Hacking might be a strong word, but I have your attention now!
It seems like it’s becoming a tradition, but I worked on this tiny project more than a year ago. I ended up buying two Casio G-Shock watches with Bluetooth and a step tracker. At that time, I planned to switch between those two watches, the Casio GBA-900 and the GG-B100 Mudmaster, and wanted to have a continuous log of my daily steps. To my surprise, each watch used a different iOS app, and only one of those was able to share data to Apple Health. So no continuous log for me, just two separate logs, one in each app. On top of that, you have to register a Casio account to be able to use the BLE functions of said watches, which to me is completely nuts. And both apps are shi… not a nice experience.
So here comes my idea. If the Casio-made iOS app can connect to the watch, control it, change settings and fetch data from it, why wouldn’t I be able to do the same? I had literally no idea how BLE works, but I like a little challenge. I felt like it shouldn’t be too hard to fetch steps from each watch and create this desired continuous steps log myself. Oh how wrong I was! :)
I no longer wear these watches regularly. Not long after I purchased the Mudmaster, I bought my first Swiss made mechanical watch and quickly fell down the rabbit hole called watch collecting. But that’s a scary late night bonfire story that I might tell sometime in the future :) But maybe sharing my findings and prototypes could be of some use for a fellow enthusiast wanting to control their Casio BLE watches without having to share personal information with Casio.
Where do I even start?
I started by researching where to even start. Heck, I started by looking up what BLE even is and how it works. Don’t ask me to go into details here. First, I can’t remember, it was a long time ago. Second, I never really understood it in such detail that I’d be comfortable sharing my knowledge. There’s a lot of information one search away though!
A great article I took a lot of information and inspiration from is on Matt Mastracci’s blog Grack: he wanted to control his BLE coffee machine. He describes in depth how he reverse engineered the protocol of his coffee machine. Luckily enough, he used Rust, which was something I wanted to use too. I had recently finished a small game written in Rust and wanted to continue exploring the language.
He chose the approach of traffic sniffing in combination with disassembling the Android app of his coffee machine. You can record BLE communication and look through the raw packets to see what’s going on. Or more precisely, guess what’s going on and slowly reverse engineer the protocol your device uses. Having the disassembled code of the original app might also help, but not so much in my case. That being said, reverse engineering a protocol is easier said than done.
I also found the JavaScript library RCVD, claiming it allows you to interact with a set of the most recent Casio watches via the Bluetooth 4.0 LE communication protocol. Which is intriguing, however not entirely true. It was a BIG help in my endeavour, but it can only sync time.
So I got myself a packet sniffer. Luckily enough, Apple provides some useful and free developer tools. Especially useful for my purpose was Packet Logger. You see, the problem is you not only have to sniff the complete Bluetooth communication, but that communication happens between your phone (an iPhone in my case) and the watch. And Packet Logger can also sniff Bluetooth communication happening on your phone when it is connected to your Mac. And there’s another brilliant article thoroughly describing how to use it. I sniffed a lot of information from that one. So bingo, one step closer?!
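As an added example, not code from this post, from RCVD or from Matt’s blog, here is a small Rust program showing the “look through raw packets and guess” step in practice: it decodes the ATT layer of each captured PDU (the opcodes and layouts are the public ones from the Bluetooth Core Specification, nothing Casio-specific) and groups writes and notifications by characteristic handle, which is usually the first thing you want to see when figuring out which characteristic the app talks to. The frames fed in are constructed for the example; the handles and values are made up and are not what the watch actually sends. It also refuses to panic on a truncated PDU, which real captures do contain.

```rust
use std::collections::BTreeMap;

/// One decoded ATT PDU. Opcodes and field layouts follow the public Bluetooth
/// Core Specification (Attribute Protocol); nothing here is Casio-specific.
#[derive(Debug, Clone, PartialEq)]
pub enum AttPdu {
    WriteRequest { handle: u16, value: Vec<u8> }, // 0x12
    WriteCommand { handle: u16, value: Vec<u8> }, // 0x52 (no response expected)
    WriteResponse,                                // 0x13
    Notification { handle: u16, value: Vec<u8> }, // 0x1b
    Indication { handle: u16, value: Vec<u8> },   // 0x1d
    ReadRequest { handle: u16 },                  // 0x0a
    ReadResponse { value: Vec<u8> },              // 0x0b
    Error { request_opcode: u8, handle: u16, code: u8 }, // 0x01
    Unknown { opcode: u8, payload: Vec<u8> },
}

/// Little-endian 16-bit attribute handle at offset `i`, or None if truncated.
fn handle_at(b: &[u8], i: usize) -> Option<u16> {
    Some(u16::from_le_bytes([*b.get(i)?, *b.get(i + 1)?]))
}

/// Parse one ATT PDU (opcode byte followed by its parameters).
/// Returns None for an empty or truncated PDU instead of panicking.
pub fn parse_att(pdu: &[u8]) -> Option<AttPdu> {
    let (&opcode, rest) = pdu.split_first()?;
    let decoded = match opcode {
        0x12 | 0x52 | 0x1b | 0x1d => {
            let handle = handle_at(rest, 0)?; // guarantees rest.len() >= 2
            let value = rest[2..].to_vec();
            match opcode {
                0x12 => AttPdu::WriteRequest { handle, value },
                0x52 => AttPdu::WriteCommand { handle, value },
                0x1b => AttPdu::Notification { handle, value },
                _ => AttPdu::Indication { handle, value },
            }
        }
        0x13 => AttPdu::WriteResponse,
        0x0a => AttPdu::ReadRequest { handle: handle_at(rest, 0)? },
        0x0b => AttPdu::ReadResponse { value: rest.to_vec() },
        0x01 => AttPdu::Error {
            request_opcode: *rest.first()?,
            handle: handle_at(rest, 1)?,
            code: *rest.get(3)?,
        },
        other => AttPdu::Unknown { opcode: other, payload: rest.to_vec() },
    };
    Some(decoded)
}

/// Space-separated lowercase hex, the way you would eyeball it in a capture.
pub fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{b:02x}")).collect::<Vec<_>>().join(" ")
}

/// Group every write and notification by handle so the characteristic the app
/// actually drives stands out. Responses, reads and undecodable PDUs are skipped.
pub fn traffic_by_handle(frames: &[Vec<u8>]) -> BTreeMap<u16, Vec<String>> {
    let mut by_handle: BTreeMap<u16, Vec<String>> = BTreeMap::new();
    for frame in frames {
        let (handle, label, value) = match parse_att(frame) {
            Some(AttPdu::WriteRequest { handle, value }) => (handle, "write-req", value),
            Some(AttPdu::WriteCommand { handle, value }) => (handle, "write-cmd", value),
            Some(AttPdu::Notification { handle, value }) => (handle, "notify", value),
            Some(AttPdu::Indication { handle, value }) => (handle, "indicate", value),
            _ => continue,
        };
        by_handle
            .entry(handle)
            .or_default()
            .push(format!("{label}: {}", hex(&value)));
    }
    by_handle
}

/// Constructed sample capture (NOT real watch traffic): a write-request/response
/// pair, a notification, a write-command, an error, and one truncated PDU.
pub fn sample_frames() -> Vec<Vec<u8>> {
    vec![
        vec![0x12, 0x21, 0x00, 0x01, 0x00],             // Write Request, handle 0x0021
        vec![0x13],                                     // Write Response
        vec![0x1b, 0x24, 0x00, 0x06, 0x1a, 0x00],       // Notification, handle 0x0024
        vec![0x52, 0x21, 0x00, 0x10, 0x20, 0x30, 0x40], // Write Command, handle 0x0021
        vec![0x01, 0x12, 0x21, 0x00, 0x03],             // Error: write not permitted
        vec![0x12, 0x21],                               // truncated: handle incomplete
    ]
}

fn main() {
    for (handle, entries) in traffic_by_handle(&sample_frames()) {
        println!("handle 0x{handle:04x}:");
        for entry in entries {
            println!("  {entry}");
        }
    }
}
```

Run it and you get two buckets: handle 0x0021 with the two writes the “app” sent and handle 0x0024 with the one notification the “watch” answered with. On a real capture you would replace `sample_frames()` with the ATT payloads exported from Packet Logger and then start comparing the bytes of a quick sync against a full sync.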
First recorded packets
How does the watch even work? I will mostly focus on the Mudmaster model as it was the one I fell in love with at that time. First of all, it connects to the phone 4 times a day to sync time and step count automatically. There’s also a Connect button with multiple functions. A simple press syncs time right away, let’s call it quick sync. A long press fully syncs the watch and switches it into configuration mode. In that mode, you can change various settings using the Casio app. Finally, a very long press rings your phone, so you can find it in your other pocket after 5 minutes of vigorous searching.
I can probably leverage both quick sync and full sync. Let’s sniff some packets!
First packets from both modes
What’s in them
Setting the time using RCVD
Reverse engineering the Android app
Setting alarms
Finally, steps