jjdb210 / CheesyNipClicker

GNU General Public License v3.0

about Disney Magicband bluetooth codes #1

Open ilker-aktuna opened 1 month ago

ilker-aktuna commented 1 month ago

Hi,

I'm sorry; I could not find any other way to contact you, so I'm trying my chance to reach you via this channel. I read on the page below about your findings on Magicband+ BLE codes: https://emcot.world/Disney_MagicBand%2B_Bluetooth_Codes#The_cc_Codes

I am trying to make a fun application for my family to make use of the bands at home. I will try your codes, but I'm not sure which service and characteristic I have to send the commands.

I see there are 5 different services and a few characteristics under each service, as below. Could you tell me which one to use? I just want to make the band LEDs do some effects.

service:00001801-0000-1000-8000-00805f9b34fb
    characteristic:00002a05-0000-1000-8000-00805f9b34fb
    characteristic:00002b2a-0000-1000-8000-00805f9b34fb
    characteristic:00002b29-0000-1000-8000-00805f9b34fb
service:00001800-0000-1000-8000-00805f9b34fb
    characteristic:00002a00-0000-1000-8000-00805f9b34fb
    characteristic:00002a01-0000-1000-8000-00805f9b34fb
service:1d14d6ee-fd63-4fa1-bfa4-8f47b42119f0
    characteristic:f7bf3564-fb6d-4e53-88a4-5e37e0326063
    characteristic:984227f3-34fc-4045-a5d0-2c581f81a153
service:0000fe03-0000-1000-8000-00805f9b34fb
    characteristic:f04eb177-3005-43a7-ac61-a390ddf83076
    characteristic:2beea05b-1879-4bb4-8a2f-72641f82420b
    characteristic:74f996c9-7d6c-4d58-9232-0427ab61c53c
    characteristic:b32e83c0-fece-47c1-9015-53b7e7f0d2fe
service:0000fd98-0000-1000-8000-00805f9b34fb
    characteristic:bd75b722-3dda-bef1-454d-7119c8ff26a2
    characteristic:0b4d1c14-b070-8938-9a0b-d5f8188488cd

If you don't want to have this conversation under Github issues, you can contact me directly. Thanks

jjdb210 commented 1 month ago

Greetings! Glad you found me!

So I can partially help you out here.. I haven't yet gotten around to man-in-the-middling the BLE for the services, but I hope to get around to it soon. I was really hoping the Alexa integration would have come out by now, because the limited stuff the phone does with the bands doesn't have a lot of information.

That said, the codes you were looking at are broadcast codes used by Disney for the night shows. They behave like a normal bluetooth beacon, except they are somewhat malformed (longer than they should be by most bluetooth specs). So the upside is, you can control the bands as a group, but the downside is, you can't control the bands individually or access any of the sensors.

An example of a broadcast message using the codes you were looking at would be as follows (in this case, the command line):

hcitool -i hci0 cmd 0x08 0x0008 1E 02 01 1A 1A ff 83 01 e9 0c 00 0f 0f 5d 46 5b f0 05 32 37 48 95 cf 8a ad

8301 is the marker for Disney, and needs to be there. Everything after the 8301 is the codes you are seeing on the wiki.

I have most of the codes I've deciphered up there, but not all of them. I'll see if I can get some time to update them with the rest of the ones I know from my last round of experiments... My next trip to Disney is a few months away which is typically when I jump back into this, but if I can deep dive the handshake/services in the band, I'll let you know what I find. If you learn anything along the way as well, I'd love to hear it!

Justin Gehring @.***


ilker-aktuna commented 1 month ago

Hi,

Thanks for your quick response. How can we contact directly? (Using this issue thread under an unrelated github repository is not the best method I believe)

I have a bluetooth sniffer, so I am now trying to sniff between my phone (Disney app) and the magicband. Unfortunately I could not decrypt the packets. If you have experience on this, maybe you can help me with that. Please see here, my question: https://devzone.nordicsemi.com/f/nordic-q-a/113465/encrypted-packet-decrypted-incorrectly-bad-mic---how-to-get-ltk

About broadcast messages; I don't have any experience. And I really don't know the usage of hcitool. So if you can describe to me what these parameters are (which one is the address, service, characteristic etc.), maybe I can try to replicate them on Arduino or Java.

hcitool -i hci0 cmd 0x08 0x0008 1E 02 01 1A 1A ff 83 01 e9 0c 00 0f 0f 5d 46 5b f0 05 32 37 48 95 cf 8a ad

If Arduino is able to do this, at least I can use broadcast until I discover the codes for unicast (direct) commands.

And lastly, what do you mean by "I was really hoping the Alexa integration would have come out by now"? Is there an expected Alexa integration for Magicband+?

ilker-aktuna commented 1 month ago

I've found the method for BLE advertising on esp32

But I need a device name. What should it be? Also, do you mean advertising by "broadcast" message or something else?


  NimBLEDevice::init("Disney");

  NimBLEAdvertising *pAdvertising = NimBLEDevice::getAdvertising(); // create advertising instance
  NimBLEAdvertisementData advertisementData;   
  advertisementData.setManufacturerData(advDataString);         // Set the advertisement data
  pAdvertising->setAdvertisementData(advertisementData);
  pAdvertising->start(); // start advertising

jjdb210 commented 1 month ago

Better way to communicate would be to directly email @.***

As far as decrypting/figuring out what is going on - You might want to take a look at: https://github.com/DigitalSecurity/btlejuice

As far as Alexa - There was supposed to be a trivia game that integrated with the bands that was going to be integrated with Alexa's "Hey Disney" feature. They released Hey Disney a little over a year ago now, and it still has no magicband+ support as far as I'm aware. It's funny, because the MagicBand+ boxes still contain the Amazon Alexa logo on the side of them, despite this feature still not being released. The only thing that I have at home to Mitm with is my phone, and I'm not 100% certain that's using the BLE features at this point... I haven't jumped down that road, but hope to do that soon.

I have code for both a transmitter and a receiver. I just uploaded the transmitter code to Github: https://github.com/jjdb210/Disney_BLE_Dress_Transmitter/blob/main/wand/wand.ino

The code has a bunch of stuff involving buttons for a wand I built, and was originally built for a Xiao ESP32c3. I'm not sure how cross compatible it is, but hopefully it works for you. That said, there is a debug tool I put into it that allows you to send codes directly over serial... So once, it's loaded into the chip, open the console and paste one of the codes into the serial prompt with your magic band on... For example, if you put in:

8301e100e905006f0ef5b0

it should cause all magicband+ in the area to glow red. A breakdown of the code can be found here: https://emcot.world/Disney_MagicBand%2B_Bluetooth_Codes - If you happen to figure out any additional details while you're playing around.. For example, how the timing bits work (I know they exist, I just haven't had time to iterate through and see how they behave), I'd love to get that added to the documentation/wiki.

To your last question: I don't believe that there is any way to use broadcast messages to hit a single magicband. I have not seen any signs of this either in implementation in the parks, or in any of the data that I've sniffed.. with maybe 1 small exception... There is what I believe to be a tracking ping Disney sends out that the magic bands respond to... but this doesn't contain any light up functionality.

Justin Gehring @.***
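The byte layout of the hcitool line and of the serial code quoted in this thread, as an added example (not code from either poster or from the linked repositories): it splits the parameters of HCI LE Set Advertising Data (OGF 0x08, OCF 0x0008) into AD structures and checks every length byte against the bytes actually supplied. The function names are made up for this example; only the `83 01` marker and the two hex strings come from the thread.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// One AD structure: [length][type][length-1 data bytes].
struct AdStructure {
    uint8_t declaredLen = 0;    // length byte as sent (counts type + data)
    uint8_t type = 0;           // 0x01 = Flags, 0xFF = Manufacturer Specific Data
    std::vector<uint8_t> data;  // bytes actually present after the type byte
    bool truncated = false;     // declaredLen promised more than was supplied
};

struct ParsedAdv {
    uint8_t declaredTotal = 0;  // Advertising_Data_Length, the first parameter
    size_t supplied = 0;        // data bytes that really follow it
    bool overrun = false;       // declaredTotal > supplied, or > 31 (legacy limit)
    std::vector<AdStructure> ads;
};

// Decode "83 01 e1" or "8301e1"; false on a non-hex character or odd digit count.
bool hexToBytes(const std::string& hex, std::vector<uint8_t>& out) {
    out.clear();
    int hi = -1;
    for (char c : hex) {
        int v;
        if (c == ' ') continue;
        else if (c >= '0' && c <= '9') v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else return false;
        if (hi < 0) { hi = v; }
        else { out.push_back(static_cast<uint8_t>((hi << 4) | v)); hi = -1; }
    }
    return hi < 0;
}

// Walk the AD structures, never reading past the bytes that were supplied.
ParsedAdv parseHciAdvData(const std::vector<uint8_t>& params) {
    ParsedAdv r;
    if (params.empty()) return r;
    r.declaredTotal = params[0];
    r.supplied = params.size() - 1;
    r.overrun = r.declaredTotal > r.supplied || r.declaredTotal > 31;
    const size_t end = 1 + (r.declaredTotal < r.supplied ? r.declaredTotal : r.supplied);
    size_t pos = 1;
    while (pos < end) {
        AdStructure ad;
        ad.declaredLen = params[pos++];
        if (ad.declaredLen == 0) break;               // zero length ends the list
        if (pos >= end) { ad.truncated = true; r.ads.push_back(ad); break; }
        ad.type = params[pos++];
        const size_t want = ad.declaredLen - 1u;      // data bytes the length byte promises
        const size_t have = end - pos;                // data bytes really left
        ad.truncated = want > have;
        const size_t take = ad.truncated ? have : want;
        ad.data.assign(params.begin() + pos, params.begin() + pos + take);
        pos += take;
        r.ads.push_back(ad);
    }
    return r;
}

// Manufacturer data whose first two bytes are the 83 01 marker named in the thread
// (read as a little-endian company identifier, that is 0x0183).
bool hasDisneyMarker(const AdStructure& ad) {
    return ad.type == 0xFF && ad.data.size() >= 2 && ad.data[0] == 0x83 && ad.data[1] == 0x01;
}

// Frame a code that already starts with 83 01 so every length byte matches its contents.
// flags defaults to 0x1A, the value in the thread's hcitool line (an assumption here).
std::vector<uint8_t> wellFormedParams(const std::vector<uint8_t>& code, uint8_t flags = 0x1A) {
    if (code.size() > 26) return {};                  // 31 - 3 (Flags AD) - 2 (length + type)
    const uint8_t n = static_cast<uint8_t>(code.size());
    std::vector<uint8_t> p = {static_cast<uint8_t>(5 + n), 0x02, 0x01, flags,
                              static_cast<uint8_t>(1 + n), 0xFF};
    p.insert(p.end(), code.begin(), code.end());
    return p;
}

// Number of length fields that disagree with the bytes present.
int lengthProblems(const ParsedAdv& r) {
    int n = r.overrun ? 1 : 0;
    for (const AdStructure& ad : r.ads) n += ad.truncated ? 1 : 0;
    return n;
}

int main() {
    std::vector<uint8_t> cmd, code;
    // Parameters of the hcitool line and the serial code, both copied from the thread.
    hexToBytes("1E 02 01 1A 1A ff 83 01 e9 0c 00 0f 0f 5d 46 5b f0 05 32 37 48 95 cf 8a ad", cmd);
    hexToBytes("8301e100e905006f0ef5b0", code);
    const ParsedAdv a = parseHciAdvData(cmd);
    const ParsedAdv b = parseHciAdvData(wellFormedParams(code));
    std::printf("hcitool line:   declared %u, supplied %zu, length problems %d\n",
                (unsigned)a.declaredTotal, a.supplied, lengthProblems(a));
    std::printf("re-framed code: declared %u, supplied %zu, length problems %d\n",
                (unsigned)b.declaredTotal, b.supplied, lengthProblems(b));
    return 0;
}
```

On the hcitool line from the thread the parser reports a declared length of 30 with 24 bytes supplied, and a manufacturer structure that declares 25 data bytes with 19 present; the serial code framed by `wellFormedParams` parses with no length problems.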


ilker-aktuna commented 1 month ago

Thanks. I am trying to get parts of your code to use in my sketch. But I am confused. To call your class, I have to use the following code:

SimpleBLE ble;
std::string advertisingdata;
advertisingdata = "8301e100e905006f0ef5b0";
len = advertisingdata.length() / 2;  // two hex characters per byte

//Serial.printf("AD Length IS: %i \n", len);

for(char i = 0; i < len; i++){
  byte extract;
  char a = advertisingdata[2*i];
  char b = advertisingdata[2*i + 1];
  extract = convertCharToHex(a)<<4 | convertCharToHex(b);
  raw[i] = extract;
}

ble.begin("");
ble.advertise(raw,len);

But I have to add the class to my code. So I also have to include:

class SimpleBLE {
public:

    SimpleBLE(void);
    ~SimpleBLE(void);

    /**
     * Start BLE Advertising
     *
     * @param[in] localName  local name to advertise
     *
     * @return true on success
     *
     */
    bool begin(String localName=String());

    /**
     * Advertises data on Manufacturer Data field
     *
     * @param[in] data  String with the message to be transmitted
     *
     * @return true on success
     *
     */
    bool advertise(String data);

    /**
     * Advertises data on Manufacturer Data field
     *
     * @param[in] data  byte array with the message to be transmitted
     *
     * @param[in] size  size of the byte array
     *
     * @return true on success
     *
     */
    bool advertise(byte* data, int size);

    /**
     * Advertises data on Service Data field
     *
     * @param[in] data  String with the message to be transmitted
     *
     * @return true on success
     *
     */
    bool serviceAdvertise(String data);

    /**
     * Advertises data on Service Data field
     *
     * @param[in] data  byte array with the message to be transmitted
     *
     * @param[in] size  size of the byte array
     *
     * @return true on success
     *
     */
    bool serviceAdvertise(byte* data, int size);

    //bool advertise(byte* data_man, int size_man, byte* data_ser, int size_ser);

    //bool advertise(String data_man, String data_ser); 

    /**
     * Stop BLE Advertising
     *
     * @return none
     */
    void end(void);

    private:
        void clearAdvertiseData();

        void fillManufacturerData(byte* data, int size);

        void fillServiceData(byte* data, int size);

private:
    String local_name;
private:

};

#include "esp32-hal-log.h"

#include "esp_bt.h"
#include "esp_gap_ble_api.h"
#include "esp_gatts_api.h"
#include "esp_bt_defs.h"
#include "esp_bt_main.h"

#define MAX_MANUFACTURER_DATA_SIZE 20
#define MAX_SERVICE_DATA_SIZE 11

esp_ble_adv_data_t adv_data; // data that will be advertised
byte dataBuffer[50];
byte dataBuffer2[50];

// Standard parameters
static esp_ble_adv_data_t _adv_config = {
    .set_scan_rsp = false,
    .include_name = false,
    .include_txpower = false,
    /*.min_interval = 512,
    .max_interval = 1024, */
    .appearance = 0,
    .manufacturer_len = 0,
    .p_manufacturer_data = NULL,
    .service_data_len = 0,
    .p_service_data = NULL,
    .service_uuid_len = 0,
    .p_service_uuid = NULL,
    .flag = (ESP_BLE_ADV_FLAG_NON_LIMIT_DISC|ESP_BLE_ADV_FLAG_BREDR_NOT_SPT)
};

//
static esp_ble_adv_params_t _adv_params = {
    .adv_int_min = 100,
    .adv_int_max = 100,
    .adv_type = ADV_TYPE_NONCONN_IND, // Excellent description of this parameter here: https://www.esp32.com/viewtopic.php?t=2267
    .own_addr_type = BLE_ADDR_TYPE_PUBLIC,
    .peer_addr = {0x00, },
    .peer_addr_type = BLE_ADDR_TYPE_PUBLIC,
    .channel_map = ADV_CHNL_ALL,
    .adv_filter_policy = ADV_FILTER_ALLOW_SCAN_ANY_CON_ANY,
};

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){
    if(event == ESP_GAP_BLE_ADV_DATA_SET_COMPLETE_EVT){
        esp_ble_gap_start_advertising(&_adv_params);
    }
}

static bool _init_gap(const char * name, esp_ble_adv_data_t * adv_data){
    if(!btStarted() && !btStart()){
        log_e("btStart failed");
        return false;
    }
    esp_bluedroid_status_t bt_state = esp_bluedroid_get_status();
    if(bt_state == ESP_BLUEDROID_STATUS_UNINITIALIZED){
        if (esp_bluedroid_init()) {
            log_e("esp_bluedroid_init failed");
            return false;
        }
    }
    if(bt_state != ESP_BLUEDROID_STATUS_ENABLED){
        if (esp_bluedroid_enable()) {
            log_e("esp_bluedroid_enable failed");
            return false;
        }
    }
    if(esp_ble_gap_set_device_name(name)){
        log_e("gap_set_device_name failed");
        return false;
    }
    if(esp_ble_gap_config_adv_data(adv_data)){
        log_e("gap_config_adv_data failed");
        return false;
    }
    if(esp_ble_gap_register_callback(_on_gap)){
        log_e("gap_register_callback failed");
        return false;
    }
    return true;
}

static bool _stop_gap()
{
    if(btStarted()){
        esp_bluedroid_disable();
        esp_bluedroid_deinit();
        btStop();
    }
    return true;
}

/*
 * BLE Arduino
 *
 * */

SimpleBLE::SimpleBLE()
{
    local_name = "esp32";
    adv_data = {
        .set_scan_rsp = false,
        .include_name = false,
        .include_txpower = false,
        .appearance = 0,
        .manufacturer_len = 0,
        .p_manufacturer_data = NULL, //manufacturer data is what we will use to broadcast our info
        .service_data_len = 0,
        .p_service_data = NULL,
        .service_uuid_len = 0,
        .p_service_uuid = NULL,
        .flag = (ESP_BLE_ADV_FLAG_BREDR_NOT_SPT|(0x1 << 1))
    };
}

SimpleBLE::~SimpleBLE(void)
{
    clearAdvertiseData();
    _stop_gap();
}

bool SimpleBLE::begin(String localName)
{
    if(localName.length()){
        local_name = localName;
    }
    return _init_gap(local_name.c_str(), &_adv_config);
}

void SimpleBLE::end()
{
    _stop_gap();
}

bool SimpleBLE::advertise(String data) {
    data.getBytes(dataBuffer, data.length()+1);
    return advertise(dataBuffer, data.length());
}

bool SimpleBLE::advertise(byte* data, int size) {
    clearAdvertiseData();
    fillManufacturerData(data, size);
    return _init_gap(local_name.c_str(), &adv_data);
}

bool SimpleBLE::serviceAdvertise(String data) {
    data.getBytes(dataBuffer, data.length()+1);
    return serviceAdvertise(dataBuffer, data.length());
}

bool SimpleBLE::serviceAdvertise(byte* data, int size) {
    clearAdvertiseData();
    fillServiceData(data, size);
    return _init_gap(local_name.c_str(), &adv_data);
}

void SimpleBLE::clearAdvertiseData() {
    if(adv_data.p_manufacturer_data != NULL) {
        free(adv_data.p_manufacturer_data);
        adv_data.p_manufacturer_data = NULL;
        adv_data.manufacturer_len = 0;
    }
    if(adv_data.p_service_data != NULL) {
        free(adv_data.p_service_data);
        adv_data.p_service_data = NULL;
        adv_data.service_data_len = 0;
    }
}

void SimpleBLE::fillManufacturerData(byte* data, int size) {
    if(size > MAX_MANUFACTURER_DATA_SIZE)
        size = MAX_MANUFACTURER_DATA_SIZE;
    adv_data.p_manufacturer_data = (uint8_t *) malloc(size*sizeof(uint8_t));
    adv_data.manufacturer_len = size;
    memcpy(adv_data.p_manufacturer_data, data, size);
}

void SimpleBLE::fillServiceData(byte* data, int size) {
    if(size > MAX_SERVICE_DATA_SIZE)
        size = MAX_SERVICE_DATA_SIZE;
    adv_data.p_service_data = (uint8_t *) malloc(size*sizeof(uint8_t));
    adv_data.service_data_len = size;
    memcpy(adv_data.p_service_data, data, size);
}

When I add these, I get the following errors during compile:

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: error: variable or field '_on_gap' declared void

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

                 ^~~~~~~~~~~~~~~~~~~~~~

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: error: 'esp_gap_ble_cb_event_t' was not declared in this scope

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: note: suggested alternative: 'wifi_prov_cb_event_t'

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

                 ^~~~~~~~~~~~~~~~~~~~~~

                 wifi_prov_cb_event_t

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51: error: 'esp_ble_gap_cb_param_t' was not declared in this scope

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

                                               ^~~~~~~~~~~~~~~~~~~~~~

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51: note: suggested alternative: 'esp_sleep_source_t'

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

                                               ^~~~~~~~~~~~~~~~~~~~~~

                                               esp_sleep_source_t

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75: error: 'param' was not declared in this scope

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

                                                                       ^~~~~

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75: note: suggested alternative: 'Stream'

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

                                                                       ^~~~~

                                                                       Stream

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:444:42: error: 'esp_ble_adv_data_t' has not been declared

static bool _init_gap(const char name, esp_ble_adv_data_t adv_data){

                                      ^~~~~~~~~~~~~~~~~~

Multiple libraries were found for "WiFi.h"

Used: C:\Users\ilker\AppData\Local\Arduino15\packages\esp32\hardware\esp32\2.0.17\libraries\WiFi

Not used: C:\Users\ilker\Documents\Arduino\libraries\WiFi

exit status 1

Compilation error: variable or field '_on_gap' declared void

jjdb210 commented 1 month ago

I see github stripped my email out... to communicate via email so we don't have to deal with that part of the problem, you can email justin at jrcorps dot com.

That said, 2 questions 1) Did you try running the code I have as-is first? Just to make sure it works with your transmitter setup? IE: could you send signals from the console? 2) What version of the IDE are you using? I believe this was originally written for 2.2.1 which shouldn't matter a ton, but might be part of it. We might also not be using the same bluetooth libraries.... I believe my includes might be coming from NimBLE-Arduino by H2zero (available in the library manager I believe).

Justin Gehring PH: 651-208-8797 FX: 866-572-6777 @.***

On Mon, Jul 29, 2024 at 2:47 PM ilker Aktuna @.***> wrote:

Thanks.

I am trying to get parts of your code to use in my sketch. But I am confused.

To call your class, I have to use the following code:

SimpleBLE ble;

std::string advertisingdata;

advertisingdata = "8301e100e905006f0ef5b0";

advertisingdata = message;

len = advertisingdata.length();

//Serial.printf("AD Length IS: %i \n", len);

for(char i = 0; i < len; i++){

byte extract;

char a = advertisingdata[2*i];

char b = advertisingdata[2*i + 1];

extract = convertCharToHex(a)<<4 | convertCharToHex(b);

raw[i] = extract;

}

ble.begin("");

ble.advertise(raw,len);

But I have to add the class to my code. So I also have to include:

class SimpleBLE {

public:

SimpleBLE(void);

~SimpleBLE(void);

/**

  • Start BLE Advertising

  • @param[in] localName local name to advertise

  • @return true on success

*/

bool begin(String localName=String());

/**

  • Advertises data on Manufacturer Data field

  • @param[in] data String with the message to be transmitted

  • @return true on success

*/

bool advertise(String data);

/**

  • Advertises data on Manufacturer Data field

  • @param[in] data byte array with the message to be transmitted

  • @param[in] size size of the byte array

  • @return true on success

*/

bool advertise(byte* data, int size);

/**

  • Advertises data on Service Data field

  • @param[in] data String with the message to be transmitted

  • @return true on success

*/

bool serviceAdvertise(String data);

/**

  • Advertises data on Service Data field

  • @param[in] data byte array with the message to be transmitted

  • @param[in] size size of the byte array

  • @return true on success

*/

bool serviceAdvertise(byte* data, int size);

//bool advertise(byte data_man, int size_man, byte data_ser, int size_ser);

//bool advertise(String data_man, String data_ser);

/**

  • Stop BLE Advertising

  • @return none

*/

void end(void);

private:

void clearAdvertiseData();

void fillManufacturerData(byte* data, int size);

void fillServiceData(byte* data, int size);

private:

String local_name;

private:

};

include "esp32-hal-log.h"

include "esp_bt.h"

include "esp_gap_ble_api.h"

include "esp_gatts_api.h"

include "esp_bt_defs.h"

include "esp_bt_main.h"

define MAX_MANUFACTURER_DATA_SIZE 20

define MAX_SERVICE_DATA_SIZE 11

esp_ble_adv_data_t adv_data; // data that will be advertised

byte dataBuffer[50];

byte dataBuffer2[50];

// Standard parameters

static esp_ble_adv_data_t _adv_config = {

.set_scan_rsp = false,

.include_name = false,

.include_txpower = false,

/*.min_interval = 512,

.max_interval = 1024, */

.appearance = 0,

.manufacturer_len = 0,

.p_manufacturer_data = NULL,

.service_data_len = 0,

.p_service_data = NULL,

.service_uuid_len = 0,

.p_service_uuid = NULL,

.flag = (ESP_BLE_ADV_FLAG_NON_LIMIT_DISC|ESP_BLE_ADV_FLAG_BREDR_NOT_SPT)

};

//

static esp_ble_adv_params_t _adv_params = {

.adv_int_min = 100,

.adv_int_max = 100,

.adv_type = ADV_TYPE_NONCONN_IND, // Excelent description of this parameter here: https://www.esp32.com/viewtopic.php?t=2267

.own_addr_type = BLE_ADDR_TYPE_PUBLIC,

.peer_addr = {0x00, },

.peer_addr_type = BLE_ADDR_TYPE_PUBLIC,

.channel_map = ADV_CHNL_ALL,

.adv_filter_policy = ADV_FILTER_ALLOW_SCAN_ANY_CON_ANY,

};

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

if(event == ESP_GAP_BLE_ADV_DATA_SET_COMPLETE_EVT){

esp_ble_gap_start_advertising(&_adv_params);

}

}

static bool _init_gap(const char name, esp_ble_adv_data_t adv_data){

if(!btStarted() && !btStart()){

log_e("btStart failed");

return false;

}

esp_bluedroid_status_t bt_state = esp_bluedroid_get_status();

if(bt_state == ESP_BLUEDROID_STATUS_UNINITIALIZED){

if (esp_bluedroid_init()) {

log_e("esp_bluedroid_init failed");

return false;

}

}

if(bt_state != ESP_BLUEDROID_STATUS_ENABLED){

if (esp_bluedroid_enable()) {

log_e("esp_bluedroid_enable failed");

return false;

}

}

if(esp_ble_gap_set_device_name(name)){

log_e("gap_set_device_name failed");

return false;

}

if(esp_ble_gap_config_adv_data(adv_data)){

log_e("gap_config_adv_data failed");

return false;

}

if(esp_ble_gap_register_callback(_on_gap)){

log_e("gap_register_callback failed");

return false;

}

return true;

}

static bool _stop_gap()

{

if(btStarted()){

esp_bluedroid_disable();

esp_bluedroid_deinit();

btStop();

}

return true;

}

/*

  • BLE Arduino

  • */

SimpleBLE::SimpleBLE()

{

local_name = "esp32";

adv_data = {

.set_scan_rsp = false,

.include_name = false,

.include_txpower = false,

.appearance = 0,

.manufacturer_len = 0,

.p_manufacturer_data = NULL, //manufacturer data is what we will use to broadcast our info

.service_data_len = 0,

.p_service_data = NULL,

.service_uuid_len = 0,

.p_service_uuid = NULL,

.flag = (ESP_BLE_ADV_FLAG_BREDR_NOT_SPT|(0x1 << 1))

};

}

SimpleBLE::~SimpleBLE(void)

{

clearAdvertiseData();

_stop_gap();

}

bool SimpleBLE::begin(String localName)

{

if(localName.length()){

local_name = localName;

}

return _init_gap(local_name.c_str(), &_adv_config);

}

void SimpleBLE::end()

{

_stop_gap();

}

bool SimpleBLE::advertise(String data) {

data.getBytes(dataBuffer, data.length()+1);

return advertise(dataBuffer, data.length());

}

bool SimpleBLE::advertise(byte* data, int size) {

clearAdvertiseData();

fillManufacturerData(data, size);

return _init_gap(local_name.c_str(), &adv_data);

}

bool SimpleBLE::serviceAdvertise(String data) {

data.getBytes(dataBuffer, data.length()+1);

return serviceAdvertise(dataBuffer, data.length());

}

bool SimpleBLE::serviceAdvertise(byte* data, int size) {

clearAdvertiseData();

fillServiceData(data, size);

return _init_gap(local_name.c_str(), &adv_data);

}

void SimpleBLE::clearAdvertiseData() {

if(adv_data.p_manufacturer_data != NULL) {

free(adv_data.p_manufacturer_data);

adv_data.p_manufacturer_data = NULL;

adv_data.manufacturer_len = 0;

}

if(adv_data.p_service_data != NULL) {

free(adv_data.p_service_data);

adv_data.p_service_data = NULL;

adv_data.service_data_len = 0;

}

}

void SimpleBLE::fillManufacturerData(byte* data, int size) {

if(size > MAX_MANUFACTURER_DATA_SIZE)

size = MAX_MANUFACTURER_DATA_SIZE;

adv_data.p_manufacturer_data = (uint8_t ) malloc(sizesizeof(uint8_t));

adv_data.manufacturer_len = size;

memcpy(adv_data.p_manufacturer_data, data, size);

}

void SimpleBLE::fillServiceData(byte* data, int size) {

if(size > MAX_SERVICE_DATA_SIZE)

size = MAX_SERVICE_DATA_SIZE;

adv_data.p_service_data = (uint8_t ) malloc(sizesizeof(uint8_t));

adv_data.service_data_len = size;

memcpy(adv_data.p_service_data, data, size);

}

When I add these, I get the following errors during compile:

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: error: variable or field '_on_gap' declared void

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~~

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: error: 'esp_gap_ble_cb_event_t' was not declared in this scope

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: note: suggested alternative: 'wifi_prov_cb_event_t'

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~~

wifi_prov_cb_event_t

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51: error: 'esp_ble_gap_cb_param_t' was not declared in this scope

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~~

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51: note: suggested alternative: 'esp_sleep_source_t'

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~~

esp_sleep_source_t

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75: error: 'param' was not declared in this scope

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75: note: suggested alternative: 'Stream'

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~

Stream

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:444:42: error: 'esp_ble_adv_data_t' has not been declared

static bool _init_gap(const char name, esp_ble_adv_data_t adv_data){

^~~~~~

Multiple libraries were found for "WiFi.h"

Used: C:\Users\ilker\AppData\Local\Arduino15\packages\esp32\hardware\esp32\2.0.17\libraries\WiFi

Not used: C:\Users\ilker\Documents\Arduino\libraries\WiFi

exit status 1

Compilation error: variable or field '_on_gap' declared void

From: jjdb210 @.> Sent: 28 Temmuz 2024 Pazar 19:20 To: jjdb210/CheesyNipClicker @.> Cc: ilker Aktuna @.>; Author @.> Subject: Re: [jjdb210/CheesyNipClicker] about Disney Magicband bluetooth codes (Issue #1)

Better way to communicate would be to directly email @. <mailto:@.>

As far as decyrpting/figuring out what is going on - You might want to take a look at: https://github.com/DigitalSecurity/btlejuice

As far as Alexa - There was supposed to be a triva game that integrated with the bands that was going to be integrated with Alexa's "Hey Disney" feature. They released Hey Disney a little over a year ago now, and it still has no magicband+ support as far as I'm aware. It's funny, because the MagicBand+ boxes still contain the Amazon Alexa logo on the side of them, despite thie feature still not being released. The only thing that I have at home to Mitm with is my phone, and I'm not 100% certain that's using the BLE features at this point... I haven't jumped down that road, but hope to do that soon.

I have code for both a transmitter and a receiver. I just uploaded the transmitter code to Github:

https://github.com/jjdb210/Disney_BLE_Dress_Transmitter/blob/main/wand/wand.ino

The code has a bunch of stuff involving buttons for a wand I built, and was originally built for a Xiao ESP32c3. I'm not sure how cross compatible it is, but hopefully it works for you. That said, there is a debug tool I put into it that allows you to send codes directly over serial... So once it's loaded into the chip, open the console and paste one of the codes into the serial prompt with your magic band on... For example, if you put in:

8301e100e905006f0ef5b0

it should cause all magicband+ in the area to glow red. A breakdown of the code can be found here: https://emcot.world/Disney_MagicBand%2B_Bluetooth_Codes - If you happen to figure out any additional details while you're playing around.. For example, how the timing bits work (I know they exist, I just haven't had time to iterate through and see how they behave), I'd love to get that added to the documentation/wiki.

To your last question: I don't believe that there is any way to use broadcast messages to hit a single magicband. I have not seen any signs of this either in implementation in the parks, or in any of the data that I've sniffed.. with maybe 1 small exception... There is what I believe to be a tracking ping Disney sends out that the magic bands respond to... but this doesn't contain any light up functionality.

Justin Gehring

On Sun, Jul 28, 2024 at 3:21 AM ilker Aktuna wrote:

Hi,

Thanks for your quick response. How can we contact directly? (Using this issue thread under an unrelated GitHub repository is not the best method, I believe.)

I have a Bluetooth sniffer, so I am now trying to sniff between my phone (Disney app) and the magicband. Unfortunately I could not decrypt the packets. If you have experience with this, maybe you can help me with that. Please see my question here:

https://devzone.nordicsemi.com/f/nordic-q-a/113465/encrypted-packet-decrypted-incorrectly-bad-mic---how-to-get-ltk

About broadcast messages: I don't have any experience. And I really don't know the usage of hcitool. So if you can describe to me what these parameters are (which one is the address, service, characteristic, etc.), maybe I can try to replicate them on Arduino or Java.

hcitool -i hci0 cmd 0x08 0x0008 1E 02 01 1A 1A ff 83 01 e9 0c 00 0f 0f 5d 46 5b f0 05 32 37 48 95 cf 8a ad

If Arduino is able to do this, at least I can use broadcast until I discover the codes for unicast (direct) commands.

And lastly, what do you mean by "I was really hoping the Alexa integration would have come out by now"? Is there an expected Alexa integration for Magicband+?


ilker-aktuna commented 1 month ago

Hi,

I’ve solved the issue about compile. Now it compiles, but together with my code it gets too big, and I get the following error:

Sketch uses 1555953 bytes (118%) of program storage space. Maximum is 1310720 bytes.

Global variables use 61080 bytes (18%) of dynamic memory, leaving 266600 bytes for local variables. Maximum is 327680 bytes.

Generic BLE libraries take too much space. I know that because before I had similar issues.

As a solution, I had found an optimized library named NimBLE.

With that library in fact it is easy to create an advertisement, such as:

    #include "NimBLEDevice.h"

    std::string advDataString = /* Length            */ "\x1E"
                                /* Flags             */ "\x02\x01\x1A"
                                /* Manufacturer info */ "\x1A\xFF"
                                /* Custom data       */ "\x83\x01\xE9\x0C\x00\x0F\x0F\x5D\x46\x5B\xF0\x05\x32\x37\x48\x95\xCF\x8A\xAD";

    NimBLEDevice::init("disney");
    NimBLEAdvertising *pAdvertising = NimBLEDevice::getAdvertising(); // create advertising instance
    NimBLEAdvertisementData advertisementData;
    advertisementData.setManufacturerData(advDataString); // Set the advertisement data
    pAdvertising->setAdvertisementData(advertisementData);
    pAdvertising->addServiceUUID("ABCD");
    pAdvertising->start(); // start advertising

but this did not make any change on the magicband.

Do you see what I am missing here?

Thanks

From: jjdb210 Sent: Monday, 29 July 2024 23:05 To: jjdb210/CheesyNipClicker Cc: ilker Aktuna; Author Subject: Re: [jjdb210/CheesyNipClicker] about Disney Magicband bluetooth codes (Issue #1)

I see GitHub stripped my email out... to communicate via email so we don't have to deal with that part of the problem, you can email justin at jrcorps dot com.

That said, 2 questions: 1) Did you try running the code I have as-is first? Just to make sure it works with your transmitter setup? IE: could you send signals from the console? 2) What version of the IDE are you using? I believe this was originally written for 2.2.1 which shouldn't matter a ton, but might be part of it. We might also not be using the same Bluetooth libraries.... I believe my includes might be coming from NimBLE-Arduino by H2zero (available in the library manager I believe).

Justin Gehring PH: 651-208-8797 FX: 866-572-6777

On Mon, Jul 29, 2024 at 2:47 PM ilker Aktuna wrote:

Thanks.

I am trying to get parts of your code to use in my sketch. But I am confused.

To call your class, I have to use the following code:

    SimpleBLE ble;
    std::string advertisingdata;
    advertisingdata = "8301e100e905006f0ef5b0";
    advertisingdata = message;
    len = advertisingdata.length() / 2;   // two hex characters make one byte
    //Serial.printf("AD Length IS: %i \n", len);
    for(char i = 0; i < len; i++){
        byte extract;
        char a = advertisingdata[2*i];
        char b = advertisingdata[2*i + 1];
        extract = convertCharToHex(a)<<4 | convertCharToHex(b);
        raw[i] = extract;
    }
    ble.begin("");
    ble.advertise(raw,len);

But I have to add the class to my code. So I also have to include:

    class SimpleBLE {
    public:
        SimpleBLE(void);
        ~SimpleBLE(void);

        /**
         * Start BLE Advertising
         * @param[in] localName local name to advertise
         * @return true on success
         */
        bool begin(String localName=String());

        /**
         * Advertises data on Manufacturer Data field
         * @param[in] data String with the message to be transmitted
         * @return true on success
         */
        bool advertise(String data);

        /**
         * Advertises data on Manufacturer Data field
         * @param[in] data byte array with the message to be transmitted
         * @param[in] size size of the byte array
         * @return true on success
         */
        bool advertise(byte* data, int size);

        /**
         * Advertises data on Service Data field
         * @param[in] data String with the message to be transmitted
         * @return true on success
         */
        bool serviceAdvertise(String data);

        /**
         * Advertises data on Service Data field
         * @param[in] data byte array with the message to be transmitted
         * @param[in] size size of the byte array
         * @return true on success
         */
        bool serviceAdvertise(byte* data, int size);

        //bool advertise(byte* data_man, int size_man, byte* data_ser, int size_ser);
        //bool advertise(String data_man, String data_ser);

        /**
         * Stop BLE Advertising
         * @return none
         */
        void end(void);

    private:
        void clearAdvertiseData();
        void fillManufacturerData(byte* data, int size);
        void fillServiceData(byte* data, int size);

    private:
        String local_name;

    private:
    };

    #include "esp32-hal-log.h"
    #include "esp_bt.h"
    #include "esp_gap_ble_api.h"
    #include "esp_gatts_api.h"
    #include "esp_bt_defs.h"
    #include "esp_bt_main.h"

    #define MAX_MANUFACTURER_DATA_SIZE 20
    #define MAX_SERVICE_DATA_SIZE 11

    esp_ble_adv_data_t adv_data; // data that will be advertised
    byte dataBuffer[50];
    byte dataBuffer2[50];

    // Standard parameters
    static esp_ble_adv_data_t _adv_config = {
        .set_scan_rsp = false,
        .include_name = false,
        .include_txpower = false,
        /*.min_interval = 512,
        .max_interval = 1024, */
        .appearance = 0,
        .manufacturer_len = 0,
        .p_manufacturer_data = NULL,
        .service_data_len = 0,
        .p_service_data = NULL,
        .service_uuid_len = 0,
        .p_service_uuid = NULL,
        .flag = (ESP_BLE_ADV_FLAG_NON_LIMIT_DISC|ESP_BLE_ADV_FLAG_BREDR_NOT_SPT)
    };

    //
    static esp_ble_adv_params_t _adv_params = {
        .adv_int_min = 100,
        .adv_int_max = 100,
        .adv_type = ADV_TYPE_NONCONN_IND, // Excellent description of this parameter here: https://www.esp32.com/viewtopic.php?t=2267
        .own_addr_type = BLE_ADDR_TYPE_PUBLIC,
        .peer_addr = {0x00, },
        .peer_addr_type = BLE_ADDR_TYPE_PUBLIC,
        .channel_map = ADV_CHNL_ALL,
        .adv_filter_policy = ADV_FILTER_ALLOW_SCAN_ANY_CON_ANY,
    };

    static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){
        if(event == ESP_GAP_BLE_ADV_DATA_SET_COMPLETE_EVT){
            esp_ble_gap_start_advertising(&_adv_params);
        }
    }

    static bool _init_gap(const char* name, esp_ble_adv_data_t* adv_data){
        if(!btStarted() && !btStart()){
            log_e("btStart failed");
            return false;
        }
        esp_bluedroid_status_t bt_state = esp_bluedroid_get_status();
        if(bt_state == ESP_BLUEDROID_STATUS_UNINITIALIZED){
            if (esp_bluedroid_init()) {
                log_e("esp_bluedroid_init failed");
                return false;
            }
        }
        if(bt_state != ESP_BLUEDROID_STATUS_ENABLED){
            if (esp_bluedroid_enable()) {
                log_e("esp_bluedroid_enable failed");
                return false;
            }
        }
        if(esp_ble_gap_set_device_name(name)){
            log_e("gap_set_device_name failed");
            return false;
        }
        if(esp_ble_gap_config_adv_data(adv_data)){
            log_e("gap_config_adv_data failed");
            return false;
        }
        if(esp_ble_gap_register_callback(_on_gap)){
            log_e("gap_register_callback failed");
            return false;
        }
        return true;
    }

    static bool _stop_gap()
    {
        if(btStarted()){
            esp_bluedroid_disable();
            esp_bluedroid_deinit();
            btStop();
        }
        return true;
    }

    /*
     * BLE Arduino
     *
     * */

    SimpleBLE::SimpleBLE()
    {
        local_name = "esp32";
        adv_data = {
            .set_scan_rsp = false,
            .include_name = false,
            .include_txpower = false,
            .appearance = 0,
            .manufacturer_len = 0,
            .p_manufacturer_data = NULL, //manufacturer data is what we will use to broadcast our info
            .service_data_len = 0,
            .p_service_data = NULL,
            .service_uuid_len = 0,
            .p_service_uuid = NULL,
            .flag = (ESP_BLE_ADV_FLAG_BREDR_NOT_SPT|(0x1 << 1))
        };
    }

    SimpleBLE::~SimpleBLE(void)
    {
        clearAdvertiseData();
        _stop_gap();
    }

    bool SimpleBLE::begin(String localName)
    {
        if(localName.length()){
            local_name = localName;
        }
        return _init_gap(local_name.c_str(), &_adv_config);
    }

    void SimpleBLE::end()
    {
        _stop_gap();
    }

    bool SimpleBLE::advertise(String data) {
        data.getBytes(dataBuffer, data.length()+1);
        return advertise(dataBuffer, data.length());
    }

    bool SimpleBLE::advertise(byte* data, int size) {
        clearAdvertiseData();
        fillManufacturerData(data, size);
        return _init_gap(local_name.c_str(), &adv_data);
    }

    bool SimpleBLE::serviceAdvertise(String data) {
        data.getBytes(dataBuffer, data.length()+1);
        return serviceAdvertise(dataBuffer, data.length());
    }

    bool SimpleBLE::serviceAdvertise(byte* data, int size) {
        clearAdvertiseData();
        fillServiceData(data, size);
        return _init_gap(local_name.c_str(), &adv_data);
    }

    void SimpleBLE::clearAdvertiseData() {
        if(adv_data.p_manufacturer_data != NULL) {
            free(adv_data.p_manufacturer_data);
            adv_data.p_manufacturer_data = NULL;
            adv_data.manufacturer_len = 0;
        }
        if(adv_data.p_service_data != NULL) {
            free(adv_data.p_service_data);
            adv_data.p_service_data = NULL;
            adv_data.service_data_len = 0;
        }
    }

    void SimpleBLE::fillManufacturerData(byte* data, int size) {
        if(size > MAX_MANUFACTURER_DATA_SIZE)
            size = MAX_MANUFACTURER_DATA_SIZE;
        adv_data.p_manufacturer_data = (uint8_t *) malloc(size*sizeof(uint8_t));
        adv_data.manufacturer_len = size;
        memcpy(adv_data.p_manufacturer_data, data, size);
    }

    void SimpleBLE::fillServiceData(byte* data, int size) {
        if(size > MAX_SERVICE_DATA_SIZE)
            size = MAX_SERVICE_DATA_SIZE;
        adv_data.p_service_data = (uint8_t *) malloc(size*sizeof(uint8_t));
        adv_data.service_data_len = size;
        memcpy(adv_data.p_service_data, data, size);
    }

When I add these, I get the following errors during compile:

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: error: variable or field '_on_gap' declared void

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~~

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: error: 'esp_gap_ble_cb_event_t' was not declared in this scope

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: note: suggested alternative: 'wifi_prov_cb_event_t'

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~~

wifi_prov_cb_event_t

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51: error: 'esp_ble_gap_cb_param_t' was not declared in this scope

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~~

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51: note: suggested alternative: 'esp_sleep_source_t'

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~~

esp_sleep_source_t

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75: error: 'param' was not declared in this scope

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75: note: suggested alternative: 'Stream'

static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){

^~~~~

Stream

C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:444:42: error: 'esp_ble_adv_data_t' has not been declared

static bool _init_gap(const char name, esp_ble_adv_data_t adv_data){

^~~~~~

Multiple libraries were found for "WiFi.h"

Used: C:\Users\ilker\AppData\Local\Arduino15\packages\esp32\hardware\esp32\2.0.17\libraries\WiFi

Not used: C:\Users\ilker\Documents\Arduino\libraries\WiFi

exit status 1

Compilation error: variable or field '_on_gap' declared void


jjdb210 commented 1 month ago

Try moving the 8301 to the manufacturing info and out of the data packet.

Justin Gehring PH: 651-208-8797 FX: 866-572-6777 @.***
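An added example (not code from either poster or from the linked projects) that decodes the advertising bytes quoted in this thread: it splits the hcitool parameters into AD structures and shows what the company-identifier field reads when the full string from the NimBLE snippet is handed over as manufacturer data. The helper names are made up for this illustration, and `wrap_manufacturer` assumes a manufacturer-data setter prepends the length and 0xFF type bytes itself; no BLE library is called.

```cpp
// Added example: decode the BLE advertising bytes quoted in this thread.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

// One AD structure: [length][type][data...]; length counts the type byte plus data.
struct AdStructure {
    uint8_t type = 0;
    Bytes   data;          // data bytes actually present
    size_t  declared = 0;  // data bytes the length field promised
    bool truncated() const { return data.size() < declared; }
    // Manufacturer Specific Data (type 0xFF) starts with a little-endian company ID.
    int company_id() const {
        if (type != 0xFF || data.size() < 2) return -1;
        return data[0] | (data[1] << 8);
    }
};

// Split an advertising payload into AD structures, tolerating short input.
std::vector<AdStructure> parse_ad(const Bytes& p) {
    std::vector<AdStructure> out;
    size_t i = 0;
    while (i < p.size()) {
        uint8_t len = p[i++];
        if (len == 0 || i >= p.size()) break;   // padding, or a dangling length byte
        AdStructure ad;
        ad.type = p[i++];
        ad.declared = len - 1;
        size_t avail = p.size() - i;
        size_t take = ad.declared < avail ? ad.declared : avail;
        ad.data.assign(p.begin() + i, p.begin() + i + take);
        i += take;
        out.push_back(ad);
    }
    return out;
}

// Parameters of the hcitool command in the thread (after OGF 0x08, OCF 0x0008).
// Byte 0 is Advertising_Data_Length; the rest is the advertising payload.
const Bytes HCI_PARAMS = {
    0x1E, 0x02, 0x01, 0x1A, 0x1A, 0xFF, 0x83, 0x01, 0xE9, 0x0C, 0x00, 0x0F, 0x0F,
    0x5D, 0x46, 0x5B, 0xF0, 0x05, 0x32, 0x37, 0x48, 0x95, 0xCF, 0x8A, 0xAD};

Bytes hci_payload() { return Bytes(HCI_PARAMS.begin() + 1, HCI_PARAMS.end()); }

// The same bytes written as the string literal from the NimBLE snippet.
#define ADV_LITERAL "\x1E" "\x02\x01\x1A" "\x1A\xFF" \
    "\x83\x01\xE9\x0C\x00\x0F\x0F\x5D\x46\x5B\xF0\x05\x32\x37\x48\x95\xCF\x8A\xAD"

// A std::string built from a bare char pointer stops at the first 0x00 byte.
std::string literal_as_posted() { return std::string(ADV_LITERAL); }
// Passing the length explicitly keeps the embedded 0x00.
std::string literal_with_length() { return std::string(ADV_LITERAL, sizeof(ADV_LITERAL) - 1); }

// Assumption: a manufacturer-data setter adds the AD header itself,
// i.e. it emits [len][0xFF][bytes given]. Modelled here without any BLE library.
Bytes wrap_manufacturer(const std::string& mfg) {
    Bytes ad = {static_cast<uint8_t>(mfg.size() + 1), 0xFF};
    ad.insert(ad.end(), mfg.begin(), mfg.end());
    return ad;
}

// The whole literal handed over as manufacturer data, as in the snippet.
Bytes double_wrapped() { return wrap_manufacturer(literal_as_posted()); }

// Only company ID + data handed over (length, flags and the 1A FF header skipped).
Bytes manufacturer_only() { return wrap_manufacturer(literal_with_length().substr(6)); }

int main() {
    auto report = [](const char* label, const Bytes& payload) {
        std::printf("%s (%zu bytes)\n", label, payload.size());
        for (const AdStructure& ad : parse_ad(payload)) {
            std::printf("  type 0x%02X, %zu of %zu data bytes", ad.type, ad.data.size(), ad.declared);
            if (ad.company_id() >= 0) std::printf(", company 0x%04X", ad.company_id());
            std::printf("%s\n", ad.truncated() ? "  <-- shorter than declared" : "");
        }
    };
    report("hcitool payload", hci_payload());
    report("full literal passed as manufacturer data", double_wrapped());
    report("company ID + data only", manufacturer_only());
    return 0;
}
```

Built with any C++11 compiler, it reports that the manufacturer structure in the quoted hcitool command declares 25 data bytes while 19 follow, and that the string literal stops at its embedded \x00 when converted to std::string without a length.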


From: jjdb210 Sent: Sunday, 28 July 2024 19:20 To: jjdb210/CheesyNipClicker Cc: ilker Aktuna; Author Subject: Re: [jjdb210/CheesyNipClicker] about Disney Magicband bluetooth codes (Issue #1)

Better way to communicate would be to directly email @.

As far as decrypting/figuring out what is going on - You might want to take a look at: https://github.com/DigitalSecurity/btlejuice

As far as Alexa - There was supposed to be a trivia game that integrated with the bands that was going to be integrated with Alexa's "Hey Disney" feature. They released Hey Disney a little over a year ago now, and it still has no magicband+ support as far as I'm aware. It's funny, because the MagicBand+ boxes still contain the Amazon Alexa logo on the side of them, despite this feature still not being released. The only thing that I have at home to MitM with is my phone, and I'm not 100% certain that's using the BLE features at this point... I haven't jumped down that road, but hope to do that soon.

I have code for both a transmitter and a receiver. I just uploaded the transmitter code to Github:

https://github.com/jjdb210/Disney_BLE_Dress_Transmitter/blob/main/wand/wand.ino

The code has a bunch of stuff involving buttons for a wand I built, and was originally built for a Xiao ESP32c3. I'm not sure how cross compatible it is, but hopefully it works for you. That said, there is a debug tool I put into it that allows you to send codes directly over serial... So once, it's loaded into the chip, open the console and paste one of the codes into the serial prompt with your magic band on... For example, if you put in:

8301e100e905006f0ef5b0

it should cause all magicband+ in the area to glow red. A breakdown of the code can be found here: https://emcot.world/Disney_MagicBand%2B_Bluetooth_Codes - If you happen to figure out any additional details while you're playing around.. For example, how the timing bits work (I know they exist, I just haven't had time to iterate through and see how they behave), I'd love to get that added to the documentation/wiki.

To your last question: I don't believe that there is any way to use broadcast messages to hit a single magicband. I have not seen any signs of this either in implementation in the parks, or in any of the data that I've sniffed.. with maybe 1 small exception... There is what I believe to be a tracking ping disney sends out that the magic bands respond to... but this doesn't contain any light up functionality.

Justin Gehring

On Sun, Jul 28, 2024 at 3:21 AM ilker Aktuna wrote:

Hi,

Thanks for your quick response. How can we contact directly ? (Using this issue thread under an unrelated github repository is not the best method I believe)

I have a bluetooth sniffer , so I am now trying to sniff between my phone (Disney app) and the magicband. Unfortunately I could not decrypt the packets. If you have experience on this, maybe you can help me with that. Please see here, my question:

https://devzone.nordicsemi.com/f/nordic-q-a/113465/encrypted-packet-decrypted-incorrectly-bad-mic---how-to-get-ltk

About broadcast messages; I don't have any experience. And I really don't know the usage of hcitool So if you can describe me what these parameters are (which one is the address , service, characteristic etc.) , maybe I can try to replicate them on Arduino , or Java.

hcitool -i hci0 cmd 0x08 0x0008 1E 02 01 1A 1A ff 83 01 e9 0c 00 0f 0f 5d 46 5b f0 05 32 37 48 95 cf 8a ad

If Arduino is able to do this, at least I can use broadcast until I discover the codes for unicast (direct) commands.

And lastly, what do you mean by " I was really hoping the Alexa integration would have come out by now" ? Is there an expected Alexa integration for Magicband+ ?


ilker-aktuna commented 1 month ago

do you mean like this :

```cpp
std::string advDataString =
    /* Length */ "\x1E"
    /* Flags */ "\x02\x01\x1A"
    /* Manufacturer info */ "\x1A\xFF\x83\x01"
    /* Custom data */ "\xE9\x0C\x00\x0F\x0F\x5D\x46\x5B\xF0\x05\x32\x37\x48\x95\xCF\x8A\xAD";

NimBLEDevice::init("disney");
NimBLEAdvertising *pAdvertising = NimBLEDevice::getAdvertising(); // create advertising instance
NimBLEAdvertisementData advertisementData;
advertisementData.setManufacturerData(advDataString); // Set the advertisement data
pAdvertising->setAdvertisementData(advertisementData);
pAdvertising->addServiceUUID("ABCD");
pAdvertising->start(); // start advertising
```

ilker-aktuna commented 1 month ago

that didn't change anything.

I am looking at NimBLE reference here: https://h2zero.github.io/NimBLE-Arduino/class_nim_b_l_e_advertising.html

there are setManufacturerData and setAdvertisementData methods but I am not sure how to use these in compliance with your recommendation.

jjdb210 commented 1 month ago

This might be hard to diagnose without being able to see the packet that is being produced from something like wireshark. You may also run into problems using this library due to the disney advertising packets technically being out-of-spec.

In theory the manufacturer data should be 8301. In some situations I've had to enter it as 0183 depending on how the library is translating the little endianness of it all. The advertisement data should be then something like: e100e905006f0ef5b0 (that's a short enough code that it should work even if nimble requires it to be in spec)

If you generate that packet and listen with your sniffer using something like wireshark, I'd like to see the packet it generates and I might be able to tell you then what's wrong.


ilker-aktuna commented 1 month ago

but I am checking your code and as far as I understand, your code is sending all data as manufacturer data. So does my example. I don't see the difference. But then both of them do not work for me. Maybe my magicband is a different version ???

ilker-aktuna commented 1 month ago

about sniffing; I have a nrf 52840 bluetooth sniffer and I can sniff with it using wireshark, but I don't know which packets are advertisement packets. I mostly have experience with btatt protocol which is not advertisement.

jjdb210 commented 1 month ago

Noted. I'm going to try to get this working with Nimble on my stream here in a few minutes. If time allows (I don't have a ton of time tonight), I'll also take a stab at getting the gatt stuff worked out. If you want to chat in real time, stop by! http://twitch.tv/jjdb210


jjdb210 commented 1 month ago

This code should work:

```cpp
#include <NimBLEDevice.h>

void setup() {
  NimBLEDevice::init("");
  NimBLEAdvertising *pAdvertising = NimBLEDevice::getAdvertising(); // create advertising instance
  // e100e905006f0ef5b0
  uint8_t Adv_DATA[] = {0x83, 0x01, 0xe1, 0x00, 0xe9, 0x05, 0x00, 0x6f, 0x0e, 0xf5, 0xb0};
  NimBLEAdvertisementData oAdvertisementCustom = NimBLEAdvertisementData();
  oAdvertisementCustom.setManufacturerData(std::string((char *)&Adv_DATA[0], 11));
  pAdvertising->setAdvertisementData(oAdvertisementCustom);
  pAdvertising->start(); // start advertising
}

void loop() {
  // put your main code here, to run repeatedly:
}
```

If you want to see how i made it work (and maybe a little before this timestamp): https://www.twitch.tv/videos/2210748966?t=1h9m30s


ilker-aktuna commented 1 month ago

this code seems to work (at least it does something, I didn't check if it was the correct behaviour) Magicband leds turned on (red) thank you.

how do I turn off the leds now ?

btw, I can't find your email address , so I am still writing here. My email address is my name + .info@gmail.com So it is i___a.info@gmail.com (no dash between name and surname)

ilker-aktuna commented 1 month ago

I just made some more tests. The code you provide makes the band leds red. But I have 2 issues:

  1. it always makes the band "red" , I tried to change "6f" to other colors but it always makes red. So I assume it is not working as expected. uint8_t Adv_DATA[] = {0x83, 0x01, 0xe1, 0x00, 0xe9, 0x05, 0x00, **0x6f**, 0x0e, 0xf5, 0xb0};

for example I tried: uint8_t Adv_DATA[] = {0x83, 0x01, 0xe1, 0x00, 0xe9, 0x05, 0x00, 0x7a, 0x0e, 0xf5, 0xb0}; expecting lime green according to your color palette. but it was "red" again.

  2. any other code I try from your examples does not work. I tried:
    //e100e9080065d255005500b0 - custom color
    //uint8_t Adv_DATA[] = {0x83, 0x01, 0xe1, 0x00, 0xe9, 0x08, 0x00, 0x65, 0xd2, 0x55, 0x00, 0x55, 0x00, 0xb0}; 
    //e9 0b 0b 0f 0f 5c 5d 48 a5 d1 45 32 05 - circle animation
    //uint8_t Adv_DATA[] = {0x83, 0x01, 0xe1, 0x00, 0xe9, 0x0b, 0x0b, 0x0f, 0x0f, 0x5c, 0x5d, 0x48, 0xa5, 0xd1, 0x45, 0x32, 0x05}; 

any idea about what's happening ?

jjdb210 commented 1 month ago

Make sure if you change the size of the array, that you update the 11 to the proper value of data being sent (same number of elements that is in the array).

As far as the changing the code not changing the color... 2 notes on that:

1) Only 5 of the bits are being used, which makes the math a little funny... I'm not sure which 5 off the top of my head... but based on it being red... Try 5f and see what happens.

2) The other thing that might be happening, is if the beacon isn't getting fully cleared, you might be still sending the red beacon, even after sending something else... I'm not in a place I can test that at the moment, but I'll see if I can rig up some other sample code. There's also a timing variable, so it might be a really long red, so it may take a bit before it refreshes. If the band leds are off though, it should grab the code pretty quick.


ilker-aktuna commented 1 month ago

> Make sure if you change the size of the array, that you update the 11 to the proper value of data being sent (same number of elements that is in the array).

Ok. That was something I missed. Sorry. Circle animation works if I change the 11 to 17.

> As far as the changing the code not changing the color... 2 notes on that:
>
> 1) Only 5 of the bits are being used, which makes the math a little funny... I'm not sure which 5 off the top of my head... but based on it being red... Try 5f and see what happens.

well, I did the math there. Your example 6f is 0110 1111 bottom 5 bits : 01111 , decimal 15 , shows as "pink" in your table -> I get "red" (ok, maybe that's pink, let's say)

So I changed it to 7a , which is 0111 1010 bottom 5 bits : 11010 , decimal 26 , should be "lime green" but I still get "red"

You suggest 5f , I tried that and still get "red"

what am I doing wrong ?

> 2) The other thing that might be happening, is if the beacon isn't getting fully cleared, you might be still sending the red beacon, even after sending something else... I'm not in a place I can test that at the moment, but I'll see if I can rig up some other sample code. There's also a timing variable, so it might be a really long red, so it may take a bit before it refreshes. If the band leds are off though, it should grab the code pretty quick.

well I powered off the esp32 module several times. So beacon is certainly cleared. And I tried with long durations between my tests. (2-3 hours later etc.) Also, after each "advertisement" , I put a 10 second delay and then stop the advertisement:

```cpp
pAdvertising->start(); // start advertising
delay(10000);
pAdvertising->stop();
```

and the led goes off. I am not sure if this is the ideal way to stop the leds, but it works.

ilker-aktuna commented 1 month ago

I just tried the "Single 6-bit color" command and it works. So in fact do we really need the "Single Color From Pallette Function" ?

How do we make a circle animation with custom color ?

jjdb210 commented 1 month ago

Single 6 bit color can absolutely be used instead of the palette one... Just an option.

As far as the animation goes.. I do have a few more notes that I'll try to get up to the wiki... but a lot of this stuff I haven't fully reverse engineered... And even the ones I have, I'm still missing details on what a lot of the other bits do. You'll likely have to do a bit of guess and check. I also have recordings of all the codes from all the shows disney currently has (drone show, 2 castle shows, 2 or 3 epcot shows, and fantasmic). I'll see if I can get those on the Wiki eventually as well... That would give you more codes to play with.

That said, I would say a majority of the animation functions I've come across seem to rely on the palette colors.


ilker-aktuna commented 1 month ago

ok. in that case, understanding palette colors and their usage is really important. I still could not change the color from red to any other color by playing with "6f". If you have any advice on this , please let me know.

Also, what is the "5 Color Pallet" example in your wiki actually doing ? A full command might look like this: e9 08 00 f4 0f a0 a4 b9 b9 a4

I am mostly interested in ;

  1. adding vibration to any single color
  2. changing color of a circle animation (with or without vibration)

If you have any ideas on achieving these (even trial & error) , I'd really like to test.

and, last but not least, I really would like to use single device control (like we do on the disney app when selecting color theme) any ideas on that ? I tried to sniff the traffic with nrf52840 sniffer but it was encrypted and I could not get a LTK to decrypt.

Probably the Disney app has a hardcoded LTK and without it we cannot decrypt the BLE traffic from/to Disney app. Do you know how to sniff traffic on Android phone ? Maybe from that perspective, it could be sniffed with no encryption ?

jjdb210 commented 1 month ago

  1. I don't know if all the "functions" have a parameter for vibration.. Other than color, I haven't reversed most of the other bits... I believe the only code I have that vibrates that I've documented is this one: e9 12 00 01 0f bc bd bd bd bd 30 d0 37 f4 d2 46 00 00 fc bb

I don't remember though what bits messed with vibration. At the moment, I don't have any plans to delve into that, but I might run into it when I get around to figuring out the timing bits for some of these functions. If you have any success in isolating anything let me know!

In that animation code, I can tell you that the part I put in bold is where the colors are I believe.

  2. As far as direct connecting, I'm working on getting a bluetooth man-in-the-middle setup going, but have no ETA/timeline to get it working. I started working on modifying 2 PiZero W's for the project last night, but don't know 1) if the pi's will support this without usb dongles or 2) what other hurdles I'm likely to run into.

If I find anything out, I'll let you know.


ilker-aktuna commented 1 month ago

ok. let's leave vibration for now. what about changing colors ? I even could not change the color in "Single Color From Pallette Function" example. Are you able to change it ? Can you give me an example which will output any color other than red in this: 8301e100e905006f0ef5b0

Btw, what is the "5 Color Pallet" example in your wiki actually doing ? A full command might look like this: e9 08 00 f4 0f a0 a4 b9 b9 a4

about direct connection; I see what you are trying to do with 2 RPI sniffing solution. But I have a better sniffing setup and I am already able to sniff. But without a LTK the messages are encrypted. Do you know how to get the LTK ? mb.zip

I am attaching the capture file that I have already captured. If you can get the LTK from the pairing phase in this file, then we can decrypt the messages.

jjdb210 commented 1 month ago

I may be wrong, but I don't think there is going to be a way to use a passive sniffer to decode the LTK for a paired magicband. I do have a passive sniffer with wireshark as well which is how I got most of the bluetooth stuff for the broadcast messages, as well as a custom recorder I built for recording the shows at disney... But none of that has proven useful in determining what the phone and the magicband are doing once paired. It might be possible to do it with a MITM setup like I'm working on getting going, but this assumes they aren't using some of the latest protections against MITM.

That said, I believe Disney actually created 3 ways to communicate with the bands... paired is likely the coolest, but also the most dangerous in my mind, in terms of being able to do damage to the magicband, so I haven't even taken a look at it...

Method 1. We have the broadcast method, which you've now seen.

Method 2. We have unpaired GATT/ATT communication, which is why I'm working on a MITM setup... because there is a way to get data from, and communicate with these magic bands without using broadcast messages and without using pairing... It's seen whenever the bands interact with the statues at the park. The statues are able to "tell" the bands they are nearby, and the bands are able to reply to the statues that a wave has occurred, without any pairing. I believe this is also used to detect nearby bands prior to pairing. I don't have any idea just how much control there is here, but there definitely is some. My plan at the moment is to maybe take the MITM device in hopes of capturing what the statues are doing.

Method 3. Then we have paired communication, which includes the ability to replace the firmware, and sideload applications onto the magicband. It's seen whenever the phone updates the firmware for the device, or in Galaxy's edge when you go bounty hunting and it seems to sideload the tracking app. It sounds like that is what you are trying to sniff out... I don't have a ton to contribute on this method at this point either, and I probably won't be targeting it anytime soon, unless the MITM setup I'm putting together happens to work for it as well.

That said at this point I have nothing to point you in the right direction regarding method 2 or 3 that I haven't yet shared.

With regards to the solid color function (e905) - My apologies... my wiki was wrong... It's the second to last tuple that controls color... Here's the samples:

As a note - the extra 3 bits do have an impact on the pattern shown as well... For example, if you use D instead of F, only the upper right LED is going to light. I don't entirely understand any of the other bits, and looking at the wiki my documentation might be wrong here too regarding what using other upper level bits will do.

Sorry for the confusion on that part... Hope it helps!


ilker-aktuna commented 1 month ago

> I may be wrong, but I don't think there is going to be a way to use a passive sniffer to decode the LTK for a paired magicband.

well in fact, I am doing pairing in each sniff session. But still I am not able to get the LTK. I am not able to do the MITM setup right now. (I have a few spare RPI but I am going on a vacation and don't have the time to prepare the setup) If you find anything, please let me know.

about color palette; thanks for clarifying it. Now I can use that command. But I still have a question about use of color palette in other commands. For example, what is the "5 Color Pallet" example in your wiki actually doing ? e9 08 00 f4 0f a0 a4 b9 b9 a4

jjdb210 commented 1 month ago

e908 is the function setting each LED a different palette based color. The bottom 5 bits of the last 5 tuples are each 1 LED on the magic band... I feel like there is timing tuple in there, and possibly some sort of pattern... but other than the color bits, I'm not entirely sure what else it can do.

e9 - Identifier for magic band - Not sure if this does anything other than start the code.
e8 - Appears to be a function call based on comparison with other codes.
00 - Unknown, could be a spacer based on it showing up in pretty much every code.
f4 - Unknown - Possibly Time Related
0f - Partially Unknown - May be partially "Pattern"
a0 - Partially Pattern, bottom 5 bits are First palette based color
a4 - Second Color, bottom 5 bits are second palette based color
b9 - Third Color, bottom 5 bits are third palette based color
b9 - Fourth Color, bottom 5 are fourth palette based color
a4 - Fifth Color

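The byte layout discussed in this thread (the hcitool parameter bytes, the 83 01 versus 0x0183 company ID, and the colour bits of the e9 05 and e9 08 codes), as an added Python example that is not part of the original posts or of jjdb210's code: it splits sniffed advertising data into AD structures, reads the company ID little-endian, and extracts the palette bits as described above. The function names and the constructed sample are assumptions, and treating `e1 00` as an optional prefix only mirrors how codes are quoted on the page.

```python
"""Decode BLE advertising data that carries MagicBand+ broadcast codes."""

DISNEY_COMPANY_ID = 0x0183  # from the thread: 387 decimal, sent on air as 83 01

# Parameter bytes of the hcitool command quoted in the thread. The first byte
# is the HCI Advertising_Data_Length field; the AD structures follow it.
HCITOOL_PARAM = bytes.fromhex(
    "1E 02 01 1A 1A ff 83 01 e9 0c 00 0f 0f 5d 46 5b f0 05 32 37 48 95 cf 8a ad"
)

# Constructed sample: a flags structure plus a manufacturer structure wrapping
# the "5 Color Pallet" code from the thread (e9 08 00 f4 0f a0 a4 b9 b9 a4).
SAMPLE_ADV = bytes.fromhex("02011a" "0dff8301" "e90800f40fa0a4b9b9a4")


def parse_ad_structures(adv):
    """Split advertising data into (ad_type, data, truncated) tuples.

    Each AD structure is [length][type][data...], where length counts the type
    byte plus the data. truncated is True when fewer bytes are present than
    the length byte declares; the parser reports that instead of guessing.
    """
    out, i = [], 0
    while i < len(adv):
        length = adv[i]
        if length == 0:  # zero length: padding after the significant part
            break
        body = adv[i + 1 : i + 1 + length]
        if body:
            out.append((body[0], bytes(body[1:]), len(body) < length))
        i += 1 + length
    return out


def manufacturer_data(adv):
    """Return (company_id, payload, truncated) of the first 0xFF structure."""
    for ad_type, data, truncated in parse_ad_structures(adv):
        if ad_type == 0xFF and len(data) >= 2:
            # The company ID is little-endian on air: 83 01 -> 0x0183.
            return int.from_bytes(data[:2], "little"), data[2:], truncated
    return None


def decode_band_code(payload):
    """Decode the colour fields the thread documents for e9 05 and e9 08."""
    prefix = b""
    if payload[:2] == b"\xe1\x00":  # prefix seen in some quoted codes; meaning not given on the page
        prefix, payload = payload[:2], payload[2:]
    if len(payload) < 2 or payload[0] != 0xE9:
        return None
    func, args = payload[1], payload[2:]
    result = {"prefix": prefix.hex(), "function": func, "args": args.hex()}
    if func == 0x05 and len(args) >= 2:
        colour_byte = args[-2]  # "second to last tuple controls color"
        result["palette"] = [colour_byte & 0x1F]  # bottom 5 bits: palette index
        result["upper_bits"] = colour_byte >> 5   # extra 3 bits: affect the pattern
    elif func == 0x08 and len(args) >= 5:
        # bottom 5 bits of the last 5 bytes: one palette index per LED
        result["palette"] = [b & 0x1F for b in args[-5:]]
    return result


def describe(adv):
    """Summarise one advertisement: company ID, truncation, decoded code."""
    found = manufacturer_data(adv)
    if found is None:
        return None
    company_id, payload, truncated = found
    return {
        "company_id": company_id,
        "is_disney": company_id == DISNEY_COMPANY_ID,
        "truncated": truncated,
        "code": decode_band_code(payload),
    }


if __name__ == "__main__":
    print(describe(SAMPLE_ADV))
    print(describe(HCITOOL_PARAM[1:]))  # skip the HCI length byte
    print(decode_band_code(bytes.fromhex("e100e905006f0ef5b0")))
```

For the hcitool bytes the manufacturer structure declares 0x1A bytes but only 20 follow it in the typed command, which the parser reports through `truncated`.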

ilker-aktuna commented 1 month ago

hi,

I am trying to do the same on an Android app. And normally the following code should work. But it does not.

```java
BluetoothLeAdvertiser mBluetoothLeAdvertiser = mBTAdapter.getBluetoothLeAdvertiser();
AdvertiseData.Builder dataBuilder = new AdvertiseData.Builder();
String s = "8301e100e90800f40ffca1b1a4b1";
byte[] b = new byte[s.length() / 2];
for (int i = 0; i < b.length; i++) {
    int index = i * 2;
    int v = Integer.parseInt(s.substring(index, index + 2), 16);
    b[i] = (byte) v;
}
dataBuilder.addManufacturerData(224 , b);

AdvertiseSettings.Builder settingsBuilder = new AdvertiseSettings.Builder();
settingsBuilder.setTimeout(0); //set to 0 to continously advertise

if (ActivityCompat.checkSelfPermission(this, Manifest.permission.BLUETOOTH_ADVERTISE) != PackageManager.PERMISSION_GRANTED) {
    requestPermissions(new String[]{Manifest.permission.BLUETOOTH_ADVERTISE}, 1);

    return;
}
mBluetoothLeAdvertiser.startAdvertising(settingsBuilder.build(), dataBuilder.build(), new AdvertiseCallback() {
    @Override
    public void onStartSuccess(AdvertiseSettings settingsInEffect) {
        super.onStartSuccess(settingsInEffect);
    }
    @Override
    public void onStartFailure(int errorCode) {
        super.onStartFailure(errorCode);
    }
});
```

Do you have any idea what's wrong ?

the "addManufacturerData" on Android BLE requires 2 parameters:
1. manufacturerId (integer) 
2. manufacturerSpecificData (byte)

I don't know what to use as manufacturerId.
From your guide I understand that it is 0x83 0x01 but how should I put it in an integer ?

jjdb210 commented 1 month ago

The official ID for Disney is 0x0183... If the field is taking it as an int, I would try inputting 387. Then sniff the packets and confirm that wireshark is seeing the company id as Walt Disney (it's a registered code, so Wireshark will ID it):

[image: image.png]

ilker-aktuna commented 1 month ago

Yes, that worked! Full working code:

    BluetoothLeAdvertiser mBluetoothLeAdvertiser = mBTAdapter.getBluetoothLeAdvertiser();
    AdvertiseData.Builder dataBuilder = new AdvertiseData.Builder();

    // Payload only: the company ID bytes (83 01) are not part of this string.
    String hexString = "e100e90c000f0f5d465bf005323748b0";
    int len = hexString.length();
    byte[] data = new byte[len / 2];

    // Decode the hex string two characters at a time.
    for (int i = 0; i < len; i += 2) {
        data[i / 2] = (byte) ((Character.digit(hexString.charAt(i), 16) << 4)
                + Character.digit(hexString.charAt(i + 1), 16));
    }

    // 387 == 0x0183, the company ID given in the reply above.
    dataBuilder.addManufacturerData(387, data);

    AdvertiseSettings.Builder settingsBuilder = new AdvertiseSettings.Builder();
    settingsBuilder.setTimeout(1000); // stop after 1000 ms; set to 0 to advertise continuously

    // Android 12+ needs the BLUETOOTH_ADVERTISE runtime permission; ask for it and bail out if missing.
    if (ActivityCompat.checkSelfPermission(this, Manifest.permission.BLUETOOTH_ADVERTISE) != PackageManager.PERMISSION_GRANTED) {
        requestPermissions(new String[]{Manifest.permission.BLUETOOTH_ADVERTISE}, 1);
        return;
    }
    mBluetoothLeAdvertiser.startAdvertising(settingsBuilder.build(), dataBuilder.build(), new AdvertiseCallback() {
        @Override
        public void onStartSuccess(AdvertiseSettings settingsInEffect) {
            super.onStartSuccess(settingsInEffect);
        }
        @Override
        public void onStartFailure(int errorCode) {
            // errorCode is ignored here, so a failed start is silent.
            super.onStartFailure(errorCode);
        }
    });
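
The byte layout behind the fix in this thread, as an added example that is not code from either participant: it models the Manufacturer Specific Data AD structure on a plain JVM (no Android APIs) to show why the company ID 0x0183 is passed as the integer 387 and why the leading 83 01 must not also sit in the payload. The class and method names are hypothetical, and it assumes the advertiser writes the 16-bit company ID little-endian ahead of the payload, which is what the working result above indicates.

```java
import java.util.Arrays;

// Added example, not from the thread. All names here are hypothetical.
public class ManufacturerDataCheck {
    static final int AD_TYPE_MANUFACTURER = 0xFF; // AD type: Manufacturer Specific Data

    static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Company ID from the first two bytes, which are little-endian on the wire.
    static int companyId(byte[] wire) {
        if (wire.length < 2) throw new IllegalArgumentException("too short");
        return (wire[0] & 0xFF) | ((wire[1] & 0xFF) << 8);
    }

    // AD structure as a sniffer shows it: length, type, company ID (LE), payload.
    static byte[] adStructure(int companyId, byte[] payload) {
        byte[] ad = new byte[4 + payload.length];
        ad[0] = (byte) (3 + payload.length); // length counts type + ID + payload
        ad[1] = (byte) AD_TYPE_MANUFACTURER;
        ad[2] = (byte) (companyId & 0xFF);
        ad[3] = (byte) ((companyId >> 8) & 0xFF);
        System.arraycopy(payload, 0, ad, 4, payload.length);
        return ad;
    }

    public static void main(String[] args) {
        // String from the first attempt in the thread: company ID bytes included.
        byte[] wire = hexToBytes("8301e100e90800f40ffca1b1a4b1");
        int id = companyId(wire);                                  // decode of 83 01
        byte[] payload = Arrays.copyOfRange(wire, 2, wire.length); // drop 83 01
        System.out.println("manufacturerId = " + id);
        System.out.println("correct: " + toHex(adStructure(id, payload)));
        // The first attempt: ID 224 plus the un-stripped bytes.
        System.out.println("attempt: " + toHex(adStructure(224, wire)));
    }
}
```

The "correct" line is the AD structure to compare against a sniffer capture when confirming that the company ID decodes as Walt Disney.
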
ilker-aktuna commented 1 month ago

Thanks again. Do you have any progress on direct messages (GATT/ATT)?

jjdb210 commented 1 month ago

Not yet.
