So I have read through at least 50 threads and 10 PDFs to get this far. I also realized that I had to do everything on a 32bit machine since that is the only driver available for the Rant.
So here is a little background on what I have done so far. I rooted the Evo Shift easily since it came with the stock 2.2 and installed the newest clockwork and Cyanogen Mod 7 R2. I also updated to the latest radio (found it here in a thread and it came with an updated WiMax and touchscreen).
I managed to successfully transfer the ESN/MEID. I tried searching and realized it was futile when a new radio that no one knew the locations were. FINALLY, I found someone who mentioned a method using EFS and got it to work. After the code 16 error, reactivating on Boost Mobile, my phone now accepts calls and messages no problem; however, 3G is another story.
So some questions:
1. I noticed that my home address is not 0.0.0.0 like most of the guides out there but actually 0.0.0.1 for both profile 1 and 0. Is that okay?
2. My SPI for both profile 1 and 0 were blank and NOT 4D2. Is that okay?
3. My "Rev tunnel preferred" for both profile 1 and 0 were not checked. Is that okay?
4. Should the password for profile 0 and 1 (both HA and AAA) be the same or different? Something I thought I should ask.
Right now, I am going to find a Rom that comes with sense since it has been a pain to use the terminal in order to turn diag on in CM7. Also I am going to try rewriting the 465 and 466 files to the Evo again (I had a rant so 1192 and 1194 were useless essentially BUT I did transfer them over).
Thanks for all the views and help,
Alan
Have you tried THIS thread.
This guy apparently helps people switch their phones over too. I haven't done it myself but worth a look:
https://www.facebook.com/groups/294474680575872/
So it seems that my new issue is that my HA and AAA passwords for both profiles refuse to save in QPST.
I downloaded the 465 and 466. 1192 and 1194 refused to write (I have a Rant but not sure if that makes a difference)
I also loaded a sense rom so I could get access to the regular commands.
Is there something I am missing? I entered the MPL password and then enter all the information in the MIP tab and set profile to 0. I click write and get this error
nv_ue_imei_i nv_read only's error
and when I go back to reading the phone when it reboots, nothing has changed.
alansupra94 said:
So it seems that my new issue is that my HA and AAA passwords for both profiles refuse to save in QPST.
I downloaded the 465 and 466. 1192 and 1194 refused to write (I have a Rant but not sure if that makes a difference)
I also loaded a sense rom so I could get access to the regular commands.
Is there something I am missing? I entered the MPL password and then enter all the information in the MIP tab and set profile to 0. I click write and get this error
nv_ue_imei_i nv_read only's error
and when I go back to reading the phone when it reboots, nothing has changed.
Just to let everyone know, I finally got the phone to work. 3G is REALLY slow but works. So does the phone and messages.
I actually got it to work using DFS 3.3.0.7 which can be found with searching (cough 4shared cough).
I pretty much swapped the ESN, flashed a completely stock 2.2 rom and then did a reset (##rsn#). After that it started working. Granted, I changed all the settings in DFS 3.3.0.7 before.
Hey alansupra94, can you give me a little bit more help on what to do with DFS? If you could PM me that would be great! I have been trying to get this for a day or so, no luck! Thanks
Sent from my PG06100 using XDA
jerebediah said:
Hey alansupra94, can you give me a little bit more help on what to do with DFS? If you could PM me that would be great! I have been trying to get this for a day or so, no luck! Thanks
Sent from my PG06100 using XDA
Sent you a pm.
Just to let everyone know, I figured out the problem. The Rant was never provisioned to get 3G and refused to on Boost Mobile. Got an Incognito and problem solved.
alansupra94 can you write a guide on this please?
Hello all, this is my first post here!
In this article I will explain my method of hacking the Square G-Shocks that make use of a Bluetooth module (I have a GW-B5600, but it should theoretically work on the GMW-B5000 too) with the goal to create our own Android app that will allow to get info and set the watch via BLE (Bluetooth Low Energy) commands/requests.
The tools I am using are: (sorry no link I am too new)
nRF Connect for Android by Nordic Semiconductor from the Play Store
Wireshark desktop (Windows/Mac) from the official website
The official "G-Shock Connected" Android app from the Play Store
And adb that can be found in the Android platform tools (by default in "C:\Users\usrname\AppData\Local\Android\Sdk\platform-tools")
Your phone does not need to be rooted but needs the Developer options enabled.
1 Discover the services offered by the G-Shock
I am using nRF Connect installed from the Play Store to scan for BT devices.
Long-press the (C) (bottom left) button on the B5600 to enable BT on the watch.
Hit Scan in nRF and search for "CASIO GW-B5600" and tap it to show the following details:
Code:
Device BT Name: CASIO GW-B5600
Device BT Address: [B]EB:1C:FF:90:C2:34[/B]
Offered services:
0x1801 Generic Attribute
0x1800 Generic Access
    0x2A00 (R) Device Name
    0x2A01 (R) Appearance
0x1804 Tx Power
    0x2A07 (R) Tx Power Level
0x26EB00 0D Unknown Service
    (UUID 0x2902 for all)
    [B]0x26EB002C (W*) Custom Service #2C[/B]
    [B]0x26EB002D (NW) Custom Service #2D[/B]
    0x26EB0023 (NW) Custom Service #23
    0x26EB0024 (NW*) Custom Service #24
(R) is read only (W) write (W*) write no response (N) notify.
The important information has been set in bold: the BT address that we will use to analyze the packets, and the 2 services that I called #2C and #2D that are used by the official G-Shock app to get and set info from/to the watch.
2 Enable Bluetooth traces on the phone
After that, open the phone Developer options > Enable Bluetooth HCI snoop log.
Or use the USB debugging mode, plug the phone to the computer and type the following command in a prompt:
Code:
adb shell settings put secure bluetooth_hci_log 1
To know where the BT traces will be stored, type the following command:
Code:
adb shell cat /etc/bluetooth/bt_stack.conf
and look at the line starting with 'BtSnoopFileName=' to locate the BT log files.
3 Capture BT activity and save the logs on computer
Install and run the "G-Shock Connected" app on your phone from the Play Store.
Do manipulations between the watch and the app, take note of the time you make them.
Then plug the phone and type:
Code:
adb pull /data/log/bt/btsnoop_hci*.log
Note: the place and name of the logs are for my Huawei Mate 10. You will need to adapt the path with the one you got at step 2.
4 Analyze the BT traces in Wireshark
Open Wireshark and drag and drop one of the "btsnoop_hci*.log" files pulled to the computer onto the program.
Add a filter on the G-Shock BT address we got from nRF Connect at step 1:
Code:
bluetooth.addr==EB:1C:FF:90:C2:34
And hit enter to see the BLE activity on the watch.
Now the fun (or the boring part, it depends) begins... Understanding the BT requests/answers (get info) and BT commands (set info)!
In Wireshark, the important information for each BT frame is contained in the fields
Bluetooth Attribute Protocol > Handle > UUID
and in Bluetooth Attribute Protocol > Value
The very first -easiest- command I was able to identify is the one to Get and Set the Home City and the 5 World Time (WT) Cities.
When you analyse the BT packets, you can see the name of the cities written in all letters in the Value field:
Code:
0000 1f 01 48 4f ..HO
0010 4e 47 20 4b 4f 4e 47 00 00 00 00 00 00 00 00 00 NG KONG.........
We can observe that to GET the Home City, we send a Write command with the value 1F00 to the service 0x26EB002C (aka Custom Service #2C). In return, we will receive a notification through the service 0x26EB002D (aka Custom Service #2D) containing an echo of the Command ID (1F00) followed by the name of the Home City in upper-case (e.g. "PARIS").
To SET the Home City is just as easy: we send a Write request to the service 0x26EB002D (Custom Service #2D) with the value 1F00 followed by the name of the new Home City on 18 Bytes (e.g. "PARIS"), tailed with 0x00.
GETting and SETting the 5 World Time Cities is very similar: you only need to use the Command IDs 1F01 to 1F05...
The next command I reverse engineered is the one to set the date and time.
I started to search for the hexadecimal value "07 E4" in the traces (2020 in decimal = the current year). The search returned zero results... If finding a WORD (value encoded on 2 bytes) in big endian* fails, you gotta try searching it in little endian*, so I did another search for "E4 07" this time, and bingo! It appears in a SET command starting with the ID 0x09.
* search Wikipedia for "Endianness"
The full structure of the binary value is:
Code:
([B]09[/B]) YYYY MM DD HH mm ss ?? ?? 01
(?? ?? is the milliseconds in big endian(?))
[B]Mon.13-JAN (15:54:10) traces[/B]
([B]09[/B]) E4 07 01 0D 0F 36 0B 01 F2 01 --> 2020-01-13 15:54:11 (,498?)
[B]Wed.15-JAN (15:29:27) traces[/B]
([B]09[/B]) E4 07 01 0F 0F 1D 1E 03 44 01 --> 2020-01-15 15:29:30 (,836?)
You can notice there's a difference in the trace timestamp and the time sent, respectively 1 second and 3 seconds. That is quite normal: I disabled the time synchronization in the watch settings, so the watch time can deviate from the atomic time by a few seconds (the user guide states a tolerance of +/- 15s per month average).
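The two value layouts described in the post above, as an added Python example that is not part of the original post or of any app mentioned in this thread. The function names are hypothetical; the sample bytes are copied from this thread, and the "?? ??" bytes are kept raw next to the post's tentative millisecond reading.

```python
from datetime import datetime

CITY_CMD, TIME_CMD = 0x1F, 0x09   # command IDs given in the post
CITY_NAME_LEN = 18                # name field size stated in the post

# Values copied from this thread (not new captures).
CITY_SAMPLE = bytes.fromhex("1f 01 48 4f 4e 47 20 4b 4f 4e 47" + " 00" * 9)
TIME_SAMPLES = [
    bytes.fromhex("09 E4 07 01 0D 0F 36 0B 01 F2 01"),  # Mon 13-JAN trace
    bytes.fromhex("09 E4 07 01 0F 0F 1D 1E 03 44 01"),  # Wed 15-JAN trace
    bytes.fromhex("09 E6 07 03 19 0B 29 07 05 4F 01"),  # value from a later reply
]


def decode_city(value: bytes) -> dict:
    """Split a 1Fxx value into slot (0 = home, 1..5 = world time) and name."""
    if len(value) != 2 + CITY_NAME_LEN or value[0] != CITY_CMD or value[1] > 5:
        raise ValueError("not a 20-byte 1F00..1F05 city value")
    name = value[2:].split(b"\x00", 1)[0].decode("ascii")
    return {"slot": value[1], "city": name}


def encode_city(slot: int, city: str) -> bytes:
    """Build the value the post describes: ID, slot, upper-case name, 0x00 pad."""
    raw = city.upper().encode("ascii")
    if not 0 <= slot <= 5 or not 0 < len(raw) <= CITY_NAME_LEN:
        raise ValueError("slot must be 0..5 and name 1..18 ASCII bytes")
    return bytes([CITY_CMD, slot]) + raw.ljust(CITY_NAME_LEN, b"\x00")


def decode_time(value: bytes) -> dict:
    """Decode (09) YYYY MM DD HH mm ss ?? ?? 01; the year is little endian."""
    if len(value) != 11 or value[0] != TIME_CMD:
        raise ValueError("not an 11-byte 0x09 time value")
    year = int.from_bytes(value[1:3], "little")
    month, day, hour, minute, second = value[3:8]
    when = datetime(year, month, day, hour, minute, second)  # rejects bad fields
    unknown = value[8:10]
    return {
        "when": when.isoformat(),
        "unknown": unknown.hex(),
        # Post's tentative reading of "?? ??": milliseconds, big endian.
        "ms_guess": int.from_bytes(unknown, "big"),
        # For comparison with the first unknown byte; not a claim from the post.
        "iso_weekday": when.isoweekday(),
        "last": value[10],
    }


if __name__ == "__main__":
    print(decode_city(CITY_SAMPLE))
    for sample in TIME_SAMPLES:
        print(decode_time(sample))
```

On these three samples `ms_guess` comes out as 498, 836 and 1359, and the first unknown byte equals the ISO weekday of the decoded date each time.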
Hey, did you ever manage to get any further with this @mougino ? I've also got one of these watches, and have been playing around with the BLE connection to it. I've managed to successfully set the alarm times and on/off state – but so far haven't had any luck with setting the actual time. I tried writing with the op-code you suggested of 0x09, but it doesn't seem to actually do anything for me.
Up, it's interesting.
Hope somebody can help me. I'm having trouble getting/setting time on my Casio GW-B5600BC-2BJF. I can get and Set most other things like alarms, home city, etc using the #2D command (Characteristic: 26eb002d-b012-49a8-b1f8-394fb2032b0f), but when I try to set the time, it has no effect. The command does not complain, but does not change the time. Should I be using a different characteristic? Here are supported BLE services on my watch:
[CD:85:24:01:62:17][LE]> connect
Attempting to connect to CD:85:24:01:62:17
Connection successful
[CD:85:24:01:62:17][LE]> characteristics
handle: 0x0003, char properties: 0x02, char value handle: 0x0004, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x0005, char properties: 0x02, char value handle: 0x0006, uuid: 00002a01-0000-1000-8000-00805f9b34fb
handle: 0x0008, char properties: 0x02, char value handle: 0x0009, uuid: 00002a07-0000-1000-8000-00805f9b34fb
handle: 0x000b, char properties: 0x04, char value handle: 0x000c, uuid: 26eb002c-b012-49a8-b1f8-394fb2032b0f
handle: 0x000d, char properties: 0x18, char value handle: 0x000e, uuid: 26eb002d-b012-49a8-b1f8-394fb2032b0f
handle: 0x0010, char properties: 0x18, char value handle: 0x0011, uuid: 26eb0023-b012-49a8-b1f8-394fb2032b0f
handle: 0x0013, char properties: 0x14, char value handle: 0x0014, uuid: 26eb0024-b012-49a8-b1f8-394fb2032b0f
[CD:85:24:01:62:17][LE]>
Here is the command I'm sending:
Wrote to characteristic 26eb002d-b012-49a8-b1f8-394fb2032b0f | value: 0x09 E6 07 03 19 0B 29 07 05 4F 01
Thanks in advance.
seanlano said:
Hey, did you ever manage to get any further with this @mougino ? I've also got one of these watches, and have been playing around with the BLE connection to it. I've managed to successfully set the alarm times and on/off state – but so far haven't had any luck with setting the actual time. I tried writing with the op-code you suggested of 0x09, but it doesn't seem to actually do anything for me.
Same here. Did you resolve this? See my message above. Thanks.
izivkov said:
Same here. Did you resolve this? See my message above. Thanks.
Nah I kind of dropped it, and haven't picked it up again for quite a while. I'd love to get it working though!
seanlano said:
Nah I kind of dropped it, and haven't picked it up again for quite a while. I'd love to get it working though!
OK, I will let you know if I figure it out.
Just curious, are you writing an Android app for the watch?
izivkov said:
OK, I will let you know if I figure it out.
Just curious, are you writing an Android app for the watch?
I was planning on having something running on a Raspberry Pi Zero W – I can program, but I've never made an Android app. My plan was to do something in Python, ideally having the Pi Zero running somewhere in my bedroom so that the Casio watch can do the time synchronisation at night. If I can get that working I'd also thought about setting some alarms and reminders for the day ahead, like maybe connect it to a calendar and put any important events into the reminders function of the watch, things that the existing Casio app can't do. An Android app would be a better way of doing this, but I figured I'd get it working in Python first since it's faster for me.
Ok, thanks for the info.
I more or less figured out how to set the time. It involves setting the DST for all world locations first. I guess it makes sense, since the Casio will update the time for all locations. I still don't understand some things so I will need to figure it out first, and I can share if you are interested.
I am working on an open source Android app to integrate the Casio watch with Google services on Android, such as Calendar and Alarm Clock. It will not replace the official app. I have been working on this app for about a month now, and got the alarms and now the time setting working. I think the calendar integration will be the most challenging, since I don't know what the data means to Casio.
Currently the github is private, because it is WIP, but I will make it public when it is ready.
That would be very cool! I'll be happy to do some beta testing if you end up getting to that stage. Good luck!
@seanlano I have the basic app running, except for the reminders. If you like to try it, here is the github:
GitHub - izivkov/CasioGShockSmartSync
Contribute to izivkov/CasioGShockSmartSync development by creating an account on GitHub.
github.com
It is private, so not sure if you can access it, so let me know.
If you don't want to bother building the APK, I have put it on my Google drive:
I'm curious to see if for you the local time works properly, and the battery level is correct. Where are you located?
Of course, use at your own risk. It might screw up some settings on your watch. In that case, you may have to reset it like this:
Ivo
izivkov said:
I'm curious to see if for you the local time works properly, and the battery level is correct. Where are you located?
Hey @izivkov, I tried it out and it seems to mostly work!
The time setting worked correctly (I made sure by manually setting the time to be very wrong, and your app brought it back to the correct time). The home time zone (Sydney) was correct too.
However, the battery level didn't work – the Casio app shows my watch at 100% but your app shows only maybe 20%.
The alarms worked well too, although I found that any time I set the alarms it turns off the hourly signal, and the app doesn't have a way to turn it back on (this isn't a big deal though, since it's only a couple of buttons to press on the watch).
Keep up the good work!
seanlano said:
Hey @izivkov, I tried it out and it seems to mostly work!
The time setting worked correctly (I made sure by manually setting the time to be very wrong, and your app brought it back to the correct time). The home time zone (Sydney) was correct too.
However, the battery level didn't work – the Casio app shows my watch at 100% but your app shows only maybe 20%.
The alarms worked well too, although I found that any time I set the alarms it turns off the hourly signal, and the app doesn't have a way to turn it back on (this isn't a big deal though, since it's only a couple of buttons to press on the watch).
Keep up the good work!
Hey, thanks for the feedback.
- I did not notice the hourly signal setting and will fix it. Possibly add a setting to the app to turn it on/off.
- For the battery level, I was not sure I was getting the right value, but for me seemed to be about right. Obviously, should look at other ways to set it.
- I'm working on Calendar events integration with Watch's reminders, and when I finish this and fix these issues you mentioned I will have another version and will let you know.
Cheers
izivkov said:
Hey, thanks for the feedback.
- I did not notice the hourly signal setting and will fix it. Possibly add a setting to the app to turn it on/off.
- For the battery level, I was not sure I was getting the right value, but for me seemed to be about right. Obviously, should look at other ways to set it.
- I'm working on Calendar events integration with Watch's reminders, and when I finish this and fix these issues you mentioned I will have another version and will let you know.
Cheers
Hey, thanks for starring my github. I moved the code to another repository: https://github.com/izivkov/CasioGShockPhoneSync, which is now public. Feel free to star the new one. ;-)
Basically, I added Google calendar event support, and fixed the issue with hourly chime getting reset. Still cannot figure out how the battery level is read. I get a value using command 0x28, but the value does not make sense. I get back something like 0x28 0x0f 0x17 0x00 for about 25% charged battery, and 0x28 0x13 0x19 0x00 for almost fully charged one. I think I will disable the battery icon until I can figure what is going on.
Anyway, adding some documentation now. Hope other people can contribute to this project and possibly support more watch models.
I'm a bit stuck. I'm trying to detect the difference between GW-B5600 long-press lower-left button and short-press lower-right button as far as connection to the Android device is concerned. The app on the phone should be able to tell the difference, because the official app acts differently when the right button is pressed, i.e. sets the current location. This does not happen for left-button connection. But the data sent to the phone from the watch is identical. If somebody has figured this out, please let me know.
For those who are interested in how to communicate with the Casio G-Shock 5600 BT watches, here is the latest github I created:
GitHub - izivkov/CasioGShockSmartSync
Contribute to izivkov/CasioGShockSmartSync development by creating an account on GitHub.
github.com
And you can get the android app on PlayStore:
Casio G-Shock Smart Sync - Apps on Google Play
Add Smart functions to your Casio G-Shock Bluetooth (B5600, B5000, B2100) watch.
play.google.com
Enjoy
I've been working on a very similar app but for a slightly different Casio model. I'm not very familiar with the BLE and getting to a point where I'd happily pay someone for investigating the communication.
Would anyone be willing to figure it out?
drunkenHiker said:
I've been working on a very similar app but for a slightly different Casio model. I'm not very familiar with the BLE and getting to a point where I'd happily pay someone for investigating the communication.
Would anyone be willing to figure it out?
Sure, I can take a look. You can contact me by email directly at [email protected], or better still you can post to the github repository:
izivkov/CasioGShockSmartSync · Discussions
Explore the GitHub Discussions forum for izivkov CasioGShockSmartSync. Discuss code, ask questions & collaborate with the developer community.
github.com