Home - notpike/ChemionHacking GitHub Wiki

Hacking CHEMION LED Glasses

This document describes the CHEMION Bluetooth LED Glasses from a hacker's perspective, mostly focusing on the Bluetooth packet format for interoperability purposes. All information here is the result of experimentation and reverse engineering.

Hardware

The glasses have 9 rows of 24 LEDs.

The processor used on the glasses is likely a Nordic nRF51 series SoC which contains a 32-bit ARM Cortex-M0 core. This was identified by the fact that the app supports updating the firmware via Bluetooth, and contains Nordic's DFU library.

Firmware

The APK file for the app contains four firmware images for the device, in Intel HEX format:

  • WaGL_C2_0.1.13_20150403.hex
  • WaGL_nRF_C2_1.0.0_20150406.hex
  • WaGL_nRF_C2_1.0.1_20150904.hex
  • WaGL_nRF_C2_1.0.1_20150915.hex

These can be converted to a binary format via a tool such as hex2bin and then analysed with IDA. When loading the binary file into IDA, I set the ROM base and load address to 0x14000 and the processor to ARM (Little-Endian). I also set the base architecture to ARMv6-M and the instruction type to Thumb-2, to match the Cortex-M0.

This results in a sensible analysis with the interrupt vector table at the start and initial EIP set to ROM:140C0.

ROM:00014000                 DCD 0x20003FD8
ROM:00014004                 DCD 0x141DD
ROM:00014008                 DCD 0x141EF
ROM:0001400C                 DCD 0x141F1
ROM:00014010                 DCD 0
ROM:00014014                 DCD 0
ROM:00014018                 DCD 0
ROM:0001401C                 DCD 0
ROM:00014020                 DCD 0
ROM:00014024                 DCD 0
ROM:00014028                 DCD 0
ROM:0001402C                 DCD 0x141F3
ROM:00014030                 DCD 0
ROM:00014034                 DCD 0
ROM:00014038                 DCD 0x141F5
ROM:0001403C                 DCD 0x141F7
ROM:00014040                 DCD 0x141F9
ROM:00014044                 DCD 0x141F9
ROM:00014048                 DCD 0x199C9
ROM:0001404C                 DCD 0x141F9
ROM:00014050                 DCD 0x141F9
ROM:00014054                 DCD 0
ROM:00014058                 DCD 0x193B1
ROM:0001405C                 DCD 0x15057
ROM:00014060                 DCD 0x141F9
ROM:00014064                 DCD 0x141F9
ROM:00014068                 DCD 0x141F9
ROM:0001406C                 DCD 0x141F9
ROM:00014070                 DCD 0x141F9
ROM:00014074                 DCD 0x141F9
ROM:00014078                 DCD 0x141F9
ROM:0001407C                 DCD 0x141F9
ROM:00014080                 DCD 0x141F9
ROM:00014084                 DCD 0x18B1D
ROM:00014088                 DCD 0x141F9
ROM:0001408C                 DCD 0x141F9
ROM:00014090                 DCD 0x18B3F
ROM:00014094                 DCD 0x141F9
ROM:00014098                 DCD 0x192AD
ROM:0001409C                 DCD 0x141F9
ROM:000140A0                 DCD 0x141F9
ROM:000140A4                 DCD 0x141F9
ROM:000140A8                 DCD 0
ROM:000140AC                 DCD 0
ROM:000140B0                 DCD 0
ROM:000140B4                 DCD 0
ROM:000140B8                 DCD 0
ROM:000140BC                 DCD 0
ROM:000140C0 ; ---------------------------------------------------------------------------
ROM:000140C0                 CODE16
ROM:000140C0
ROM:000140C0 loc_140C0                               ; CODE XREF: ROM:000141ECj
ROM:000140C0                                         ; DATA XREF: ROM:000141EAo ...
ROM:000140C0                 BL      EntryPoint
ROM:000140C4 ; ---------------------------------------------------------------------------
ROM:000140C4                 CODE32
ROM:000140C4                 BL      loc_14146
ROM:000140C8 ; ---------------------------------------------------------------------------
ROM:000140C8                 CODE16
ROM:000140C8
ROM:000140C8 EntryPoint                              ; CODE XREF: ROM:loc_140C0j
ROM:000140C8                 ADR     R0, loc_140FC
ROM:000140CA                 LDMIA   R0!, {R4,R5}
ROM:000140CC                 SUBS    R0, #8
ROM:000140CE                 ADDS    R4, R4, R0
ROM:000140D0                 ADDS    R5, R5, R0
ROM:000140D2                 MOV     R10, R4
ROM:000140D4                 SUBS    R7, R4, #1
ROM:000140D6                 MOV     R11, R5
ROM:000140D8                 MOV     R4, R10
ROM:000140DA                 MOV     R5, R11
ROM:000140DC                 CMP     R4, R5
ROM:000140DE                 BNE     loc_140E4
ROM:000140E0                 BL      loc_14146
ROM:000140E4 ; ---------------------------------------------------------------------------
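The HEX-to-binary step and the vector-table check described above, as an added example that is not code from the ChemionHacking project or the CHEMION firmware. The Intel HEX input is constructed here; its two vector words copy the first entries of the listing (initial stack pointer 0x20003FD8 at ROM:00014000, reset handler 0x141DD at ROM:00014004). The point a reverser wants confirmed is that the image really starts at the load address chosen (0x14000) and that the reset vector has its Thumb bit set, which is what makes the ARMv6-M/Thumb-2 setting in IDA produce a sensible disassembly.

```python
"""Intel HEX to binary conversion and Cortex-M vector-table inspection.

Added example for this wiki page, not code from the ChemionHacking project
or the CHEMION firmware. The HEX input below is constructed here; its two
vector words copy the first entries of the IDA listing above (initial stack
pointer 0x20003FD8 at ROM:00014000, reset handler 0x141DD at ROM:00014004).
"""
import struct


def hex_record(addr, rtype, data):
    """Build one Intel HEX record ':LLAAAATT<data>CC' with a valid checksum."""
    body = bytes([len(data), (addr >> 8) & 0xFF, addr & 0xFF, rtype]) + data
    checksum = (-sum(body)) & 0xFF          # two's complement of the byte sum
    return ":" + (body + bytes([checksum])).hex().upper()


def parse_intel_hex(text):
    """Parse Intel HEX text into a sparse {absolute_address: byte} map.

    Handles data (00), end-of-file (01) and extended linear address (04)
    records; any other type is rejected rather than silently skipped.
    """
    memory = {}
    upper = 0                               # bits 16..31 from the last 04 record
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"bad record start: {line!r}")
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:                 # all bytes incl. checksum sum to 0
            raise ValueError(f"checksum mismatch: {line!r}")
        length, addr, rtype = raw[0], (raw[1] << 8) | raw[2], raw[3]
        data = raw[4:4 + length]
        if len(data) != length:
            raise ValueError(f"length mismatch: {line!r}")
        if rtype == 0x00:
            for i, b in enumerate(data):
                memory[upper + addr + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x04:
            upper = struct.unpack(">H", data)[0] << 16
        else:
            raise ValueError(f"unsupported record type {rtype:#04x}")
    return memory


def to_binary(memory, fill=0xFF):
    """Flatten the map into (load_address, bytes), padding gaps like hex2bin."""
    base, top = min(memory), max(memory)
    return base, bytes(memory.get(a, fill) for a in range(base, top + 1))


def read_vector_table(blob):
    """Return (initial_sp, reset_handler, is_thumb) for a Cortex-M image.

    Word 0 is the initial stack pointer, word 1 the reset handler. On a
    Cortex-M0 every handler address has bit 0 set (Thumb state), so a clear
    bit 0 is a quick sign that the load address or file offset is wrong.
    """
    sp, reset = struct.unpack_from("<II", blob, 0)
    return sp, reset, bool(reset & 1)


# Constructed sample image: a 04 record selecting the 0x0001xxxx region,
# then eight bytes at 0x14000 holding the two vector words from the listing.
SAMPLE_HEX = "\n".join([
    hex_record(0x0000, 0x04, b"\x00\x01"),
    hex_record(0x4000, 0x00, struct.pack("<II", 0x20003FD8, 0x000141DD)),
    hex_record(0x0000, 0x01, b""),
])


def analyse(text=SAMPLE_HEX):
    """Convert HEX text to binary and summarise its vector table."""
    base, blob = to_binary(parse_intel_hex(text))
    sp, reset, thumb = read_vector_table(blob)
    return {"base": base, "size": len(blob), "sp": sp, "reset": reset, "thumb": thumb}


if __name__ == "__main__":
    r = analyse()
    print(f"load address {r['base']:#x}, image size {r['size']} bytes")
    print(f"initial SP {r['sp']:#x}, reset handler {r['reset']:#x}, Thumb={r['thumb']}")
```

Running `analyse()` on one of the real `.hex` files (pass its text instead of the constructed sample) reports the lowest address in the file, which is the ROM base to give IDA; the initial SP should fall inside the nRF51's RAM at 0x20000000 and the reset handler should be odd, as 0x141DD is.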

Frame format

The code specifies that the LED state array length is 216 elements (9 × 24), and that the frame size (for Bluetooth packets) is 54 bytes. Since (54 × 8) ÷ (9 × 24) = 2, the frame format is probably 2 bits per pixel. At the moment I am unsure which bits are in use, and what the different states mean. This will be explored further at a later date.
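A frame packer and unpacker built on the sizes above, as an added example that is not part of the wiki. The 9 × 24 grid and the 54-byte frame come from the page; the bit order (row-major, four pixels per byte, first pixel in the two most significant bits) is an assumption for illustration only, since the page has not yet determined which bits are in use. The `split_frames` helper applies the same 54-byte size to the array-of-frames layout that slot data is described as using.

```python
"""Pack and unpack a CHEMION-style LED frame at 2 bits per pixel.

Added example, not code from the ChemionHacking wiki. The page establishes
9 x 24 pixels and a 54-byte frame; the bit order used here (row-major,
four pixels per byte, first pixel in the two most significant bits) is an
assumption for illustration, since the wiki has not yet determined it.
"""
ROWS, COLS = 9, 24
BITS_PER_PIXEL = 2
PIXELS_PER_BYTE = 8 // BITS_PER_PIXEL        # 4
FRAME_SIZE = ROWS * COLS // PIXELS_PER_BYTE  # 54 bytes, matching the firmware
PIXEL_MASK = (1 << BITS_PER_PIXEL) - 1       # 0b11


def _shift(index):
    """Bit position of pixel `index` inside its byte (assumed MSB-first)."""
    return 8 - BITS_PER_PIXEL * (index % PIXELS_PER_BYTE + 1)


def pack_frame(grid):
    """Pack a ROWS x COLS grid of 2-bit pixel values into FRAME_SIZE bytes."""
    if len(grid) != ROWS or any(len(row) != COLS for row in grid):
        raise ValueError(f"grid must be {ROWS} rows of {COLS} pixels")
    frame = bytearray(FRAME_SIZE)
    for y, row in enumerate(grid):
        for x, value in enumerate(row):
            if not 0 <= value <= PIXEL_MASK:
                raise ValueError(f"pixel ({y},{x}) = {value} does not fit in 2 bits")
            index = y * COLS + x
            frame[index // PIXELS_PER_BYTE] |= value << _shift(index)
    return bytes(frame)


def unpack_frame(frame):
    """Inverse of pack_frame; rejects frames that are not exactly 54 bytes."""
    if len(frame) != FRAME_SIZE:
        raise ValueError(f"frame must be {FRAME_SIZE} bytes, got {len(frame)}")
    grid = [[0] * COLS for _ in range(ROWS)]
    for index in range(ROWS * COLS):
        value = (frame[index // PIXELS_PER_BYTE] >> _shift(index)) & PIXEL_MASK
        grid[index // COLS][index % COLS] = value
    return grid


def split_frames(blob):
    """Split a slot's frame array (frames stored back to back) into frames."""
    if len(blob) % FRAME_SIZE:
        raise ValueError(f"{len(blob)} bytes is not a whole number of frames")
    return [blob[i:i + FRAME_SIZE] for i in range(0, len(blob), FRAME_SIZE)]


def diagonal_grid(on=PIXEL_MASK):
    """Constructed test pattern: pixel (y, y) lit in each of the 9 rows."""
    return [[on if x == y else 0 for x in range(COLS)] for y in range(ROWS)]


if __name__ == "__main__":
    frame = pack_frame(diagonal_grid())
    print(f"{len(frame)} bytes:", frame.hex())
    assert unpack_frame(frame) == diagonal_grid()
```

Because the bit assignment is a guess, the useful experiment is to send a frame with a single lit pixel, observe which LED responds and at what brightness, and adjust `_shift` (and the meaning of the four 2-bit values) until the packer matches the hardware.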

Command Types

The following command types have been found:

  • REQUEST (b, 0x01)
  • REPLY (c, 0x02)
  • STREAM (d, 0x03)
  • NOTIFY (e, 0x04)
  • ERROR (f, 0x05)
  • IDENTIFY (g, 0x06)

The letters shown are used as enumeration identifiers in the Java bytecode. The numbers are the literal values (bytes).

Message Types

These values are thought to be used with various commands above, or may be replies from various commands/events.

  • STATUS (0x01)
  • POWER_OFF (0x02)
  • BATTERY_LEVEL (0x03)
  • FRAME_DATA_TRANSMISSION_END (0x04)
  • FRAME_DATA_TRANSMISSION (0x05)
  • GET_DEVICE_IDENTIFIER (0x06)
  • FIRMWARE_VERSION (0x07)
  • HEARTBEAT (0x08)
  • SET_DEVICE_IDENTIFIER (0x09)
  • FRAMES_DATA_TRANSMISSION_START (0x0A)
  • FRAMES_DATA_TRANSMISSION_END (0x0B)
  • FRAMES_DATA_TRANSMISSION (0x0C)
  • FRAMES_DATA_RECEIVING_FROM_SLOT_START (0x0D)
  • PLAY_FRAMESDATA_ON_SLOT (0x0E)
  • DELETE_SLOT_DATA (0x0F)
  • FREE_SLOT_SPACE (0x10)
  • START_DFU (0x11)
  • UNKNOWN_MODULE_ID (0x12)

Device slots

The glasses have a number of "device slots" to which data can be saved. Data is in the format of an array of frames, each frame describing the LED state.