Time
2023-09-02
dejbug.github.io
Time
I am on the clock. Waiting for my friend to call so we can go help her get some furniture from A to B. (B being a much nicer place than A.)
Waiting
I don't really know what to do with myself while waiting. I can't really concentrate on anything. I can't say I like the feeling. I feel pointless.
But anyway
There are things I need to do but I keep getting distracted left and right (by things I'd rather do). I decided to just let the distractions happen. Let the chaos in. If I were a bit more organized it wouldn't be so disorientating. Or if my working memory were made of firmer stuff. I probably should be taking notes, like these here "blogs". Aids to memory. Weblogs -> Memlogs.
Home sweet home
I've done my duty and now I'm back and showered and relaxed. The time is mine again. There will be no distractions. I had been looking forward to a little heavy lifting though, but all of it was so unrewardingly easy that I unironically regretted getting off the couch for this. Walking there was more exhausting to me, psychologically, than the manual labor awaiting me there. It's all those other folks out there... with their cars and the commotion and the noise. I can't believe that people are able to thrive out there. It's a witch's brew of mind-altering ingredients. I'm on an adrenaline high while I'm out among those lunatics so I feel completely numb when I get home. I don't like leaving home. There's really nothing out there for me anymore. It's come to a point where I no longer want to hang out with my friends. It's interesting how different it is in the chess club. It's a completely different atmosphere. I don't even notice the time passing. And I have new friends there too. I've grown old, that's all.
UNIX Philosophy
I need to remind myself to write smaller, dedicated tools in such a way that they can be easily combined. wiki
TOC Issue
There's a problem with mytoc.js on FFfA (Firefox for Android): clientHeight is smaller than it is when scrolling down while reading. This is wreaking havoc with my positioning. Maybe using svh versus lvh units is a simple fix? The entire re-positioning feels rather fiddly.
Bluetooth on the radar
I had got myself a fitness watch. Cue for laughter. A cheap one just to have a closer look at one. It's been lying around for a while now and it's time to put it to some use. Hopefully an unintended one. But first things first.
Oh Cathy, oh Alison, oh Phillipa, oh Sue
[bluetooth]# scan le
Discovery started
[CHG] Controller 00:1A:7D:DA:71:12 Discovering: yes
[NEW] Device E9:1C:7D:82:E5:6B ID131Color HR
ID131Color HR. The images that come up in the search are a perfect match. So its official name is "LETSCOM ID115PHR Health & Fitness Tracker" letsfit.com
Apparently it was meant to be paired with the VeryFitPro app play:G (instead of the Letsfit app play:G?) but I might be able to use Gadgetbridge f-droid.org or do some damage with something like DaFlasher (a flasher for DaFit-based devices) play:G hackaday, if indeed it is DaFit based.
And boy-o have these guys here gone the extra mile in testing the thing. techgearlab.com They seem to be saying that it's basically an illuminated plastic bracelet.
It has a couple of sensors though and can vibrate. I'd be happy to turn it into a pomodoro timer. wiki
Smart Watch
What I really need is a cheap programmable watch like PineTime wiki.pine64.org hackaday or Open-SmartWatch open-smartwatch:gh hackaday or even BangleJS banglejs.com (which seems very inefficient, with JS and always-on LCD, and how they don't even mention average battery life for normal use). I need the thing so I can make my parents' home a little smarter. For example, I would like to make sure my parents don't forget to turn off the stove before leaving the house. I want my father, who is becoming sedentary due to his bad knees, to have a dashboard-like overview of every critical device that is running in their house. Stuff like that.
Bluetooth
I'm looking for bluetooth libs for Python to do some tests. bluepy gh looks abandoned but bleak gh seems like the way to go. bleak:rtd Found a nice-looking tutorial people.csail:mit for Bluez gh. bluetooth.com
Partial upgrades are unsupported
My repositories have changed so I'm upgrading the system. There was an issue with ruby-rexml. I had to pacman -Qo wiki:arch to check whether the files belonged to a tracked package before deleting them. I don't use Ruby and only had it installed to try out Jekyll because GH Pages was harping on about it. Obviously I don't think much of it. I like my bespoke solution better. The Ruby crowd is an interesting bunch but I don't see the point in learning any of it now.
Alias
I have an alias set so I don't forget to do a "full" upgrade: pacman -Syu. wiki:arch I've just had to add an alias for pacman -Sy archlinux-keyring as well.
Todo
DaFit Fitness Tracker firmware update protocol: gist:gh. This guy! gist:gh. But always beware of bricking your device: gist:gh.
Stuff
Espruino is a JavaScript interpreter for microcontrollers. It can fit into devices with as little as 128kB Flash and 8kB RAM. gh espruino.com espruino.com webbluetoothcg:gh
Espruino oscilloscope example gh
The ground-breaking bluetooth beacon - An Open Source JavaScript microcontroller you can program and debug wirelessly puck-js.com
The World's first Open Source Hackable Smart Watch banglejs.com shop.espruino.com
nRF52832 Bluetooth Low Energy Module adafruit.com nordicsemi.com
The fastest, most flexible 2D WebGL renderer pixijs.com pixijs.download
Intermission
I've tried Gadgetbridge f-droid.org but it wants too many permissions and, worst of all, keeps nagging. codeberg.org F-Droid wouldn't update Feeder nor Forkyz so I duckducked forum.f-droid.org and they referred to dontkillmyapp.com. Still no luck. Might have to update F-Droid itself.
TIL
Something called the Open Collective opencollective.com. Also it bothers me that Location has to be on for Bluetooth LE scanning to work. android:Sx issuetracker:G issuetracker:G
"You can definitely track a device by inferring what Bluetooth devices or Wi-Fi networks are nearby or are currently connected. So even if an app just scans for Bluetooth devices and doesn't utilize GPS or other tracking technologies, it still needed the same Location permission nonetheless." — xda-developers.com
Kudos to these guys:
The goal of this project is the creation of an easy to use, mostly plug-and-play, JTAG/SWD debugger for embedded microcontrollers. The project focuses on professional embedded software developers that prefer retaining control over their build systems and testing environments instead of relying on highly abstracted vendor tools that give the impression of simplicity at the cost of transparency. — black-magic.org
Need to check this out. Contagio Malware Dump contagiodump.blogspot.com.
I've stumbled upon roboflow just now. In particular this chess object detection blog entry blog.roboflow.com. Good to know somebody is doing work on this. It's something every chess player who can't afford a DGT board has been thinking of. We still don't have a good tool to flatten chess videos into PGNs. The last time I pondered doing this was when I was trying to get motivated enough to delve into ML, but players in my club don't really like to have cameras around. A less paranoia-inducing solution would be to use what they have in some cheap (non-mechanical) keyboards (a three-foil sandwich where the two outer ones get pressed together and a current flows digikey.com hackaday) and to spread that across the board. Also a custom board can be built with IR LEDs and LDRs to detect the presence and absence of pieces. Still, something like this, requiring just a simple camera, definitely would be nice to have. I booked up on OpenCV years ago but still no motivation. That whole AI craze is swooshing by me. It's ironic, but that's another story. kaggle.com huggingface.co blog.roboflow.com public.roboflow.com public.roboflow.com
Grown and made in Hokkaido, Japan tozandoshop.com. Sad themoviedb.org. Fun web-japan.org. Yummy justonecookbook.com bosh.tv bowlsarethenewplates.com.
Apparently
Apparently apkmirror.com is managed by the androidpolice.com guys: android:Sx. But it only mirrors free apps and so it didn't have the two apks I wanted to look into.
First Steps First
I've got the Nordic Semiconductor's Bluetooth sniffer nordicsemi.com. It's a really nice application that I would love to replicate from the console. (I will probably be able to do it quickly with python-bleak but the lib feels more sluggish compared to my C experiments.) This great little sniffer though is showing me all the endpoints of my watch.
Generic Access
  UUID: 0x1800
  PRIMARY SERVICE
  Device Name
    UUID: 0x2A00
    Properties: READ, WRITE
  Appearance
    UUID: 0x2A01
    Properties: READ
  Peripheral Preferred Connection Par...
    UUID: 0x2A04
    Properties: READ
Generic Attribute
  UUID: 0x1801
  PRIMARY SERVICE
  Service Changed
    UUID: 0x2A05
    Properties: INDICATE
    Descriptors:
      Client Characteristic Configuration
        UUID: 0x2902
Unknown Service
  UUID: 0x0AF0
  PRIMARY SERVICE
  Unknown Characteristic
    UUID: 0x0AF6
    Properties: READ, WRITE
  Unknown Characteristic
    UUID: 0x0AF7
    Properties: NOTIFY, READ
    Descriptors:
      Client Characteristic Configuration
        UUID: 0x2902
  Unknown Characteristic
    UUID: 0x0AF2
    Properties: NOTIFY, READ
    Descriptors:
      Client Characteristic Configuration
        UUID: 0x2902
  Unknown Characteristic
    UUID: 0x0AF1
    Properties: READ, WRITE
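To replicate the sniffer's view from the console with python-bleak, here is an added example (not the blog's code): it prints the same service/characteristic tree, then subscribes to whatever notifies and shows what the watch pushes, without writing anything to it. It assumes bleak is installed, uses the tracker address from the bluetoothctl scan above, and expands the sniffer's 16-bit UUIDs to the 128-bit form bleak reports.

```python
import asyncio

BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"
WATCH_ADDR = "E9:1C:7D:82:E5:6B"  # the ID131Color HR from the bluetoothctl scan


def short_uuid(value):
    """Expand a 16-bit UUID as the sniffer prints it (e.g. 0x0AF0) to the
    128-bit Bluetooth base UUID string that bleak reports."""
    return f"{value:08x}{BT_BASE_SUFFIX}"


def classify(chars):
    """chars: (uuid, properties) pairs as bleak exposes them. Returns the
    writable and the notifying uuids, i.e. the app->watch and watch->app
    directions of a vendor protocol such as the 0x0AF0 service here."""
    writable = [u for u, p in chars if {"write", "write-without-response"} & set(p)]
    notifying = [u for u, p in chars if {"notify", "indicate"} & set(p)]
    return writable, notifying


async def dump_gatt(address=WATCH_ADDR, listen_seconds=10):
    """Print the service tree the way the sniffer does, then subscribe to every
    notifying characteristic and show what the watch pushes (hex)."""
    from bleak import BleakClient  # imported here so the helpers above work without bleak

    def on_notify(sender, data):
        print(f"  <- {getattr(sender, 'uuid', sender)}: {data.hex()}")

    async with BleakClient(address) as client:
        chars = []
        for service in client.services:
            print(f"{service.uuid}  {service.description}")
            for ch in service.characteristics:
                print(f"  {ch.uuid}  handle={ch.handle:#06x}  {', '.join(ch.properties)}")
                for desc in ch.descriptors:
                    print(f"      descriptor {desc.uuid}")
                chars.append((ch.uuid, ch.properties))
        writable, notifying = classify(chars)
        print("writable:", writable, "\nnotifying:", notifying)
        for uuid in notifying:
            await client.start_notify(uuid, on_notify)
        await asyncio.sleep(listen_seconds)  # press a button on the watch meanwhile
        for uuid in notifying:
            await client.stop_notify(uuid)


if __name__ == "__main__":
    asyncio.run(dump_gatt())
```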
Further Steps
I've downloaded VeryFitPro and Letsfit App from apkcombo.com which is shady, but I didn't want to install them from the google store and then adb pull the apks. evilsocket.net
> adb shell pm list packages
> adb shell pm path com.android.systemui
> adb pull /system/priv-app/SystemUIGoogle/SystemUIGoogle.apk
Tentative Steps
I haven't dabbled with the Android NDK yet and it's time I did. developer.android.com It might be the proper way in for me because both the (slow, slooooow) Android Studio and the books I have take too high a vantage point with lots of hand-holding and dubious didactic scaffolding. A really good book on anything would start with the absolute minimum app gh. A proper Hello World. But to do this people actually need to know what they are doing; instead these books are written quickly, strictly for the money, and by high-functioning imbeciles. Which reminds me:
Alienists have frequently come to ... accept idiot as applied to the lowest state, imbecile to the intermediate, and moron (debile) to the state nearest normality. — ia
Sorry, this was my frustration talking. Aspire to be a moron among imbeciles. Anyway, to get things going, first I want to write a little command line app to call into from the adb shell. Which means cross-compiling to aarch64. Which means downloading more stuff.
Layers
There are lib/ folders in both those apks. There are shared native libraries inside which look like they might contain the real logic of key functionality. This would be great because I could completely ignore anything to do with Android.
As an #aside, I'm worrying about radare2 for static analysis because it has debugging functionality, so it could try to execute the binaries. Here it doesn't matter since it's on the wrong architecture but, in general, I don't see anything that would make it run things in a sandbox book.rada.re. I need a good go-to disassembler (though objdump with coloring will do). Sure, radare looks great and could be immensely useful but I really need to be reassured here. If only there were an obvious option. Instead, it seems, you need to take constant care to not type the wrong letter. Worst case I'll have to spin up a VM or run it in a codespace. Just to calm the nerves.
$ r2 /bin/ls   # open file in read-only
> aaa          # analyse the program (r2 -A)
> afl          # list all functions (try aflt, aflm)
> px 32        # print 32 byte hexdump current block
> s sym.main   # seek to main (using flag name)
> f~foo        # filter flags matching 'foo' (internal |grep)
> iS;is        # list sections and symbols (rabin2 -Ss)
> pdf; agf     # disassembly and ascii-art function graph
> oo+;w hello  # reopen in read-write and write a string
> ?*~...       # interactive filter in all command help
> q            # quit
Strings
I'm looking through strings lib/arm64-v8a/libVeryFitMulti.so. Yes, they didn't care to strip their binaries. Already the first few lines seem to be function names related to bluetooth (audio) transfer (the Subband Codec Library) wiki; see them used here gh, and download old sources here bluez.org. There follows a (C++ mangled) JSON library, an AES crypto library, etc. Then there is a funny typo, jni_attack_thread (as complement to jni_detach_thread), and then we find such strings as Java_com_veryfit_multi_nativeprotocol_Protocol_ReceiveDatafromBle and protocol_set_alarm_start_sync which seem promising. By the looks of all the boilerplate they really haven't gone for minimalism here.
The Evolution of the Arm
I'll have to refresh my RISC reading and comprehension. developer.arm.com At uni they wanted us to buy Nintendos so we could have a nice ARM platform to do our homework on. Instead I began writing an ARM emulator so I didn't have to spend the bucks. Also because I had to learn Java and that was a nice project to learn it for. It worked. Got the highest grade on my MCU exam. Loved the architecture. Barrel shifter and all. And now? Forgot everything. Well almost all, for how could I ever forget the lovely Sophie Wilson? wiki.
Strike #3
The problem here is threefold.
1. I have never programmed for Android, so I don't have any pattern recognition there.
2. My ARM days were few and are long past, so I retain no real understanding here. I struggle to remember which is the source and which the target register for many of the operations. I don't know any of the patterns here either.
3. I am just beginning to get interested in Bluetooth.
So what follows is conjecture.
Thoughts
In the Letsfit App at 0x002a0e03 there's a string table. Could be that these strings are sent over BT. That is, maybe the BT functions like a wireless serial interface or something (UART wiki). Could be they are just used as the keys in the creation of a JSON string with jni_json_get_init.
There's an interesting string being used at 0x0016fdb0: clean cur sync data,status which certainly looks like a command you'd send over a serial interface. This is what I'm hoping, really: that there's a very simple protocol and then a bunch of command strings on top of that. It's part of the str._PROTOCOL_HEALTH_ string table which begins at 0x002a7afc. Could be this is just for internal debug output. Even so, this is a good starting point to try and trace back where the data's coming from.
I've seen what appears to be a JSON parser, using C++'s regex library. en.cppreference.com Seems they're also using a logging library gh.
Merits further study
protocol_health_exec
send_ble_data_resend
protocol_write_init
protocol_write_set_head
protocol_write_set_cmd_key
protocol_write_data
Java_com_veryfit_multi_nativeprotocol_Protocol_StartSyncConfigInfo
jni_notice_app_tx_data
sbc_decode
vbus_tx_data
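An added example (not the blog's code) for the Java_ names that strings surfaced in libVeryFitMulti.so and in the list above: a small JNI demangler, following the JNI specification's mangling rules, that turns each export back into the Java class and method it binds to, so the Java-side caller can be located in the decompiled apk. The sample input is constructed from the strings named on this page; nm -D output works as well.

```python
_ESC = {"1": "_", "2": ";", "3": "["}  # JNI escapes for "_", ";", "["


def demangle_jni(symbol):
    """Return (class_name, method_name, overload_signature_or_None) for a JNI
    export, per the JNI spec: "_" -> "/", "_1" "_2" "_3" -> "_" ";" "[",
    "_0xxxx" -> Unicode char, "__" -> start of the overload arg signature."""
    if not symbol.startswith("Java_"):
        raise ValueError(f"not a JNI export: {symbol}")
    s, i, parts = symbol[len("Java_"):], 0, [[]]
    while i < len(s):
        nxt = s[i + 1:i + 2]
        if s[i] != "_":
            parts[-1].append(s[i]); i += 1
        elif nxt == "_" and len(parts) == 1:   # overloaded: signature follows
            parts.append([]); i += 2
        elif nxt in _ESC:
            parts[-1].append(_ESC[nxt]); i += 2
        elif nxt == "0":
            parts[-1].append(chr(int(s[i + 2:i + 6], 16))); i += 6
        else:                                   # plain "_" is the "/" separator
            parts[-1].append("/"); i += 1
    cls, _, method = "".join(parts[0]).rpartition("/")
    sig = "".join(parts[1]) if len(parts) > 1 else None
    return cls.replace("/", "."), method, sig


def jni_exports(lines):
    """Pick the Java_ exports out of `strings` or `nm -D` output (last token
    of each line) and group the demangled natives by their Java class."""
    by_class = {}
    for line in lines:
        tokens = line.split()
        if tokens and tokens[-1].startswith("Java_"):
            cls, method, sig = demangle_jni(tokens[-1])
            by_class.setdefault(cls, []).append((method, sig))
    return by_class


SAMPLE_STRINGS = [  # constructed `strings` output: the two exports quoted above plus noise
    "jni_attack_thread",
    "jni_detach_thread",
    "Java_com_veryfit_multi_nativeprotocol_Protocol_ReceiveDatafromBle",
    "protocol_set_alarm_start_sync",
    "Java_com_veryfit_multi_nativeprotocol_Protocol_StartSyncConfigInfo",
]

if __name__ == "__main__":
    print(jni_exports(SAMPLE_STRINGS))
```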
Sidenotes
In VeryFitPro they included a zip library winimage.com. And a jpeg-turbo port gh. Also this selection of external services is vaguely interesting, probably because I've never heard of most of those providers before.
notice_TikTok notice_Redbus notice_Dailyhunt notice_Hotstar notice_Inshorts notice_Paytm notice_Amazon notice_Flipkart notice_Prime notice_Netflix notice_Gpay notice_Phonpe notice_Swiggy notice_Zomato notice_Make_My_Trip notice_Jio_Tv
Dailyhunt is an Indian content and news aggregator...
Hotstar is an Indian brand of subscription video on-demand...
Inshorts ... we cut the clutter and deliver [news] in 60-word shorts.
Paytm is an Indian ... company that specializes in digital payments...
PhonePe is an Indian digital payments and financial services company...
Swiggy is an Indian online food ordering and delivery platform.
Zomato is an Indian multinational restaurant aggregator and food delivery company.
MakeMyTrip is an Indian online travel company...
Jio TV is an Indian streaming television service...