Hacking the Casio G-Shock GW-B5600 BLE


drunkenHiker

Which programming language are you using?

Is it possible to connect your code with a Xamarin / .NET based lib?
I'm using Kotlin in Android Studio.
I'll do some research.

If that doesn't work, we could set up a zoom and gradually translate my code into Xamarin.
Although in Kotlin I have the advantage of using ready libraries for many features. I don't know if they exist in your language. In such a case we would have to write those blocks anew.
 

izivkov

No, to be honest I don't know Android Studio at all. I'm a C# backend developer.
Just use apktool / apktool GUI, which also has a build option. Smali modification is needed if you'd like to try changing anything. Jadx can also be useful for viewing.
OK, thanks. I was hoping it would be possible to rebuild the app from decompiled sources, as this would give us a great way to put breakpoints and see exactly what they are sending and what these values mean for all watches. But I don't think this is easy to do or practical.
 

szilamer

The logcat log is very talkative, and you can even enable logging (if it's disabled) with some minor smali changes.
 

szilamer

Ok.
The Xamarin translation of your app sounds painful.

What do you think about creating a background app / service in Xamarin for handling the watch connection?

Would that be possible?

And would it make sense in that case to use any IPC technique to communicate between my and your process?

Do you have experience in this? As I mentioned, I'm not an Android developer, so this is brand new territory for me.
 

drunkenHiker

It might be difficult but I'm determined to do it. This way or another. We're gonna do it, brother.
How about you explain it to @izivkov so he can write it in Kotlin?
 

szilamer

Mapsui looks like a very good library / nuget package for using OpenStreetMap in Xamarin
 

szilamer

I've sent you a private message regarding comm features.
Yes, sorry for the delayed response, I was on a family holiday this weekend.
I will answer your message later today.

The next thing regarding this project should be to find out what's sent to the watch when the transfer route is selected from Casio's app. So currently only the other direction is working: downloading log data (tracked route) and/or point memo.
 

drunkenHiker

Good point. Do you think the Wireshark logs would be helpful?
 

drunkenHiker

I don't think so. Logcat log is better for this watch.
Yeah, it seems so. That's what comes to my head when I look at your achievements.
Counting on Wireshark was a dead end. It was confusing.

I'm gonna be doing the logcat research in the next couple of days focusing on the upload communication.

Let's move to the private conversation, all three of us. This thread becomes hard to look through with all those details. I'm setting up a separate convo for us three.
 

szilamer


OK, private conversation is a good idea.
Just a small update: I think I understand the upload data structure now. Two separate byte arrays are needed:

Header: This one has the transit point count and node count.

Data: This has the GPS coordinates (8+8 bytes). It's a little bit tricky because some interim points are inserted automatically between the way points.

Header and Data are sent to the common BLE characteristic by using the ~ operator and some CRC calculation. There is also a complex workflow under the hood to handle the errors / data chunks.
 

drunkenHiker

I've found the method responsible for this in the app. I'll see its mechanics and let you know in the chat.
 

szilamer

I only had limited time to work on this project, but it seems I have a working version for only two points: start, end/goal.
 

Attachments

  • Screen_Recording_20221019_205858.mp4 (6.3 MB)

Top Liked Posts

    For those who are interested in how to communicate with the Casio G-Shock 5600 BT watches, here is the latest github I created:


    And you can get the android app on PlayStore:


    Enjoy
    Hello all, this is my first post here! :)

    In this article I will explain my method of hacking the Square G-Shocks that make use of a Bluetooth module (I have a GW-B5600, but it should theoretically work on the GMW-B5000 too) with the goal to create our own Android app that will allow to get info and set the watch via BLE (Bluetooth Low Energy) commands/requests.

    The tools I am using are: (sorry no link I am too new)
    • nRF Connect for Android by Nordic Semiconductor from the Play Store
    • Wireshark desktop (Windows/Mac) from the official website
    • The official "G-Shock Connected" Android app from the Play Store
    • And adb that can be found in the Android platform tools (by default in "C:\Users\usrname\AppData\Local\Android\Sdk\platform-tools")

    Your phone does not need to be rooted but needs the Developer options enabled.

    1 Discover the services offered by the G-Shock

    I am using nRF Connect installed from the Play Store to scan for BT devices.
    Long-press the (C) (bottom left) button on the B5600 to enable BT on the watch.
    Hit Scan in nRF and search for "CASIO GW-B5600" and tap it to show the following details:
    Code:
    Device BT Name:     CASIO GW-B5600
    Device BT Address:  EB:1C:FF:90:C2:34
    Offered services:
      0x1801                Generic Attribute
      0x1800                Generic Access
          0x2A00 (R)        Device Name
          0x2A01 (R)        Appearance
      0x1804                Tx Power
          0x2A07 (R)        Tx Power Level
      0x26EB000D            Unknown Service (UUID 0x2902 for all)
          0x26EB002C (W*)   Custom Service #2C
          0x26EB002D (NW)   Custom Service #2D
          0x26EB0023 (NW)   Custom Service #23
          0x26EB0024 (NW*)  Custom Service #24
    (R) is read only, (W) write, (W*) write no response, (N) notify.
    The important information is the BT address, which we will use to analyze the packets, and the 2 services that I called #2C and #2D, which are used by the official G-Shock app to get and set info from/to the watch.

    2 Enable Bluetooth traces on the phone

    After that, open the phone Developer options > Enable Bluetooth HCI snoop log.
    Or use the USB debugging mode: plug the phone into the computer and type the following command in a prompt:
    Code:
    adb shell settings put secure bluetooth_hci_log 1

    To know where the BT traces will be stored, type the following command:
    Code:
    adb shell cat /etc/bluetooth/bt_stack.conf
    and look at the line starting with 'BtSnoopFileName=' to locate the BT log files.

    3 Capture BT activity and save the logs on computer

    Install and run the "G-Shock Connected" app on your phone from the Play Store.
    Do manipulations between the watch and the app, and take note of the time you make them.
    Then plug the phone and type:
    Code:
    adb pull /data/log/bt/btsnoop_hci*.log
    Note: the place and name of the logs are for my Huawei Mate 10. You will need to adapt the path with the one you got at step 2.

    4 Analyze the BT traces in Wireshark

    Open Wireshark and drag and drop one of the "btsnoop_hci*.log" files pulled to the computer onto the program.
    Add a filter on the G-Shock BT address we got from nRF Connect at step 1:
    Code:
    bluetooth.addr==EB:1C:FF:90:C2:34
    And hit enter to see the BLE activity on the watch.

    Now the fun (or the boring part, it depends ;)) begins... Understanding the BT requests/answers (get info) and BT commands (set info)!
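    Added example (written for this page, not taken from the original post or from the G-Shock Connected app): a small Python parser that walks a btsnoop_hci.log pulled as in step 3 and lists the ATT Write Request / Write Command / Handle Value Notification PDUs, i.e. the same information the post reads out of Wireshark's "Bluetooth Attribute Protocol > Handle" and "Value" fields. It assumes the H4 (HCI UART) datalink that Android's snoop log uses, reports ATT handles rather than characteristic UUIDs (the handle-to-UUID mapping is established during service discovery and is not in the ACL record itself, so the 0x000E/0x0010 handles in the constructed sample are assumptions), and does not filter by device address. With no file argument it runs on a constructed two-record sample.

```python
import struct
import sys
from dataclasses import dataclass

# btsnoop container (the format Android writes for the HCI snoop log); all fields big-endian
BTSNOOP_MAGIC = b"btsnoop\x00"
BTSNOOP_HDR = struct.Struct(">II")       # version, datalink type
BTSNOOP_REC = struct.Struct(">IIIIq")    # orig len, incl len, flags, cumulative drops, timestamp (us)
DATALINK_H4 = 1002                       # HCI UART (H4): the first byte of each packet is the HCI type

H4_ACL = 0x02
L2CAP_CID_ATT = 0x0004
ATT_OPCODES = {0x12: "Write Request", 0x1B: "Handle Value Notification", 0x52: "Write Command"}


@dataclass
class AttPdu:
    direction: str       # "phone->watch" or "watch->phone"
    timestamp_us: int
    opcode: int
    handle: int          # ATT handle; map it to a UUID with the discovery results from step 1
    value: bytes


def iter_btsnoop_records(blob: bytes):
    """Yield (flags, timestamp_us, packet) for every complete record in a btsnoop file."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    _version, datalink = BTSNOOP_HDR.unpack_from(blob, 8)
    if datalink != DATALINK_H4:
        raise ValueError(f"unsupported datalink type {datalink}; this parser only handles H4")
    off = 16
    while off + BTSNOOP_REC.size <= len(blob):
        _orig_len, incl_len, flags, _drops, ts = BTSNOOP_REC.unpack_from(blob, off)
        off += BTSNOOP_REC.size
        pkt = blob[off:off + incl_len]
        off += incl_len
        if len(pkt) == incl_len:          # a truncated trailing record is skipped, not mis-parsed
            yield flags, ts, pkt


def extract_att(blob: bytes) -> list[AttPdu]:
    """Return the ATT writes and notifications carried in ACL packets, in capture order."""
    out = []
    for flags, ts, pkt in iter_btsnoop_records(blob):
        if len(pkt) < 12 or pkt[0] != H4_ACL:          # type(1)+ACL hdr(4)+L2CAP hdr(4)+opcode+handle
            continue
        _conn_handle_flags, _acl_len = struct.unpack_from("<HH", pkt, 1)   # HCI ACL header, little-endian
        l2cap_len, cid = struct.unpack_from("<HH", pkt, 5)                 # L2CAP basic header
        if cid != L2CAP_CID_ATT:
            continue
        att = pkt[9:9 + l2cap_len]
        if len(att) < 3 or att[0] not in ATT_OPCODES:
            continue
        (handle,) = struct.unpack_from("<H", att, 1)
        # btsnoop flags bit 0: 0 = sent by the host (the phone), 1 = received from the controller
        direction = "phone->watch" if (flags & 1) == 0 else "watch->phone"
        out.append(AttPdu(direction, ts, att[0], handle, att[3:]))
    return out


# --- constructed sample capture (assumed handles, not a real log) -------------------
CONN_HANDLE = 0x0040
HANDLE_2C = 0x000E   # assumed ATT handle behind characteristic 0x26EB002C
HANDLE_2D = 0x0010   # assumed ATT handle behind characteristic 0x26EB002D


def h4_acl_att(opcode: int, handle: int, value: bytes) -> bytes:
    att = bytes([opcode]) + struct.pack("<H", handle) + value
    l2cap = struct.pack("<HH", len(att), L2CAP_CID_ATT) + att
    handle_flags = CONN_HANDLE | (0b10 << 12)       # PB flag = first packet, automatically flushable
    return bytes([H4_ACL]) + struct.pack("<HH", handle_flags, len(l2cap)) + l2cap


def btsnoop_record(flags: int, ts: int, pkt: bytes) -> bytes:
    return BTSNOOP_REC.pack(len(pkt), len(pkt), flags, 0, ts) + pkt


def build_sample_log() -> bytes:
    """A GET Home City write to #2C followed by the notification echo from #2D."""
    t0 = 1_000_000
    return (BTSNOOP_MAGIC + BTSNOOP_HDR.pack(1, DATALINK_H4)
            + btsnoop_record(0, t0, h4_acl_att(0x52, HANDLE_2C, bytes.fromhex("1f00")))
            + btsnoop_record(1, t0 + 120_000,
                             h4_acl_att(0x1B, HANDLE_2D, bytes.fromhex("1f00") + b"PARIS".ljust(18, b"\x00"))))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_log()
    for p in extract_att(blob):
        print(f"{p.timestamp_us:>16} {p.direction:<13} {ATT_OPCODES[p.opcode]:<26} "
              f"handle=0x{p.handle:04x} value={p.value.hex()}")
```

    Run it as `python att_dump.py btsnoop_hci.log` against a pulled log; the handle column is what you correlate with the "Handle > UUID" field Wireshark shows once it has seen the discovery exchange.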
    In Wireshark, the important information for each BT frame are contained in the fields
    • Bluetooth Attribute Protocol > Handle > UUID
    • and in Bluetooth Attribute Protocol > Value

    The very first -easiest- command I was able to identify is the one to Get and Set the Home City and the 5 World Time (WT) Cities.
    When you analyse the BT packets, you can see the name of the cities written in all letters in the Value field:
    Code:
    0000                                       1f 01 48 4f               ..HO
    0010   4e 47 20 4b 4f 4e 47 00 00 00 00 00 00 00 00 00   NG KONG.........

    We can observe that to GET the Home City, we send a Write command with the value 1F00 to the service 0x26EB002C (aka Custom Service #2C). In return, we will receive a notification through the service 0x26EB002D (aka Custom Service #2D) containing an echo of the Command ID (1F00) followed by the name of the Home City in upper-case (e.g. "PARIS").

    To SET the Home City is just as easy: we send a Write request to the service 0x26EB002D (Custom Service #2D) with the value 1F00 followed by the name of the new Home City on 18 Bytes (e.g. "PARIS"), tailed with 0x00.

    GETting and SETting the 5 World Time Cities is very similar: you only need to use the Command IDs 1F01 to 1F05...
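    Added example (mine, not from the post or Casio's app) that turns the description above into an encoder/decoder for the 0x1F city command: index 0x00 for the Home City and 0x01..0x05 for the World Time cities, the GET written to 0x26EB002C, the SET and the notification echo on 0x26EB002D. The 18-byte name field is read as "upper-case ASCII, padded with 0x00", which matches the 20-byte HONG KONG notification quoted above (2 id bytes + 9 letters + 9 zeros). Requiring at least one 0x00 terminator inside the field, the characteristic labels and the strict 20-byte framing check are my assumptions.

```python
# 0x1F city command as described in the post: command byte, city index, then (for SET and
# for the notification echo) the city name in an 18-byte field padded with 0x00.
CMD_CITY = 0x1F
HOME_CITY = 0x00
WORLD_TIME_SLOTS = range(1, 6)
NAME_FIELD_LEN = 18

# Short UUIDs as shown by nRF Connect in the post: GET requests are written to #2C,
# the answer arrives as a notification on #2D, and SET is written to #2D.
CHAR_REQUEST = "0x26EB002C"
CHAR_IO = "0x26EB002D"

# The notification quoted in the post (HONG KONG as World Time city 1), 20 bytes.
CAPTURED_NOTIFICATION = bytes.fromhex("1f01" "484f4e47204b4f4e47" + "00" * 9)


def _check_index(index: int) -> None:
    if index != HOME_CITY and index not in WORLD_TIME_SLOTS:
        raise ValueError(f"city index must be 0 (home) or 1..5 (world time), got {index}")


def city_get(index: int) -> tuple[str, bytes]:
    """(characteristic, payload) for a GET: just the 2-byte command id."""
    _check_index(index)
    return CHAR_REQUEST, bytes([CMD_CITY, index])


def city_set(index: int, name: str) -> tuple[str, bytes]:
    """(characteristic, payload) for a SET: command id + upper-case name, NUL-padded to 18 bytes."""
    _check_index(index)
    raw = name.strip().upper().encode("ascii")     # non-ASCII names raise UnicodeEncodeError on purpose
    # Assumption: keep at least one 0x00 terminator inside the field, so names are 1..17 bytes.
    if not raw or len(raw) >= NAME_FIELD_LEN:
        raise ValueError(f"city name must be 1..{NAME_FIELD_LEN - 1} ASCII bytes, got {len(raw)}")
    return CHAR_IO, bytes([CMD_CITY, index]) + raw.ljust(NAME_FIELD_LEN, b"\x00")


def parse_city_notification(frame: bytes) -> tuple[int, str]:
    """Decode the notification echo into (index, name); rejects anything that is not a clean frame."""
    if len(frame) != 2 + NAME_FIELD_LEN or frame[0] != CMD_CITY:
        raise ValueError(f"not a {2 + NAME_FIELD_LEN}-byte 0x1F city frame: {frame.hex()}")
    _check_index(frame[1])
    field = frame[2:]
    name = field.split(b"\x00", 1)[0]
    if field[len(name):].lstrip(b"\x00"):            # garbage after the terminator => mis-framed
        raise ValueError(f"non-zero padding after city name: {frame.hex()}")
    return frame[1], name.decode("ascii")           # raises UnicodeDecodeError on non-ASCII bytes


if __name__ == "__main__":
    print(parse_city_notification(CAPTURED_NOTIFICATION))                       # (1, 'HONG KONG')
    print(city_get(HOME_CITY))                                                  # ('0x26EB002C', b'\x1f\x00')
    char, payload = city_set(HOME_CITY, "Paris")
    print(char, payload.hex())                                                  # 0x26EB002D 1f00 50415249 53 00...
    for i in WORLD_TIME_SLOTS:                                                  # the 1F01..1F05 GETs
        print(city_get(i)[1].hex())
```

    Rebuilding the captured frame with `city_set(1, "hong kong")` reproduces the quoted bytes exactly, which is the quickest sanity check that a reading of a byte layout is right before sending anything to the watch.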
    The next command I reverse engineered is the one to set the date and time.

    I started to search for the hexadecimal value "07 E4" in the traces (2020 in decimal = the current year). The search returned zero result... If finding a WORD (value encoded on 2 bytes) in big endian* fails, you gotta try searching it in little endian* ;) so I did another search for "E4 07" this time, and bingo! It appears in a SET command starting with the ID 0x09.

    * search Wikipedia for "Endianness"

    The full structure of the binary value is:
    Code:
      (09) YYYY MM DD HH mm ss ?? ?? 01      ?? ?? is the milliseconds in big endian(?)

      Mon.13-JAN (15:54:10) traces
      (09) E4 07 01 0D 0F 36 0B 01 F2 01     --> 2020-01-13 15:54:11 (,498?)

      Wed.15-JAN (15:29:27) traces
      (09) E4 07 01 0F 0F 1D 1E 03 44 01     --> 2020-01-15 15:29:30 (,836?)

    You can notice there's a difference in the trace timestamp and the time sent, respectively 1 second and 3 seconds. That is quite normal: I disabled the time synchronization in the watch settings, so the watch time can deviate from the atomic time by a few seconds (the user guide states a tolerance of +/- 15s per month average).
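    Added example (not from the original post): a codec for the 0x09 set-time frame with the layout given above, the little-endian year, the two millisecond bytes read big-endian as the post hypothesises, and the constant 0x01 trailer, checked against both captured frames, plus the little-endian word search that found the frame in the first place. Rejecting a millisecond value above 999 and treating the trailer as an opaque byte are my choices, not something the post states.

```python
import struct
from datetime import datetime

CMD_SET_TIME = 0x09
TIME_FRAME_LEN = 11
TRAILER = 0x01     # constant last byte in both captured frames; its meaning is not known

# The two frames quoted in the post.
CAPTURED_TIME_FRAMES = [
    bytes.fromhex("09e407010d0f360b01f201"),   # Mon 13-JAN, watch time 15:54:11.498
    bytes.fromhex("09e407010f0f1d1e034401"),   # Wed 15-JAN, watch time 15:29:30.836
]


def build_time_set(dt: datetime, trailer: int = TRAILER) -> bytes:
    """Encode a datetime into the 11-byte 0x09 frame."""
    ms = dt.microsecond // 1000
    return (bytes([CMD_SET_TIME])
            + struct.pack("<H", dt.year)                  # little-endian: E4 07 for 2020, not 07 E4
            + bytes([dt.month, dt.day, dt.hour, dt.minute, dt.second])
            + struct.pack(">H", ms)                       # post's hypothesis: milliseconds, big-endian
            + bytes([trailer]))


def parse_time_set(frame: bytes) -> tuple[datetime, int]:
    """Decode an 0x09 frame into (datetime, trailer byte); raises ValueError on anything malformed."""
    if len(frame) != TIME_FRAME_LEN or frame[0] != CMD_SET_TIME:
        raise ValueError(f"not an {TIME_FRAME_LEN}-byte 0x09 frame: {frame.hex()}")
    (year,) = struct.unpack_from("<H", frame, 1)
    month, day, hour, minute, second = frame[3:8]
    (ms,) = struct.unpack_from(">H", frame, 8)
    if ms > 999:
        raise ValueError(f"millisecond field out of range: {ms}")
    # datetime() itself rejects impossible month/day/hour/minute/second values
    return datetime(year, month, day, hour, minute, second, ms * 1000), frame[10]


def find_le_word(blob: bytes, value: int) -> list[int]:
    """Offsets where a 16-bit value appears little-endian: the search trick from the post."""
    needle = struct.pack("<H", value)
    hits, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


if __name__ == "__main__":
    for frame in CAPTURED_TIME_FRAMES:
        dt, trailer = parse_time_set(frame)
        print(frame.hex(), "->", dt.isoformat(timespec="milliseconds"), f"trailer=0x{trailer:02x}")
    # the big-endian search for 07 E4 finds nothing, the little-endian one hits offset 1
    print(CAPTURED_TIME_FRAMES[0].find(b"\x07\xe4"), find_le_word(CAPTURED_TIME_FRAMES[0], 2020))
```

    Round-tripping each captured frame through `parse_time_set` and `build_time_set` gives the original bytes back, so the layout is at least self-consistent; whether the two unknown bytes really are milliseconds is still the post's open question.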
    That would be very cool! I'll be happy to do some beta testing if you end up getting to that stage. :) Good luck!