Home
This document describes the CHEMION Bluetooth LED Glasses from a hacker's perspective, mostly focusing on Bluetooth packets for interoperability purposes. All information here is as a result of experimentation and reverse engineering.
The glasses have 9 rows of 24 LEDs.
The processor used on the glasses is likely a Nordic nRF51 series SoC which contains a 32-bit ARM Cortex-M0 core. This was identified by the fact that the app supports updating the firmware via Bluetooth, and contains Nordic's DFU library.
The APK file for the app contains four sets of firmware for the device, in Intel HEX format:
- WaGL_C2_0.1.13_20150403.hex
- WaGL_nRF_C2_1.0.0_20150406.hex
- WaGL_nRF_C2_1.0.1_20150904.hex
- WaGL_nRF_C2_1.0.1_20150915.hex
These can be converted to a binary format via a tool such as hex2bin and then analysed with IDA. When loading the binary file into IDA, I set the ROM base and load address to 0x14000 and the processor to ARM (Little-Endian). I also set the base architecture to ARMv6-M and the instruction type to Thumb-2, to match with Cortex-M0.
This results in a sensible analysis with the interrupt vector table at the start and initial EIP set to ROM:140C0.
```asm
ROM:00014000 DCD 0x20003FD8
ROM:00014004 DCD 0x141DD
ROM:00014008 DCD 0x141EF
ROM:0001400C DCD 0x141F1
ROM:00014010 DCD 0
ROM:00014014 DCD 0
ROM:00014018 DCD 0
ROM:0001401C DCD 0
ROM:00014020 DCD 0
ROM:00014024 DCD 0
ROM:00014028 DCD 0
ROM:0001402C DCD 0x141F3
ROM:00014030 DCD 0
ROM:00014034 DCD 0
ROM:00014038 DCD 0x141F5
ROM:0001403C DCD 0x141F7
ROM:00014040 DCD 0x141F9
ROM:00014044 DCD 0x141F9
ROM:00014048 DCD 0x199C9
ROM:0001404C DCD 0x141F9
ROM:00014050 DCD 0x141F9
ROM:00014054 DCD 0
ROM:00014058 DCD 0x193B1
ROM:0001405C DCD 0x15057
ROM:00014060 DCD 0x141F9
ROM:00014064 DCD 0x141F9
ROM:00014068 DCD 0x141F9
ROM:0001406C DCD 0x141F9
ROM:00014070 DCD 0x141F9
ROM:00014074 DCD 0x141F9
ROM:00014078 DCD 0x141F9
ROM:0001407C DCD 0x141F9
ROM:00014080 DCD 0x141F9
ROM:00014084 DCD 0x18B1D
ROM:00014088 DCD 0x141F9
ROM:0001408C DCD 0x141F9
ROM:00014090 DCD 0x18B3F
ROM:00014094 DCD 0x141F9
ROM:00014098 DCD 0x192AD
ROM:0001409C DCD 0x141F9
ROM:000140A0 DCD 0x141F9
ROM:000140A4 DCD 0x141F9
ROM:000140A8 DCD 0
ROM:000140AC DCD 0
ROM:000140B0 DCD 0
ROM:000140B4 DCD 0
ROM:000140B8 DCD 0
ROM:000140BC DCD 0
ROM:000140C0 ; ---------------------------------------------------------------------------
ROM:000140C0 CODE16
ROM:000140C0
ROM:000140C0 loc_140C0 ; CODE XREF: ROM:000141ECj
ROM:000140C0 ; DATA XREF: ROM:000141EAo ...
ROM:000140C0 BL EntryPoint
ROM:000140C4 ; ---------------------------------------------------------------------------
ROM:000140C4 CODE32
ROM:000140C4 BL loc_14146
ROM:000140C8 ; ---------------------------------------------------------------------------
ROM:000140C8 CODE16
ROM:000140C8
ROM:000140C8 EntryPoint ; CODE XREF: ROM:loc_140C0j
ROM:000140C8 ADR R0, loc_140FC
ROM:000140CA LDMIA R0!, {R4,R5}
ROM:000140CC SUBS R0, #8
ROM:000140CE ADDS R4, R4, R0
ROM:000140D0 ADDS R5, R5, R0
ROM:000140D2 MOV R10, R4
ROM:000140D4 SUBS R7, R4, #1
ROM:000140D6 MOV R11, R5
ROM:000140D8 MOV R4, R10
ROM:000140DA MOV R5, R11
ROM:000140DC CMP R4, R5
ROM:000140DE BNE loc_140E4
ROM:000140E0 BL loc_14146
ROM:000140E4 ; ---------------------------------------------------------------------------
```
The code specifies that the LED state array length is 216 elements (9 × 24), and that the frame size (for Bluetooth packets) is 54 bytes. By calculating (54 × 8) ÷ (9 × 24) = 2 we can guess that the frame format is 2 bits per pixel. At the moment I am unsure which bits are in use, and what the different states mean. This will be explored further at a later date.
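To make the 2-bits-per-pixel arithmetic concrete, here is an added example (not code from this wiki or from the CHEMION app) that packs a 9 × 24 LED state grid into a 54-byte frame and unpacks it again. The row-major, MSB-first ordering of pixels within each byte and the meaning of the four 2-bit values are assumptions; the wiki only establishes the 216-element array, the 54-byte frame and the resulting 2 bits per pixel.

```python
# Added example, not code from the wiki or the CHEMION app. The row-major,
# MSB-first pixel ordering and the meaning of the four 2-bit values are
# ASSUMPTIONS; the wiki establishes only 216 LEDs, 54-byte frames, 2 bits/pixel.
ROWS, COLS = 9, 24
LED_COUNT = ROWS * COLS                          # 216-element LED state array
FRAME_BYTES = 54                                 # frame size from the firmware
BITS_PER_PIXEL = (FRAME_BYTES * 8) // LED_COUNT  # 432 bits / 216 pixels = 2
PIXELS_PER_BYTE = 8 // BITS_PER_PIXEL            # 4
STATE_MASK = (1 << BITS_PER_PIXEL) - 1           # 0b11

def _shift(slot):
    # Assumed layout: the first pixel of a byte sits in its two most significant bits.
    return 8 - BITS_PER_PIXEL * (slot + 1)

def pack_frame(states):
    """Pack 216 pixel states (each 0..3) into one 54-byte frame."""
    if len(states) != LED_COUNT:
        raise ValueError(f"expected {LED_COUNT} pixel states, got {len(states)}")
    frame = bytearray(FRAME_BYTES)
    for index, state in enumerate(states):
        if not 0 <= state <= STATE_MASK:
            raise ValueError(f"pixel {index}: state {state} needs more than {BITS_PER_PIXEL} bits")
        byte_index, slot = divmod(index, PIXELS_PER_BYTE)
        frame[byte_index] |= state << _shift(slot)
    return bytes(frame)

def unpack_frame(frame):
    """Inverse of pack_frame: one 54-byte frame -> list of 216 pixel states."""
    if len(frame) != FRAME_BYTES:
        raise ValueError(f"expected a {FRAME_BYTES}-byte frame, got {len(frame)}")
    return [(byte >> _shift(slot)) & STATE_MASK
            for byte in frame for slot in range(PIXELS_PER_BYTE)]

def frame_from_pattern(rows):
    """Build a frame from 9 strings of 24 chars: '.' = state 0, '1'-'3' = the other states."""
    if len(rows) != ROWS or any(len(row) != COLS for row in rows):
        raise ValueError(f"pattern must be {ROWS} rows of {COLS} characters")
    return pack_frame([0 if ch == "." else int(ch) for row in rows for ch in row])

# Constructed sample: a state-1 border with two state-2 pixels in the middle row.
SAMPLE_PATTERN = (
    ["1" * COLS]
    + ["1" + "." * (COLS - 2) + "1"] * 3
    + ["1" + "." * 10 + "22" + "." * 10 + "1"]
    + ["1" + "." * (COLS - 2) + "1"] * 3
    + ["1" * COLS]
)
```

With the assumed layout a row of 24 lit (state 1) pixels packs to six 0x55 bytes, so a frame captured from the real app can be compared against this to test the ordering guess.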
The following command types have been found:
- REQUEST (b, 0x01)
- REPLY (c, 0x02)
- STREAM (d, 0x03)
- NOTIFY (e, 0x04)
- ERROR (f, 0x05)
- IDENTIFY (g, 0x06)
The letters shown are used as enumeration identifiers in the Java bytecode. The numbers are the literal values (bytes).
These values are thought to be used with various commands above, or may be replies from various commands/events.
- STATUS (0x01)
- POWER_OFF (0x02)
- BATTERY_LEVEL (0x03)
- FRAME_DATA_TRANSMISSION_END (0x04)
- FRAME_DATA_TRANSMISSION (0x05)
- GET_DEVICE_IDENTIFIER (0x06)
- FIRMWARE_VERSION (0x07)
- HEARTBEAT (0x08)
- SET_DEVICE_IDENTIFIER (0x09)
- FRAMES_DATA_TRANSMISSION_START (0x0A)
- FRAMES_DATA_TRANSMISSION_END (0x0B)
- FRAMES_DATA_TRANSMISSION (0x0C)
- FRAMES_DATA_RECEIVING_FROM_SLOT_START (0x0D)
- PLAY_FRAMESDATA_ON_SLOT (0x0E)
- DELETE_SLOT_DATA (0x0F)
- FREE_SLOT_SPACE (0x10)
- START_DFU (0x11)
- UNKNOWN_MODULE_ID (0x12)
The glasses have a number of "device slots" to which data can be saved. Data is in the format of an array of frames, each frame describing the LED state.