Hacking the Casio G-Shock GW-B5600 BLE

Useful topic?

  • Yes

    Votes: 3 75.0%
  • No

    Votes: 1 25.0%

  • Total voters
    4
Search This thread

szilamer

Senior Member
May 26, 2005
96
1
Hi Guys,

Do you know that G-Shock Connected app's database can be downloaded / modified ?

It's a matter of "patching" the app and it's a simple realm database. Unfortunately the solution can't be released because it's against the license agreement.

I have a Casio GPR-B1000 watch and reading the database looks like easier ( I have a ready solution ) than catching the BT packets. But I really appreciate your efforts and work you did here. I've also checked your source code.

Direct Message (meaning a private chat).
Do you also have a GPR-B1000 ?
 

drunkenHiker

Member
May 16, 2022
15
0
Do you also have a GPR-B1000 ?
Yes.
I've just replied to your thread on watchuseek but let's continue here.
Yes, I have this watch and use it regularly.
I've seen how you neatly extracted the data. Very impressive. I'll go and try the same.
The problem is that when you move the app to the SD those files disappear and when you click your route you don't see any data.

You see, the problem is the app. It's awful. The ESRI maps suck.
On top of that, they share or your routes and locations with amazon servers. It's not private at all.
I've started building my own app with Open Street Maps but izivkov and I have been struggling with figuring out the BLE communication.
 
Last edited:

izivkov

Member
Dec 28, 2019
25
11
Hi Guys,

Do you know that G-Shock Connected app's database can be downloaded / modified ?

It's a matter of "patching" the app and it's a simple realm database. Unfortunately the solution can't be released because it's against the license agreement.

I have a Casio GPR-B1000 watch and reading the database looks like easier ( I have a ready solution ) than catching the BT packets. But I really appreciate your efforts and work you did here. I've also checked your source code.
Thanks for the info. No, I did know that, but my goal was not just modify the official app. I wanted to make another app winch will integrate with Google services better. That is why make the Gshock Smart Sync app.
 
  • Like
Reactions: drunkenHiker

drunkenHiker

Member
May 16, 2022
15
0
Thanks for the info. No, I did know that, but my goal was not just modify the official app. I wanted to make another app winch will integrate with Google services better. That is why make the Gshock Smart Sync app.
Yeah. For me the privacy issues are also a thing.
I couldn't get past the communication issues. The last thing I noticed was that it yields all actions to the console log. But I didn't abandon the project.
I'm seriously considering paying a company specialised in BLE to figure it out the details.
 

szilamer

Senior Member
May 26, 2005
96
1
Yes.
I've just replied to your thread on watchuseek but let's continue here.
Yes, I have this watch and use it regularly.
I've seen how you neatly extracted the data. Very impressive. I'll go and try the same.
The problem is that when you move the app to the SD those files disappear and when you click your route you don't see any data.

You see, the problem is the app. It's awful. The ESRI maps suck.
On top of that, they share or your routes and locations with amazon servers. It's not private at all.
I've started building my own app with Open Street Maps but izivkov and I have been struggling with figuring out the BLE communication.
Just don't move the app to the SD card.
Here are the main steps of extracting the realm DB from the GShock app:

1. Use apktools for decompiling the apk

2. Modify the manifest xml to make it backupable

3. Modify some smali files to return true (1) from packageMatchesToken methods. This is needed to bypass the cert check during app's startup

4. Use apktools for rebuilding apk

5. Use apktool gui to easily realign and resign the apk

6. Reinstall the generated apk on your phone

7. Use apk backup command to create a backup of GShock app. Id = com.casio.gshock...

8. Use abp.jar to create a .tar file from the previously created backup file.

That's all. You can also use the above method for making the Gshock app debuggable. That's needed to make adb push work, so it will be possible to push a modified db to your phone.

Yeah. For me the privacy issues are also a thing.
I couldn't get past the communication issues. The last thing I noticed was that it yields all actions to the console log. But I didn't abandon the project.
I'm seriously considering paying a company specialised in BLE to figure it out the details.
I don't think a company is needed here, that's too expensive :) The communication is complicated but it looks understandable based on the decompiled apk, logcat logs.

Thanks for the info. No, I did know that, but my goal was not just modify the official app. I wanted to make another app winch will integrate with Google services better. That is why make the Gshock Smart Sync app.
Yes, I think this is the best solution if you wouldn't like to find yourself being sued by Casio. It's against the license agreement to release a modified GShock Connected
 

drunkenHiker

Member
May 16, 2022
15
0
Just don't move the app to the SD card.
Here are the main steps of extracting the realm DB from the GShock app:

1. Use apktools for decompiling the apk

2. Modify the manifest xml to make it backupable

3. Modify some smali files to return true (1) from packageMatchesToken methods. This is needed to bypass the cert check during app's startup

4. Use apktools for rebuilding apk

5. Use apktool gui to easily realign and resign the apk

6. Reinstall the generated apk on your phone

7. Use apk backup command to create a backup of GShock app. Id = com.casio.gshock...

8. Use abp.jar to create a .tar file from the previously created backup file.

That's all. You can also use the above method for making the Gshock app debuggable. That's needed to make adb push work, so it will be possible to push a modified db to your phone.


I don't think a company is needed here, that's too expensive :) The communication is complicated but it looks understandable based on the decompiled apk, logcat logs.


Yes, I think this is the best solution if you wouldn't like to find yourself being sued by Casio. It's against the license agreement to release a modified GShock Connected
Do you think you could do that? In principle we need to find out which method the app uses to decode coordinates from the watch. I have a couple of guesses. DM me if you'd like to try that.
 

szilamer

Senior Member
May 26, 2005
96
1
Yeah. For me the privacy issues are also a thing.
I couldn't get past the communication issues. The last thing I noticed was that it yields all actions to the console log. But I didn't abandon the project.
I'm seriously considering paying a company specialised in BLE to figure it out the details.
Do you think you could do that? In principle we need to find out which method the app uses to decode coordinates from the watch. I have a couple of guesses. DM me if you'd like to try th
Do you have a basic skeleton app for downloading the "raw" byte data / array from the watch ?
 

izivkov

Member
Dec 28, 2019
25
11
Yeah. For me the privacy issues are also a thing.
I couldn't get past the communication issues. The last thing I noticed was that it yields all actions to the console log. But I didn't abandon the project.
I'm seriously considering paying a company specialised in BLE to figure it out the details.
So, according to this thread, it is possible to decompile the official APK and then use it to debug exactly how geo-point are sent and received. This could be a good starting point got your watch. I will look into it as well.
 

szilamer

Senior Member
May 26, 2005
96
1
So, according to this thread, it is possible to decompile the official APK and then use it to debug exactly how geo-point are sent and received. This could be a good starting point got your watch. I will look into it as well.
Exactly. I can send you some classes , method names to make it quicker for you, If you are interested.
I'm also interested in trying out the read operation from a custom built app, but first of all I would need a simplest skeleton app to establish the basic connection. I'm a .net / c# backend developer, so I will need a few steps to set up the dev environment for this purpose.
 
  • Like
Reactions: drunkenHiker

drunkenHiker

Member
May 16, 2022
15
0
Do you have a basic skeleton app for downloading the "raw" byte data / array from the watch ?
No, I've made a skeleton app for routes.
I was also able to identify certain methods that might be responsible for working with that data from the watch but with @izivkov we were unable to definitely point to exact methods - the reason being, we struggled with compiling/decompiling process.

Can we move to some sort of a chat?
 

izivkov

Member
Dec 28, 2019
25
11
I basically know how the B5600's work, but @drunkenHiker would like to get his Ranger1000 (I think) to send and receive geo points. I do not have this watch, so I cannot test it. But if we can decompile the original app, we can look at the data exactly and figure it out.
 
  • Like
Reactions: drunkenHiker

izivkov

Member
Dec 28, 2019
25
11
Exactly. I can send you some classes , method names to make it quicker for you, If you are interested.
I'm also interested in trying out the read operation from a custom built app, but first of all I would need a simplest skeleton app to establish the basic connection. I'm a .net / c# backend developer, so I will need a few steps to set up the dev environment for this purpose.
So, after decompiling the APK, are you able the load the code into Android Studio and rebuild it? I had problem rebuilding the app from the decompiled sources. Could you please let me know how you decompiled the app, and how you were able to compile from the sources. Thanks.
 

szilamer

Senior Member
May 26, 2005
96
1
So, after decompiling the APK, are you able the load the code into Android Studio and rebuild it? I had problem rebuilding the app from the decompiled sources. Could you please let me know how you decompiled the app, and how you were able to compile from the sources. Thanks.
No, to be honest I don't know Android Studio at all. I'm a C# backend developer.
Just use apktools / apktools gui , it also has a build option. Smali modification is needed if you'd like to try changing anything. Jadx can be also useful for viewing.
 

szilamer

Senior Member
May 26, 2005
96
1
No, I've made a skeleton app for routes.
I was also able to identify certain methods that might be responsible for working with that data from the watch but with @izivkov we were unable to definitely point to exact methods - the reason being, we struggled with compiling/decompiling process.

Can we move to some sort of a chat?
Check the attached video.
I've managed to extract the data., so It's working !
Lots of things are still missing, and I'm a backend dev, so the GUI is also ugly. :)

This app currently shows one of my old routes in the summer. The coordinates were downloaded from my watch.
 

Attachments

  • vid_rangeman_sync.mp4
    524.9 KB · Views: 0

szilamer

Senior Member
May 26, 2005
96
1
This is a Xamarin based C# application running on my phone.
It was difficult to find a really working BLE nuget package for Xamarin / C#.
 

szilamer

Senior Member
May 26, 2005
96
1
The BT connection is built up once you click the Casio GPR-B1000.
I think this will also need some improvement.
 

drunkenHiker

Member
May 16, 2022
15
0
Check the attached video.
I've managed to extract the data., so It's working !
Lots of things are still missing, and I'm a backend dev, so the GUI is also ugly. :)

This app currently shows one of my old routes in the summer. The coordinates were downloaded from my watch.
Whoah! Man!
This is incredible. Can you guide us a bit on the mechanics of this app?

I have the gui with route planning, GPX export/import etc.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 4
    For those who are interested in how to communicate with the Casio G-Shock 5600 BT watches, here is the latest github I created:


    And you can get the android app on PlayStore:


    Enjoy
    2
    Hello all, this is my first post here! :)

    In this article I will explain my method of hacking the Square G-Shocks that make use of a Bluetooth module (I have a GW-B5600, but it should theoretically work on the GMW-B5000 too) with the goal to create our own Android app that will allow to get info and set the watch via BLE (Bluetooth Low Energy) commands/requests.

    The tools I am using are: (sorry no link I am too new)
    • nRF Connect for Android by Nordic Semiconductor from the Play Store
    • Wireshark desktop (Windows/Mac) from the official website
    • The official "G-Shock Connected" Android app from the Play Store
    • And adb that can be found in the Android platform tools (by default in "C:\Users\usrname\AppData\Local\Android\Sdk\platform-tools")

    Your phone does not need to be rooted but needs the Developer options enabled.

    1 Discover the services offered by the G-Shock

    I am using nRF Connect installed from the Play Store to scan for BT devices.
    Long-press the (C) (bottom left) button on the B5600 to enable BT on the watch.
    Hit Scan in nRF and search for "CASIO GW-B5600" and tap it to show the following details:
    Code:
    Device BT Name: 	CASIO GW-B5600
    Device BT Address:	[B]EB:1C:FF:90:C2:34[/B]
    Offered services:	0x1801 				Generic Attribute
    			0x1800 			Generic Access
    				0x2A00 (R)	Device Name
    				0x2A01 (R)	Appearance
    			0x1804 			Tx Power
    				0x2A07 (R) 	Tx Power Level
    			0x26EB00 0D		Unknown Service
    				(UUID 0x2902 for all)
    				[B]0x26EB002C (W*)	Custom Service #2C[/B]
    				[B]0x26EB002D (NW)	Custom Service #2D[/B]
    				0x26EB0023 (NW)	Custom Service #23
    				0x26EB0024 (NW*)Custom Service #24
    (R) is read only (W) write (W*) write no response (N) notify.
    The important information has been set in bold: the BT address that we will use to analyze the packets, and the 2 services that I called #2C and #2D that are used by the official G-Shock app to get and set info from/to the watch.

    2 Enable Bluetooth traces on the phone

    After that, open the phone Developer options > Enable Bluetooth HCI snoop log.
    Or use the USB debugging mode, plug the phone to the computer and type the following command in a prompt:
    Code:
    adb shell settings put secure bluetooth_hci_log 1

    To know where the BT traces will be stored, type the following command:
    Code:
    adb shell cat /etc/bluetooth/bt_stack.conf
    and look at the line starting with 'BtSnoopFileName=' to locate the BT log files.

    3 Capture BT activity and save the logs on computer

    Install and run the "G-Shock Connected" app on your phone from the Play Store.
    Do manipulations between the watch and the app, take note of the time you make them.
    Then plug the phone and type:
    Code:
    adb pull /data/log/bt/btsnoop_hci*.log
    Note: the place and name of the logs are for my Huawei Mate 10. You will need to adapt the path with the one you got at step 2.

    4 Analyze the BT traces in Wireshark

    Open Wireshark and drag and drop one of the "btsnoop_hci*.log" files pulled to the computer onto the program.
    Add a filter on the G-Shock BT address we got from nRF Connect at step 1:
    Code:
    bluetooth.addr==EB:1C:FF:90:C2:34
    And hit enter to see the BLE activity on the watch.

    Now the fun (or the boring part, it depends ;)) begins... Understanding the BT requests/answers (get info) and BT commands (set info)!
    2
    In Wireshark, the important information for each BT frame are contained in the fields
    • Bluetooth Attribute Protocol > Handle > UUID
    • and in Bluetooth Attribute Protocol > Value

    The very first -easiest- command I was able to identify is the one to Get and Set the Home City and the 5 World Time (WT) Cities.
    When you analyse the BT packets, you can see the name of the cities written in all letters in the Value field:
    Code:
    0000                                       1f 01 48 4f               ..HO
    0010   4e 47 20 4b 4f 4e 47 00 00 00 00 00 00 00 00 00   NG KONG.........

    We can observe that to GET the Home City, we send a Write command with the value 1F00 to the service 0x26EB002C (aka Custom Service #2C). In return, we will receive a notification through the service 0x26EB002D (aka Custom Service #2D) containing an echo of the Command ID (1F00) followed by the name of the Home City in upper-case (e.g. "PARIS").

    To SET the Home City is just as easy: we send a Write request to the service 0x26EB002D (Custom Service #2D) with the value 1F00 followed by the name of the new Home City on 18 Bytes (e.g. "PARIS"), tailed with 0x00.

    GETting and SETting the 5 World Time Cities is very similar: you only need to use the Command IDs 1F01 to 1F05...
    2
    The next command I reverse engineered is the one to set the date and time.

    I started to search for the hexadecimal value "07 E4" in the traces (2020 in decimal = the current year). The search returned zero result... If finding a WORD (value encoded on 2 bytes) in big endian* fails, you gotta try searching it in little endian* ;) so I did another search for "E4 07" this time, and bingo! It appears in a SET command starting with the ID 0x09.

    * search Wikipedia for "Endianness"

    The full structure of the binary value is:
    Code:
      ([B]09[/B])  YYYY MM DD HH mm ss ?? ?? 01	?? ?? is the milliseconds in big endian(?)
    
    	[B]Mon.13-JAN (15:54:10) traces[/B]
      ([B]09[/B]) E4 07 01 0D 0F 36 0B 01 F2 01	   --> 2020-01-13 15:54:11 (,498?)
    
    	[B]Wed.15-JAN (15:29:27) traces[/B]
      ([B]09[/B]) E4 07 01 0F 0F 1D 1E 03 44 01	   --> 2020-01-15 15:29:30 (,836?)

    You can notice there's a difference in the trace timestamp and the time sent, respectively 1 second and 3 seconds. That is quite normal: I disabled the time synchronization in the watch settings, so the watch time can deviate from the atomic time by a few seconds (the user guide states a tolerance of +/- 15s per month average).
    2
    That would be very cool! I'll be happy to do some beta testing if you end up getting to that stage. :) Good luck!