Hacking the Casio G-Shock GW-B5600 BLE


szilamer (Senior Member, joined May 26, 2005)
Hi Guys,

Do you know that the G-Shock Connected app's database can be downloaded / modified?

It's a matter of "patching" the app, and it's a simple Realm database. Unfortunately the solution can't be released because it's against the license agreement.

I have a Casio GPR-B1000 watch, and reading the database looks easier (I have a ready solution) than catching the BT packets. But I really appreciate your efforts and the work you did here. I've also checked your source code.

Do you also have a GPR-B1000?
 

drunkenHiker (Member, joined May 16, 2022)
Do you also have a GPR-B1000?
Yes.
I've just replied to your thread on watchuseek but let's continue here.
Yes, I have this watch and use it regularly.
I've seen how you neatly extracted the data. Very impressive. I'll go and try the same.
The problem is that when you move the app to the SD those files disappear and when you click your route you don't see any data.

You see, the problem is the app. It's awful. The ESRI maps suck.
On top of that, they share your routes and locations with Amazon servers. It's not private at all.
I've started building my own app with Open Street Maps but izivkov and I have been struggling with figuring out the BLE communication.
 

izivkov (Member, joined Dec 28, 2019)
Hi Guys,

Do you know that the G-Shock Connected app's database can be downloaded / modified?

It's a matter of "patching" the app, and it's a simple Realm database. Unfortunately the solution can't be released because it's against the license agreement.

I have a Casio GPR-B1000 watch, and reading the database looks easier (I have a ready solution) than catching the BT packets. But I really appreciate your efforts and the work you did here. I've also checked your source code.
Thanks for the info. No, I did know that, but my goal was not just to modify the official app. I wanted to make another app which will integrate with Google services better. That is why I made the Gshock Smart Sync app.
 

drunkenHiker (Member, joined May 16, 2022)
Thanks for the info. No, I did know that, but my goal was not just to modify the official app. I wanted to make another app which will integrate with Google services better. That is why I made the Gshock Smart Sync app.
Yeah. For me the privacy issues are also a thing.
I couldn't get past the communication issues. The last thing I noticed was that it yields all actions to the console log. But I didn't abandon the project.
I'm seriously considering paying a company specialised in BLE to figure out the details.
 

szilamer (Senior Member, joined May 26, 2005)
Yes.
I've just replied to your thread on watchuseek but let's continue here.
Yes, I have this watch and use it regularly.
I've seen how you neatly extracted the data. Very impressive. I'll go and try the same.
The problem is that when you move the app to the SD those files disappear and when you click your route you don't see any data.

You see, the problem is the app. It's awful. The ESRI maps suck.
On top of that, they share your routes and locations with Amazon servers. It's not private at all.
I've started building my own app with Open Street Maps but izivkov and I have been struggling with figuring out the BLE communication.
Just don't move the app to the SD card.
Here are the main steps of extracting the realm DB from the GShock app:

1. Use apktools for decompiling the apk

2. Modify the manifest xml to make it backupable

3. Modify some smali files to return true (1) from packageMatchesToken methods. This is needed to bypass the cert check during app's startup

4. Use apktools for rebuilding apk

5. Use apktool gui to easily realign and resign the apk

6. Reinstall the generated apk on your phone

7. Use apk backup command to create a backup of GShock app. Id = com.casio.gshock...

8. Use abp.jar to create a .tar file from the previously created backup file.

That's all. You can also use the above method for making the Gshock app debuggable. That's needed to make adb push work, so it will be possible to push a modified db to your phone.

Yeah. For me the privacy issues are also a thing.
I couldn't get past the communication issues. The last thing I noticed was that it yields all actions to the console log. But I didn't abandon the project.
I'm seriously considering paying a company specialised in BLE to figure out the details.
I don't think a company is needed here, that's too expensive :) The communication is complicated but it looks understandable based on the decompiled apk, logcat logs.

Thanks for the info. No, I did know that, but my goal was not just modify the official app. I wanted to make another app winch will integrate with Google services better. That is why make the Gshock Smart Sync app.
Yes, I think this is the best solution if you wouldn't like to find yourself being sued by Casio. It's against the license agreement to release a modified GShock Connected.
 

drunkenHiker (Member, joined May 16, 2022)
Just don't move the app to the SD card.
Here are the main steps of extracting the realm DB from the GShock app:

1. Use apktools for decompiling the apk

2. Modify the manifest xml to make it backupable

3. Modify some smali files to return true (1) from packageMatchesToken methods. This is needed to bypass the cert check during app's startup

4. Use apktools for rebuilding apk

5. Use apktool gui to easily realign and resign the apk

6. Reinstall the generated apk on your phone

7. Use apk backup command to create a backup of GShock app. Id = com.casio.gshock...

8. Use abp.jar to create a .tar file from the previously created backup file.

That's all. You can also use the above method for making the Gshock app debuggable. That's needed to make adb push work, so it will be possible to push a modified db to your phone.


I don't think a company is needed here, that's too expensive :) The communication is complicated but it looks understandable based on the decompiled apk, logcat logs.


Yes, I think this is the best solution if you wouldn't like to find yourself being sued by Casio. It's against the license agreement to release a modified GShock Connected.
Do you think you could do that? In principle we need to find out which method the app uses to decode coordinates from the watch. I have a couple of guesses. DM me if you'd like to try that.
 

szilamer (Senior Member, joined May 26, 2005)
Yeah. For me the privacy issues are also a thing.
I couldn't get past the communication issues. The last thing I noticed was that it yields all actions to the console log. But I didn't abandon the project.
I'm seriously considering paying a company specialised in BLE to figure out the details.
Do you think you could do that? In principle we need to find out which method the app uses to decode coordinates from the watch. I have a couple of guesses. DM me if you'd like to try that.
Do you have a basic skeleton app for downloading the "raw" byte data / array from the watch?
 

izivkov (Member, joined Dec 28, 2019)
Yeah. For me the privacy issues are also a thing.
I couldn't get past the communication issues. The last thing I noticed was that it yields all actions to the console log. But I didn't abandon the project.
I'm seriously considering paying a company specialised in BLE to figure out the details.
So, according to this thread, it is possible to decompile the official APK and then use it to debug exactly how geo-points are sent and received. This could be a good starting point for your watch. I will look into it as well.
 

szilamer (Senior Member, joined May 26, 2005)
So, according to this thread, it is possible to decompile the official APK and then use it to debug exactly how geo-points are sent and received. This could be a good starting point for your watch. I will look into it as well.
Exactly. I can send you some classes and method names to make it quicker for you, if you are interested.
I'm also interested in trying out the read operation from a custom built app, but first of all I would need a simplest skeleton app to establish the basic connection. I'm a .net / c# backend developer, so I will need a few steps to set up the dev environment for this purpose.
 

drunkenHiker (Member, joined May 16, 2022)
Do you have a basic skeleton app for downloading the "raw" byte data / array from the watch?
No, I've made a skeleton app for routes.
I was also able to identify certain methods that might be responsible for working with that data from the watch but with @izivkov we were unable to definitely point to exact methods - the reason being, we struggled with compiling/decompiling process.

Can we move to some sort of a chat?
 

izivkov (Member, joined Dec 28, 2019)
I basically know how the B5600's work, but @drunkenHiker would like to get his Ranger1000 (I think) to send and receive geo points. I do not have this watch, so I cannot test it. But if we can decompile the original app, we can look at the data exactly and figure it out.
 

izivkov (Member, joined Dec 28, 2019)
Exactly. I can send you some classes and method names to make it quicker for you, if you are interested.
I'm also interested in trying out the read operation from a custom built app, but first of all I would need a simplest skeleton app to establish the basic connection. I'm a .net / c# backend developer, so I will need a few steps to set up the dev environment for this purpose.
So, after decompiling the APK, are you able to load the code into Android Studio and rebuild it? I had problems rebuilding the app from the decompiled sources. Could you please let me know how you decompiled the app, and how you were able to compile from the sources. Thanks.
 

szilamer (Senior Member, joined May 26, 2005)
So, after decompiling the APK, are you able to load the code into Android Studio and rebuild it? I had problems rebuilding the app from the decompiled sources. Could you please let me know how you decompiled the app, and how you were able to compile from the sources. Thanks.
No, to be honest I don't know Android Studio at all. I'm a C# backend developer.
Just use apktools / apktools gui, it also has a build option. Smali modification is needed if you'd like to try changing anything. Jadx can also be useful for viewing.
 

szilamer (Senior Member, joined May 26, 2005)
No, I've made a skeleton app for routes.
I was also able to identify certain methods that might be responsible for working with that data from the watch but with @izivkov we were unable to definitely point to exact methods - the reason being, we struggled with compiling/decompiling process.

Can we move to some sort of a chat?
Check the attached video.
I've managed to extract the data, so it's working!
Lots of things are still missing, and I'm a backend dev, so the GUI is also ugly. :)

This app currently shows one of my old routes in the summer. The coordinates were downloaded from my watch.
 

Attachments

  • vid_rangeman_sync.mp4 (524.9 KB)

szilamer (Senior Member, joined May 26, 2005)
This is a Xamarin based C# application running on my phone.
It was difficult to find a really working BLE nuget package for Xamarin / C#.
 

szilamer (Senior Member, joined May 26, 2005)
The BT connection is built up once you click the Casio GPR-B1000.
I think this will also need some improvement.
 

drunkenHiker (Member, joined May 16, 2022)
Check the attached video.
I've managed to extract the data, so it's working!
Lots of things are still missing, and I'm a backend dev, so the GUI is also ugly. :)

This app currently shows one of my old routes in the summer. The coordinates were downloaded from my watch.
Whoah! Man!
This is incredible. Can you guide us a bit on the mechanics of this app?

I have the gui with route planning, GPX export/import etc.
 

Top Liked Posts

    For those who are interested in how to communicate with the Casio G-Shock 5600 BT watches, here is the latest github I created:


    And you can get the android app on PlayStore:


    Enjoy
    I've been working on a very similar app but for a slightly different Casio model. I'm not very familiar with BLE and am getting to a point where I'd happily pay someone to investigate the communication.
    Would anyone be willing to figure it out?
    Sure, I can take a look. You can contact me by email directly at izivkov@gmail.com, or better still you can post to the github repository:

    Hello all, this is my first post here! :)

    In this article I will explain my method of hacking the Square G-Shocks that make use of a Bluetooth module (I have a GW-B5600, but it should theoretically work on the GMW-B5000 too), with the goal of creating our own Android app that will allow us to get info from and set the watch via BLE (Bluetooth Low Energy) commands/requests.

    The tools I am using are: (sorry no link I am too new)
    • nRF Connect for Android by Nordic Semiconductor from the Play Store
    • Wireshark desktop (Windows/Mac) from the official website
    • The official "G-Shock Connected" Android app from the Play Store
    • And adb that can be found in the Android platform tools (by default in "C:\Users\usrname\AppData\Local\Android\Sdk\platform-tools")

    Your phone does not need to be rooted but needs the Developer options enabled.

    1 Discover the services offered by the G-Shock

    I am using nRF Connect installed from the Play Store to scan for BT devices.
    Long-press the (C) (bottom left) button on the B5600 to enable BT on the watch.
    Hit Scan in nRF and search for "CASIO GW-B5600" and tap it to show the following details:
    Code:
    Device BT Name:     CASIO GW-B5600
    Device BT Address:  EB:1C:FF:90:C2:34
    Offered services:   0x1801               Generic Attribute
                        0x1800               Generic Access
                            0x2A00 (R)       Device Name
                            0x2A01 (R)       Appearance
                        0x1804               Tx Power
                            0x2A07 (R)       Tx Power Level
                        0x26EB000D           Unknown Service
                            (UUID 0x2902 for all)
                            0x26EB002C (W*)  Custom Service #2C
                            0x26EB002D (NW)  Custom Service #2D
                            0x26EB0023 (NW)  Custom Service #23
                            0x26EB0024 (NW*) Custom Service #24
    (R) is read only (W) write (W*) write no response (N) notify.
    The important information is the BT address that we will use to analyze the packets, and the 2 services that I called #2C and #2D, which are used by the official G-Shock app to get and set info from/to the watch.

    2 Enable Bluetooth traces on the phone

    After that, open the phone Developer options > Enable Bluetooth HCI snoop log.
    Or use the USB debugging mode, plug the phone to the computer and type the following command in a prompt:
    Code:
    adb shell settings put secure bluetooth_hci_log 1

    To know where the BT traces will be stored, type the following command:
    Code:
    adb shell cat /etc/bluetooth/bt_stack.conf
    and look at the line starting with 'BtSnoopFileName=' to locate the BT log files.

    3 Capture BT activity and save the logs on computer

    Install and run the "G-Shock Connected" app on your phone from the Play Store.
    Do manipulations between the watch and the app, take note of the time you make them.
    Then plug the phone and type:
    Code:
    adb pull /data/log/bt/btsnoop_hci*.log
    Note: the place and name of the logs are for my Huawei Mate 10. You will need to adapt the path with the one you got at step 2.

    4 Analyze the BT traces in Wireshark

    Open Wireshark and drag and drop one of the "btsnoop_hci*.log" files pulled to the computer onto the program.
    Add a filter on the G-Shock BT address we got from nRF Connect at step 1:
    Code:
    bluetooth.addr==EB:1C:FF:90:C2:34
    And hit enter to see the BLE activity on the watch.

    Now the fun (or the boring part, it depends ;)) begins... Understanding the BT requests/answers (get info) and BT commands (set info)!
    In Wireshark, the important information for each BT frame is contained in the fields
    • Bluetooth Attribute Protocol > Handle > UUID
    • and in Bluetooth Attribute Protocol > Value

    The very first -easiest- command I was able to identify is the one to Get and Set the Home City and the 5 World Time (WT) Cities.
    When you analyse the BT packets, you can see the name of the cities written in all letters in the Value field:
    Code:
    0000                                       1f 01 48 4f               ..HO
    0010   4e 47 20 4b 4f 4e 47 00 00 00 00 00 00 00 00 00   NG KONG.........

    We can observe that to GET the Home City, we send a Write command with the value 1F00 to the service 0x26EB002C (aka Custom Service #2C). In return, we will receive a notification through the service 0x26EB002D (aka Custom Service #2D) containing an echo of the Command ID (1F00) followed by the name of the Home City in upper-case (e.g. "PARIS").

    To SET the Home City is just as easy: we send a Write request to the service 0x26EB002D (Custom Service #2D) with the value 1F00 followed by the name of the new Home City on 18 Bytes (e.g. "PARIS"), tailed with 0x00.

    GETting and SETting the 5 World Time Cities is very similar: you only need to use the Command IDs 1F01 to 1F05...
    The next command I reverse engineered is the one to set the date and time.

    I started to search for the hexadecimal value "07 E4" in the traces (2020 in decimal = the current year). The search returned zero results... If finding a WORD (value encoded on 2 bytes) in big endian* fails, you gotta try searching for it in little endian* ;) so I did another search for "E4 07" this time, and bingo! It appears in a SET command starting with the ID 0x09.

    * search Wikipedia for "Endianness"

    The full structure of the binary value is:
    Code:
      (09) YYYY MM DD HH mm ss ?? ?? 01      ?? ?? is the milliseconds in big endian(?)

        Mon.13-JAN (15:54:10) traces
      (09) E4 07 01 0D 0F 36 0B 01 F2 01      --> 2020-01-13 15:54:11 (,498?)

        Wed.15-JAN (15:29:27) traces
      (09) E4 07 01 0F 0F 1D 1E 03 44 01      --> 2020-01-15 15:29:30 (,836?)

    You can notice there's a difference in the trace timestamp and the time sent, respectively 1 second and 3 seconds. That is quite normal: I disabled the time synchronization in the watch settings, so the watch time can deviate from the atomic time by a few seconds (the user guide states a tolerance of +/- 15s per month average).
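The two value layouts worked out in this post and in the Home City post above (1F <slot> + 18-byte city name; 09 + little-endian year, date/time bytes, big-endian milliseconds, 01), as an added Python example that is not code from the thread or from any of the apps mentioned. The constant names, the 18-byte name field and the big-endian reading of the millisecond word are assumptions taken from the posts' own notes; the sample frames are the ones quoted in the traces above.

```python
import struct
from datetime import datetime

# Command IDs as identified in the posts above (first byte of the #2D value)
CMD_CITY = 0x1F       # 1F00 = Home City, 1F01..1F05 = World Time cities 1-5
CMD_DATETIME = 0x09   # 09 YYYY(LE) MM DD HH mm ss MSMS(BE) 01
CITY_NAME_LEN = 18    # assumed from the post: name on 18 bytes, 0x00-padded


def decode_city(frame: bytes) -> tuple[int, str]:
    """Decode a city notification: 1F <slot> <upper-case name padded to 18 bytes>."""
    if len(frame) < 2 or frame[0] != CMD_CITY:
        raise ValueError("not a city frame")
    name_field = frame[2:2 + CITY_NAME_LEN]
    name = name_field.split(b"\x00", 1)[0].decode("ascii")
    return frame[1], name


def encode_city_set(slot: int, name: str) -> bytes:
    """Build the SET value written to #2D: 1F <slot> + name on 18 bytes, 0x00-tailed."""
    raw = name.upper().encode("ascii")
    if not 0 <= slot <= 5 or len(raw) > CITY_NAME_LEN:
        raise ValueError("slot must be 0..5 and name at most 18 bytes")
    return bytes([CMD_CITY, slot]) + raw.ljust(CITY_NAME_LEN, b"\x00")


def decode_datetime(frame: bytes) -> datetime:
    """Decode 09 YYYY MM DD HH mm ss ?? ?? 01 (year little-endian, ms big-endian)."""
    if len(frame) != 11 or frame[0] != CMD_DATETIME or frame[10] != 0x01:
        raise ValueError("not a date/time frame")
    (year,) = struct.unpack_from("<H", frame, 1)   # E4 07 -> 0x07E4 = 2020
    month, day, hour, minute, second = frame[3:8]
    (millis,) = struct.unpack_from(">H", frame, 8)  # 01 F2 -> 498
    if millis >= 1000:
        raise ValueError("millisecond field out of range")
    return datetime(year, month, day, hour, minute, second, millis * 1000)


def encode_datetime(ts: datetime) -> bytes:
    """Inverse of decode_datetime: the value the app writes to set the clock."""
    return (bytes([CMD_DATETIME]) + struct.pack("<H", ts.year)
            + bytes([ts.month, ts.day, ts.hour, ts.minute, ts.second])
            + struct.pack(">H", ts.microsecond // 1000) + b"\x01")


def parse_value(hex_value: str):
    """Dispatch a Wireshark 'Value' hex string to the matching decoder."""
    frame = bytes.fromhex(hex_value)
    if frame[:1] == bytes([CMD_CITY]):
        return decode_city(frame)
    if frame[:1] == bytes([CMD_DATETIME]):
        return decode_datetime(frame)
    raise ValueError(f"unknown command id 0x{frame[0]:02x}")


if __name__ == "__main__":
    # Constructed from the two traces quoted in the posts above
    print(parse_value("1f01484f4e47204b4f4e47" + "00" * 9))  # (1, 'HONG KONG')
    print(parse_value("09e407010d0f360b01f201"))              # 2020-01-13 15:54:11.498000
```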