How to set up?

[idealist1508]

Hi,

How to install and setup sniffer, phone and watch to sniff a communication?

[nemanjan00]

I never went further than what is noted in README.md

If you want to sniff traffic in format like in README.md, you need rooted phone

• Install frida on computer
• Download complementary version of frida-server
• Move frida-server to /data/local/tmp
• Run chmod +x /data/local/tmp/frida-server
• Run frida-server on phone
• On computer, install node.js and yarn
• Run yarn and yarn watch inside of project
• Run frida -U -l dist/bluetooth-sniffer.js -f com.garmin.android.apps.connectmobile --no-paus

[idealist1508]

Thanks! It helped me a lot.

But i am stuck now on a next problem.

I replaced h.a.j.a.a in line https://github.com/OpenFenix/bluetooth-sniffer/blob/2c132e92b7c584b3298ade06c87729e1dee4b5d3/src/bluetooth/BluetoothGattCallback/index.js#L3 with a class name that overrides the onCharacteristicChanged function.

After that if i run frida I get an error

Waiting for USB device to appear...
Spawned `com.garmin.android.apps.connectmobile`. Resuming main thread!
[BV4900::com.garmin.android.apps.connectmobile]-> Process terminated
[BV4900::com.garmin.android.apps.connectmobile]->

Do you have some tips on how to find out what's going wrong?

[idealist1508]

I got this running. I had to comment out the following lines https://github.com/OpenFenix/bluetooth-sniffer/blob/2c132e92b7c584b3298ade06c87729e1dee4b5d3/src/bluetooth/BluetoothDevice/index.js#L21-L35

[nref]

@idealist1508 thanks for the post. How did you find the class that overrides onCharacteristicChanged ?

Using apktool, I decompiled the Garmin Connect APK and using ripgrep found smali_classes3\com\garmin\devices\ble\a.smali

PS C:\temp\com.garmin.android.apps.connectmobile_4.52-6611> rg onCharacteristicChanged
...
smali_classes3\com\garmin\device\ble\a.smali
1198:.method public onCharacteristicChanged(Landroid/bluetooth/BluetoothGatt;Landroid/bluetooth/BluetoothGattCharacteristic;)V

which contains

.class public final Lcom/garmin/device/ble/a;
.super Landroid/bluetooth/BluetoothGattCallback;

but var BluetoothGattCallback = Java.use("com.device.garmin.ble.a"); does not work:

     ____
    / _  |   Frida 16.0.19 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Pixel 7 Pro (id=<redacted>)
Spawned `com.garmin.android.apps.connectmobile`. Resuming main thread!
[Pixel 7 Pro::com.garmin.android.apps.connectmobile ]-> Error: java.lang.ClassNotFoundException: Didn't find class "com.device.garmin.ble.a" ...

[nemanjan00]

Did you do it inside Java.perform(callback), to let Java load classes?

On November 27, 2023 10:51:42 PM GMT+01:00, Doug Slater @.***> wrote:

@idealist1508 thanks for the post. How did you find the class that overrides onCharacteristicChanged ?

I decompiled the Garmin Connect APK and found smali_classes3\com\garmin\devices\ble\a.smali which contains

.class public final Lcom/garmin/device/ble/a;
.super Landroid/bluetooth/BluetoothGattCallback;

but var BluetoothGattCallback = Java.use("com.device.garmin.ble.a"); does not work:

    ____
   / _  |   Frida 16.0.19 - A world-class dynamic instrumentation toolkit
  | (_| |
   > _  |   Commands:
  /_/ |_|       help      -> Displays the help system
  . . . .       object?   -> Display information about 'object'
  . . . .       exit/quit -> Exit
  . . . .
  . . . .   More info at https://frida.re/docs/home/
  . . . .
  . . . .   Connected to Pixel 7 Pro (id=<redacted>)
Spawned `com.garmin.android.apps.connectmobile`. Resuming main thread!
[Pixel 7 Pro::com.garmin.android.apps.connectmobile ]-> Error: java.lang.ClassNotFoundException: Didn't find class "com.device.garmin.ble.a" ...

-- Reply to this email directly or view it on GitHub: https://github.com/OpenFenix/bluetooth-sniffer/issues/2#issuecomment-1828677754 You are receiving this because you commented.

Message ID: @.***> -- Sent from my Android device with K-9 Mail. Please excuse my brevity.

[nref]

Thanks for the reply. I merely changed this line:

const BluetoothGattCallback = Java.use("h.a.j.a.a");

to

const BluetoothGattCallback = Java.use("com.device.garmin.ble.a");

in src/bluetooth/BluetoothGattCallback/index.js.

Do I have the right idea - to look for the class in the smali code? Or should I be writing my own extension class?

[idealist1508]

@slater1 I have used jadx (gui). I searched for 'extends BluetoothGattCallback'. For example, in Garmin Connect 4.22.1-5044, I found the following class:

The name 'd.j.e.a.h' is the value You are looking for.

[nref]

Thanks @idealist1508 (just changed my username, I am @slater1). I tried jadx and see now what you are referring to.

I noticed that you have better naming than I do, for example instead of ICommunicator I have InterfaceC19505k and instead of logger I have f45292a. To be sure I tried it on the same version (4.22.1 from apkmirror). Did you rename those yourself, or is there a another deobfuscation step?

[nref]

For those who come along after: Make sure the apk you decompile with jadx or apktool/smali is the exact same version as what is running on the phone. This tripped me up. The name of obfuscated classes changes with each version. For example, while the class name is d.j.e.a.h above for version 4.22.1, on version 4.73 it is o31.c.

[idealist1508]

@nref Yes, this is because after automatic deobfuscation, I manually renamed many things.

I just checked in my 'Playground with Garmin Swim 2 Watch.' Maybe it interests you. It's C# under Linux. The program can connect to the watch, fake OAuth tokens, update AGPS data, and download tracks from the watch.

[nref]

@idealist1508 I cloned your repo. This is amazing work, thank you for sharing it. I easily made it work with my Forerunner 945 LTE, just modified the in/out GATT UUIDs and the mac address.

From a couple of days before you told me about jadx (thank you), I had already begun work to make a C# library to get FIT files from my watch via BLE. I had got as far as recovering the .proto files and COBs algorithm. You've saved me the trouble of doing the rest.

I would be curious what your ambitions are with this project, and if you have a license in mind? I would be interested in contributing. I came very close today to finishing a port of the BLE layer to Windows. I'm also intending to do the same for Android and iOS. I'd like to support more Garmin devices too.

[idealist1508]

@nref  Sorry that I didn't respond right away. Running short on time :( .  I was analyzing tracks locally on my computer using https://github.com/alex-hhh/ActivityLog2. Initially, I was copying files via USB. Unfortunately, the USB quickly broke, and after the warranty replacement of the watch, I came up with the idea to synchronize tracks via BLE. That's how this code was born. After the code achieved its purpose, I didn't find time to tidy it up for a worthy publication. Regarding the license, it should be open source, but which one... Probably GPL2. My latest idea was to update AGPS with Android. So, I started working on https://github.com/idealist1508/Gadgetbridge/tree/garmin-wip, but got stuck on the Companion App. https://codeberg.org/Freeyourgadget/Gadgetbridge/issues/3167

Am Montag, 4. Dezember 2023 um 04:46:38 MEZ hat Doug Slater ***@***.***> Folgendes geschrieben:  

@idealist1508 I cloned your repo. This is amazing work, thank you for sharing it. I easily made it work with my Forerunner 945 LTE, just modified the in/out GATT UUIDs and the mac address.

From a couple of days before you told me about jadx (thank you), I had already begun work to make a C# library to get FIT files from my watch via BLE. I had got as far as recovering the .proto files and COBs algorithm. You've saved me the trouble of doing the rest.

I would be curious what your ambitions are with this project, and if you have a license in mind? I would be interested in contributing. I came very close today to finishing a port of the BLE layer to Windows. I'm also intending to do the same for Android and iOS. I'd like to support more Garmin devices too.

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: @.***>

[nref]

I am happy to report I got GarminWatchPlayground working in Windows.

If I could at all influence your decision to go with a permissive license like MIT then you would have my full support.