User Tools

Site Tools


elec:notes:wt_pulse

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

elec:notes:wt_pulse [2019/12/25 15:40] (current)
Line 1: Line 1:
 +# Withings Pulse
  
 +## Overview
 +
 +It's an activity tracker. I'm curious about this stuff theses days, so I thought I'd dive in and see... And of course, look closer =)
 +
 +## USB
 +
 +The USB port of the device is only here for charging. But plugging it would throw:
 +<​code>​
 +[27701.907508] usb 4-1: new full-speed USB device number 18 using uhci_hcd
 +[27702.023964] usb 4-1: device descriptor read/64, error -71
 +...
 +[27703.414113] usb 4-1: device not accepting address 20, error -71
 +...
 +[27703.934408] hub 4-0:1.0: unable to enumerate USB device on port 1
 +</​code>​
 +So I thought there would be some way to put the Pulse in some kind of real USB Mode:
 +To get there, hold the Pulse button before you plug it in. With some trials, it enumerates as an USB HID device
 +    [27723.342193] hid-generic 0003:​1FB2:​0004.0008:​ hiddev0,​hidraw4:​ USB HID v1.10 Device [ Withings ​  Pulse ] on usb-0000:​00:​1d.1-1/​input0
 +
 +### lsusb output
 +<​code>​
 +
 +Bus 004 Device 017: ID 1fb2:​0004  ​
 +Device Descriptor:
 +  bLength ​               18
 +  bDescriptorType ​        1
 +  bcdUSB ​              1.10
 +  bDeviceClass ​           0 (Defined at Interface level)
 +  bDeviceSubClass ​        ​0 ​
 +  bDeviceProtocol ​        ​0 ​
 +  bMaxPacketSize0 ​       64
 +  idVendor ​          ​0x1fb2 ​
 +  idProduct ​         0x0004 ​
 +  bcdDevice ​           0.02
 +  iManufacturer ​          1 (error)
 +  iProduct ​               2 (error)
 +  iSerial ​                ​0 ​
 +  bNumConfigurations ​     1
 +  Configuration Descriptor:
 +    bLength ​                9
 +    bDescriptorType ​        2
 +    wTotalLength ​          41
 +    bNumInterfaces ​         1
 +    bConfigurationValue ​    1
 +    iConfiguration ​         0 
 +    bmAttributes ​        0xc0
 +      Self Powered
 +    MaxPower ​             100mA
 +    Interface Descriptor:
 +      bLength ​                9
 +      bDescriptorType ​        4
 +      bInterfaceNumber ​       0
 +      bAlternateSetting ​      0
 +      bNumEndpoints ​          2
 +      bInterfaceClass ​        3 Human Interface Device
 +      bInterfaceSubClass ​     0 No Subclass
 +      bInterfaceProtocol ​     0 None
 +      iInterface ​             0 
 +        HID Device Descriptor:
 +          bLength ​                9
 +          bDescriptorType ​       33
 +          bcdHID ​              1.10
 +          bCountryCode ​           0 Not supported
 +          bNumDescriptors ​        1
 +          bDescriptorType ​       34 Report
 +          wDescriptorLength ​     57
 +         ​Report Descriptors: ​
 +           ** UNAVAILABLE **
 +      Endpoint Descriptor:
 +        bLength ​                7
 +        bDescriptorType ​        5
 +        bEndpointAddress ​    ​0x81 ​ EP 1 IN
 +        bmAttributes ​           3
 +          Transfer Type            Interrupt
 +          Synch Type               None
 +          Usage Type               Data
 +        wMaxPacketSize ​    ​0x003a ​ 1x 58 bytes
 +        bInterval ​              1
 +      Endpoint Descriptor:
 +        bLength ​                7
 +        bDescriptorType ​        5
 +        bEndpointAddress ​    ​0x02 ​ EP 2 OUT
 +        bmAttributes ​           3
 +          Transfer Type            Interrupt
 +          Synch Type               None
 +          Usage Type               Data
 +        wMaxPacketSize ​    ​0x003a ​ 1x 58 bytes
 +        bInterval ​              1
 +Device Status: ​    ​0xbd03
 +  Self Powered
 +  Remote Wakeup Enabled
 +</​code>​
 +
 +## Sync
 +### Overview
 +
 +The Android App syncs with the Pulse, and then to the account. It uses some kind of JSON API, with POST requests.
 +
 +The base URL for the synchronization server is `http://​scalews.withings.net/​`.
 +
 +There'​s also a call to `http://​maintws.withings.net/​` for the /​cgi-bin/​maint call.
 +
 +### /​cgi-bin/​once : Once
 +Query
 +    action=get&​appliver=_ANDRO_APPV_&​apppfm=android&​appname=wiscaleNG
 +
 +
 +* `_ANDRO_APPV_` is the Android App version. Current is: `161`
 +
 +Reply:
 +    {"​status":​0,"​body":​{"​once":"​_ONCEVAL_"​}}
 +
 +
 +* `_ONCEVAL_` is a server-generated value that's used to instanciate session (both User and Device)
 +
 +### /​cgi-bin/​session : Session handling
 +It looks like there are different actions handled by this URL.
 +#### User login
 +Query:
 +    action=new&​auth=_ACCOUNT_MAILADDR_&​hash=_ACCOUNT_HASH_ca&​duration=60&​appliver=_ANDRO_APPV_&​apppfm=android&​appname=wiscaleNG
 +
 +
 +* `_ACCOUNT_MAILADDR_` is the Mail address of the account, in plain text
 +* `_ACCOUNT_HASH_` looks like a MD5 hash, but isn't the account password. It's generated with `md5(_ACCOUNT_MAILADDR_:​md5(_ACCOUNT_PASSWORD_):​_ONCEVAL_)` ​
 +  * `_ACCOUNT_PASSWORD_` is the plain-text password of the account
 +
 +
 +Reply: ​
 +    {"​status":​0,"​body":​{"​sessionid":"​_SESSION_ID_","​account":​[{"​id":​_ACCOUNT_ID_,"​debug":​0}]}}
 +
 +
 +* `_SESSION_ID_` is a server-generated ID: `xxxx-xxxxxxxx-xxxxxxxx`
 +* `_ACCOUNT_ID_` must be the real account ID (not sure though...)
 +
 +#### Pulse login
 +Query:
 +    action=new&​auth=_PULSE_MACADDR_&​hash=_PULSE_HASH_&​currentfw=_PULSE_FWV_&​mfgid=_MFGID_&​batterylvl=_PULSE_BATLVL_&​appliver=_ANDRO_APPV_&​apppfm=android&​appname=wiscaleNG
 +
 +
 +* `_PULSE_MACADDR_` is the Bluetooth MAC Address of the Pulse device: `xx:​xx:​xx:​xx:​xx:​xx`
 +* `_PULSE_HASH_` looks like a MD5 hash.
 +  * It's generated with `md5(_PULSE_MACADDR_:​_PULSE_SECRET_:​_ONCEVAL_)`
 +  * `_PULSE_SECRET_` is a 16-chars hexstring: `NNxxxNNNNxNxNNNN`
 +I don't know it's generated, but it can be extracted from the Android log (with logcat, search for `-- withings *` )
 +* `_PULSE_FWV_` is the Firmware version. Current is `971`.
 +* `_MFGID_` is a numeric ID: `XX32XX`.
 +* `_PULSE_BATLVL_` is the battery percentage: `0` to `100`
 +
 +Reply: ​
 +    {"​status":​0,"​body":​{"​sessionid":"​_PULSE_SESSID","​sp":​{"​users":​[]},"​ind":​{"​lg":"​fr_FR","​imt":​1,"​stp":"​1","​f":​0,"​g":​98071},"​syp":​{"​utc":​_DATEA_},"​ctp":​{"​goff":​3600,"​dst":​_DATEB_,"​ngoff":​7200}}}
 +
 +* `_PULSE_SESSID_` is a server-generated ID: `xxxx-xxxxxxxx-xxxxxxxx`
 +* `_DATEA_` is a Unix timestamp. Ex: `1391328539`
 +* `_DATEB_` is a Unix timestamp. Ex: `1396141200`
 +
 +#### Session destroy
 +Query:
 +    action=delete&​sessionid=_SESSION_ID_`&​appliver=`_ANDRO_APPV_`&​apppfm=android&​appname=wiscaleNG
 +
 +
 +* `_SESSION_ID_` is the server-generated ID of the session to be destroyed: `xxxx-xxxxxxxx-xxxxxxxx`
 +
 +Reply: ​
 +    {"​status":​0}
 +
 +
 +### Not detailed yet
 +    /​cgi-bin/​account
 +
 +    /​cgi-bin/​association
 +
 +    /​cgi-bin/​device
 +
 +    /​cgi-bin/​measure
 +
 +    /​cgi-bin/​bodymedia
 +
 +    /​cgi-bin/​zeo
 +
 +    /​cgi-bin/​push
 +
 +    /​cgi-bin/​runkeeper
 +
 +    /​cgi-bin/​v2/​link
 +
 +    /​cgi-bin/​v2/​measure
 +
 +    /​cgi-bin/​v2/​activity
 +
 +    /​cgi-bin/​v2/​firmware \\
 +    firmware?​action=getupdate&​sessionid=_SESSION_ID_&​currentfw=1&​appliver=_ANDRO_APPV_&​apppfm=android&​appname=wiscaleNG
 +    {"​status":​0,"​body":​{"​url":"​http:​\/​\/​fw.withings.net\/​wam01_971.bin"​}}
 +
 +    /​cgi-bin/​user
 +
 +    /​cgi-bin/​maint
 +
 +## Random notes
 +
 +The Pulse has an OLED screen, a USB port, an onboard button and, of course, bluetooth
 +
 +* Freescale Kinetis MK20DX256 - FCC photo is bad quality...K23ZJ2SD74
 +* USB Mode, CDC Shell
 +* Serial Debug
 +* Hack firmware
 +* AC20B co-processor maybe
 +* SPI flash
 +* I2C bus
 +* DbLib
 +* 1234
 +* DHD_RTOS
 +* ADXL 202/345
 +* CC2564
 +*
 +
 +http://​www.droid-developers.org/​wiki/​Disassembling
 +
 +## Links
 +
 +* [[http://​blog.bulte.net/​12-28-2013/​hacking-withings-smart-baby-monitor.html|Hacking the Withings Smart Baby Monitor]]
 +* [[http://​poppopret.org/​2013/​06/​10/​summercon-2013-hacking-the-withings-ws-30/​|Summercon 2013 - Hacking the Withings WS30]]
 +* [[https://​www.youtube.com/​watch?​v=ZHDw4om6Wz4|Summercon 2013 - Hacking the WS30 - Youtube]]
 +* [[http://​www.prolixium.com/​mynews?​id=915|Hacking the WS30 - Local server]]
 +
 +### Angel
 +
 +* [[http://​www.indiegogo.com/​projects/​angel-the-first-open-sensor-for-health-and-fitness|Indiego Angel]]
 +* [[http://​www.angelsensor.com/​|Angel]]
/home/share/www/redox.ws/wiki/data/pages/elec/notes/wt_pulse.txt · Last modified: 2019/12/25 15:40 (external edit)