").

To SET the Home City is just as easy: we send a Write request to the service 0x26EB002D (Custom Service #2D) with the value 1F00 followed by the name of the new Home City on 18 Bytes (e.g. "PARIS"), tailed with 0x00.

GETting and SETting the 5 World Time Cities is very similar: you only need to use the Command IDs 1F01 to 1F05...
 

mougino

New member
Jan 12, 2020
4
8
The next command I reverse engineered is the one to set the date and time.

I started to search for the hexadecimal value "07 E4" in the traces (2020 in decimal = the current year). The search returned zero results... If finding a WORD (value encoded on 2 bytes) in big endian* fails, you gotta try searching for it in little endian* ;) so I did another search for "E4 07" this time, and bingo! It appears in a SET command starting with the ID 0x09.

* search Wikipedia for "Endianness"

The full structure of the binary value is:
Code:
  ([B]09[/B])  YYYY MM DD HH mm ss ?? ?? 01	?? ?? is the milliseconds in big endian(?)

	[B]Mon.13-JAN (15:54:10) traces[/B]
  ([B]09[/B]) E4 07 01 0D 0F 36 0B 01 F2 01	   --> 2020-01-13 15:54:11 (,498?)

	[B]Wed.15-JAN (15:29:27) traces[/B]
  ([B]09[/B]) E4 07 01 0F 0F 1D 1E 03 44 01	   --> 2020-01-15 15:29:30 (,836?)

You can notice there's a difference in the trace timestamp and the time sent, respectively 1 second and 3 seconds. That is quite normal: I disabled the time synchronization in the watch settings, so the watch time can deviate from the atomic time by a few seconds (the user guide states a tolerance of +/- 15s per month average).
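
A decoder for the two frame layouts described in the posts above (0x1F city frames and 0x09 time frames), added here as an example and not part of the original posts. The function names are made up for illustration; the payloads are copied from the thread, including the 0x09 write quoted further down. The weekday check is an observation on these three payloads only, not something the thread confirms.

```python
from datetime import datetime

# Values copied from the thread: the Hong Kong notification and three 0x09 payloads
# (two from the post above, the third from the gatttool write quoted further down).
CITY_FRAME = bytes.fromhex("1f 01 48 4f 4e 47 20 4b 4f 4e 47" + " 00" * 9)
TIME_FRAMES = [bytes.fromhex(h) for h in (
    "09 E4 07 01 0D 0F 36 0B 01 F2 01",
    "09 E4 07 01 0F 0F 1D 1E 03 44 01",
    "09 E6 07 03 19 0B 29 07 05 4F 01",
)]


def decode_city(frame):
    """0x1F frame: command ID, slot (0 = home, 1-5 = world time), 18-byte name."""
    if len(frame) != 20 or frame[0] != 0x1F or frame[1] > 5:
        raise ValueError("not a city frame")
    return frame[1], frame[2:].rstrip(b"\x00").decode("ascii")


def encode_city(slot, name):
    """Build a SET value: 1F <slot>, then the upper-case name NUL-padded to 18 bytes.
    Allowing a full 18-character name is an assumption; the thread only shows 9."""
    raw = name.upper().encode("ascii")
    if not 0 <= slot <= 5 or not 0 < len(raw) <= 18:
        raise ValueError("slot must be 0-5 and name 1-18 ASCII characters")
    return bytes([0x1F, slot]) + raw.ljust(18, b"\x00")


def decode_time(frame):
    """0x09 frame: little-endian year, month, day, hour, minute, second, 3 more bytes."""
    if len(frame) != 11 or frame[0] != 0x09:
        raise ValueError("not a time frame")
    year = int.from_bytes(frame[1:3], "little")
    stamp = datetime(year, *frame[3:8])      # raises ValueError on impossible dates
    return stamp, frame[8:11]


def check_tail(frame):
    """Test two readings of the bytes that follow the seconds field."""
    stamp, tail = decode_time(frame)
    as_ms = int.from_bytes(tail[:2], "big")  # the "milliseconds in big endian(?)" reading
    return {
        "time": stamp.isoformat(sep=" "),
        "ms_big_endian": as_ms,
        "ms_plausible": as_ms < 1000,
        "byte8_is_weekday": tail[0] == stamp.isoweekday(),  # 1 = Monday ... 7 = Sunday
    }


if __name__ == "__main__":
    print(decode_city(CITY_FRAME))
    for frame in TIME_FRAMES:
        print(frame.hex(" "), check_tail(frame))
```

On the three payloads the big-endian milliseconds reading gives 498, 836 and 1359, while the first byte after the seconds equals the ISO weekday of the decoded date each time.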
 

seanlano

Member
Mar 3, 2017
9
6
Hey, did you ever manage to get any further with this @mougino ? I've also got one of these watches, and have been playing around with the BLE connection to it. I've managed to successfully set the alarm times and on/off state – but so far haven't had any luck with setting the actual time. I tried writing with the op-code you suggested of 0x09, but it doesn't seem to actually do anything for me.
 

izivkov

Member
Dec 28, 2019
25
11
Hope somebody can help me. I'm having trouble getting/setting time on my Casio GW-B5600BC-2BJF. I can get and Set most other things like alarms, home city, etc using the #2D command (Characteristic: 26eb002d-b012-49a8-b1f8-394fb2032b0f), but when I try to set the time, it has no effect. The command does not complain, but does not change the time. Should I be using a different characteristic? Here are supported BLE services on my watch:
Code:
[CD:85:24:01:62:17][LE]> connect
Attempting to connect to CD:85:24:01:62:17
Connection successful
[CD:85:24:01:62:17][LE]> characteristics
handle: 0x0003, char properties: 0x02, char value handle: 0x0004, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x0005, char properties: 0x02, char value handle: 0x0006, uuid: 00002a01-0000-1000-8000-00805f9b34fb
handle: 0x0008, char properties: 0x02, char value handle: 0x0009, uuid: 00002a07-0000-1000-8000-00805f9b34fb
handle: 0x000b, char properties: 0x04, char value handle: 0x000c, uuid: 26eb002c-b012-49a8-b1f8-394fb2032b0f
handle: 0x000d, char properties: 0x18, char value handle: 0x000e, uuid: 26eb002d-b012-49a8-b1f8-394fb2032b0f
handle: 0x0010, char properties: 0x18, char value handle: 0x0011, uuid: 26eb0023-b012-49a8-b1f8-394fb2032b0f
handle: 0x0013, char properties: 0x14, char value handle: 0x0014, uuid: 26eb0024-b012-49a8-b1f8-394fb2032b0f
[CD:85:24:01:62:17][LE]>

Here is the command I'm sending:
Wrote to characteristic 26eb002d-b012-49a8-b1f8-394fb2032b0f | value: 0x09 E6 07 03 19 0B 29 07 05 4F 01

Thanks in advance.
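
The `char properties` byte in the gatttool listing above is a bitmask; decoding it shows which characteristics accept writes and reproduces the (R)/(W*)/(NW) legend from the first post. This is an added example, not part of the original post; the bit names follow the Bluetooth Core Specification and the function names are made up for illustration.

```python
import re

# Characteristic property bits as defined in the Bluetooth Core Specification.
PROPERTY_BITS = [
    (0x01, "broadcast"), (0x02, "read"), (0x04, "write-without-response"),
    (0x08, "write"), (0x10, "notify"), (0x20, "indicate"),
    (0x40, "signed-write"), (0x80, "extended"),
]
LINE = re.compile(
    r"handle: 0x([0-9a-f]{4}), char properties: 0x([0-9a-f]{2}), "
    r"char value handle: 0x([0-9a-f]{4}), uuid: ([0-9a-f-]{36})"
)

# Listing copied from the post above.
LISTING = """\
handle: 0x0003, char properties: 0x02, char value handle: 0x0004, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x0005, char properties: 0x02, char value handle: 0x0006, uuid: 00002a01-0000-1000-8000-00805f9b34fb
handle: 0x0008, char properties: 0x02, char value handle: 0x0009, uuid: 00002a07-0000-1000-8000-00805f9b34fb
handle: 0x000b, char properties: 0x04, char value handle: 0x000c, uuid: 26eb002c-b012-49a8-b1f8-394fb2032b0f
handle: 0x000d, char properties: 0x18, char value handle: 0x000e, uuid: 26eb002d-b012-49a8-b1f8-394fb2032b0f
handle: 0x0010, char properties: 0x18, char value handle: 0x0011, uuid: 26eb0023-b012-49a8-b1f8-394fb2032b0f
handle: 0x0013, char properties: 0x14, char value handle: 0x0014, uuid: 26eb0024-b012-49a8-b1f8-394fb2032b0f
"""


def parse_characteristics(text):
    """Map each characteristic UUID to its value handle and decoded property names."""
    result = {}
    for match in LINE.finditer(text):
        props = int(match.group(2), 16)
        result[match.group(4)] = {
            "value_handle": int(match.group(3), 16),
            "properties": [name for bit, name in PROPERTY_BITS if props & bit],
        }
    return result


def legend(properties):
    """Render property names in the (R)/(W)/(W*)/(N) notation of the first post."""
    marks = [("notify", "N"), ("read", "R"), ("write", "W"),
             ("write-without-response", "W*")]
    return "".join(tag for name, tag in marks if name in properties)


if __name__ == "__main__":
    for uuid, info in parse_characteristics(LISTING).items():
        print(f"0x{info['value_handle']:04x} {uuid} ({legend(info['properties'])}) "
              f"{', '.join(info['properties'])}")
```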
 

izivkov

Member
Dec 28, 2019
25
11
Same here. Did you resolve this? See my message above. Thanks.
 

seanlano

Member
Mar 3, 2017
9
6
OK, I will let you know if I figure it out.

Just curious, are you writing an Android app for the watch?
I was planning on having something running on a Raspberry Pi Zero W – I can program, but I've never made an Android app. My plan was to do something in Python, ideally having the Pi Zero running somewhere in my bedroom so that the Casio watch can do the time synchronisation at night. If I can get that working I'd also thought about setting some alarms and reminders for the day ahead, like maybe connect it to a calendar and put any important events into the reminders function of the watch, things that the existing Casio app can't do. An Android app would be a better way of doing this, but I figured I'd get it working in Python first since it's faster for me.
 

izivkov

Member
Dec 28, 2019
25
11
Ok, thanks for the info.
I more or less figured out how to set the time. It involves setting the DST for all world locations first. I guess it makes sense, since the Casio will update the time for all locations. I still don't understand some things so I will need to figure it out first, and I can share if you are interested.
I am working on an open source Android app to integrate the Casio watch with Google services on Android, such as calendar and Alarm clock. It will not replace the official app. I have been working on this app for about a month now, and got the alarms and now the time setting working. I think the calendar integration will be the most challenging, since I don't know what the data means to Casio.

Currently the github is private, because it is WIP, but I will make it public when it is ready.
 

izivkov

Member
Dec 28, 2019
25
11
@seanlano I have the basic app running, except for the reminders. If you'd like to try it, here is the github:
It is private, so not sure if you can access it, so let me know.

If you don't want to bother building the APK, I have put it on my Google drive:

I'm curious to see if for you the local time works properly, and the battery level is correct. Where are you located?

Of course, use at your own risk. It might screw up some settings on your watch. In that case, you may have to reset it like this:


Ivo
 

seanlano

Member
Mar 3, 2017
9
6
Hey @izivkov, I tried it out and it seems to mostly work! :D
The time setting worked correctly (I made sure by manually setting the time to be very wrong, and your app brought it back to the correct time). The home time zone (Sydney) was correct too.
However, the battery level didn't work – the Casio app shows my watch at 100% but your app shows only maybe 20%.
The alarms worked well too, although I found that any time I set the alarms it turns off the hourly signal, and the app doesn't have a way to turn it back on (this isn't a big deal though, since it's only a couple of buttons to press on the watch).

Keep up the good work!
 

izivkov

Member
Dec 28, 2019
25
11
Hey, thanks for the feedback.

- I did not notice the hourly signal setting and will fix it. Possibly add a setting to the app to turn it on/off.
- For the battery level, I was not sure I was getting the right value, but for me it seemed to be about right. Obviously, I should look at other ways to set it.
- I'm working on Calendar events integration with Watch's reminders, and when I finish this and fix these issues you mentioned I will have another version and will let you know.

Cheers
 

izivkov

Member
Dec 28, 2019
25
11
Hey, thanks for starring my github. I moved the code to another repository: https://github.com/izivkov/CasioGShockPhoneSync, which is now public. Feel free to star the new one. ;-)

Basically, I added Google calendar event support, and fixed the issue with hourly chime getting reset. Still cannot figure out how the battery level is read. I get a value using command 0x28, but the value does not make sense. I get back something like 0x28 0x0f 0x17 0x00 for about 25% charged battery, and 0x28 0x13 0x19 0x00 for almost fully charged one. I think I will disable the battery icon until I can figure out what is going on.

Anyway, adding some documentation now. Hope other people can contribute to this project and possibly support more watch models.
 

izivkov

Member
Dec 28, 2019
25
11
I'm a bit stuck. I'm trying to detect the difference between GW-B5600 long-press lower left button and short-press lower-right button as far as the connection to the Android device is concerned. The app on the phone should be able to tell the difference, because the official app acts differently when the right button is pressed, i.e. sets the current location. This does not happen for left-button connection. But the data sent to the phone from the watch is identical. If somebody has figured this out, please let me know.
 

izivkov

Member
Dec 28, 2019
25
11
For those who are interested in how to communicate with the Casio G-Shock 5600 BT watches, here is the latest github I created:


And you can get the android app on PlayStore:


Enjoy
 

drunkenHiker

Member
May 16, 2022
22
0
I've been working on a very similar app but for a slightly different Casio model. I'm not very familiar with BLE and am getting to a point where I'd happily pay someone for investigating the communication.
Would anyone be willing to figure it out?
 

izivkov

Member
Dec 28, 2019
25
11
Sure, I can take a look. You can contact me by email directly at [email protected], or better still you can post to the github repository:

 
