The Wireless Protocol of a Sports Wrist Watch (Part 2)

This post is a continuation of the The Wireless Protocol of a Sports Wrist Watch, and it is all about testing the hypothesis made so far.

axodus, K.C. Lee, killy.mxi (AKA Killy) and Asterek have all contributed to reverse engineer the radio protocol, and Killy came up with the following algorithm:

Encoded sequence has variable lenght. There are some stuffed bits for better signal recovery.

Output sequence:
* in1
* in2
* (in1 nor in2) stuffed if (in1 nand in2)
* in3
* in4
* (in3 nor in4) stuffed if (in3 nand in4)
* in5
* in6
* (in5 nor in6) stuffed if (in5 nand in6)
* in7
* in8
* (in7 xnor in8)
* (in7 nand in8)

Speaking simple, stuffing rule works like this:
* if pair of bits is 00, stuff 1;
* if 01 or 10, then stuff 0;
* if 11, don’t stuff anything here.

More details can be found in the Discussions section of https://hackaday.io/project/13142-sniff-the-wireless-data-of-a-sports-wrist-watch

I want to thank you all for reverse engineering the encoding scheme, great job!

 

A computer controlled radio Tx


Now, it’s time to test the hypothesis.

To do this, it would be helpful to be able to transmit any code, valid or invalid, and see how the receiver will react. The Crivit chest belt can’t do that, so we need to build our own radio transmitter. With a carrier frequency of only 110 KHz, it should be easy to digitally synthesize the entire modulated carrier.

A few lines of code later, it proves out that a simple wire connected to a digital output is good enough as a Tx antenna, and an Arduino UNO is fast enough to generate the carrier, modulate it, and in the same time talk to a computer over the serial port:

This will allow us to put on air any combination of 0’s and 1’s that we might want to test.

 

New findings


  • for an invalid code, the wristwatch will keep displaying the last valid number received, but the heart symbol will stop blinking, just like in the case of no signal
  • there is no handshake protocol, so the watch will display any valid code received, even if the chest belt ID is changed. All the following codes were displayed as one hundred:
    S 111100 0101000100011
    S 111010 0101000100011
    S 111001 0101000100011
    S 110011 0101000100011
    
  • the total number of bits can vary, i.e. the following codes are both displayed as a valid one hundred:
     S 110011 0101000100011
    S 1100100 0101000100011
    
  • so far, the encoding scheme found by @killy.mxi can predict valid codes even for numbers that were out of reach for the original chest belt transmitter. The following codes predicted for numbers between 234..239 were displayed as valid:
    1110010010010
    1110010011100
    1110011001100
    1110011010100
    1110011100100
    1110011111000
    

    Still, for predicted codes corresponding to numbers greater than 239, the blinking heart stops. This might be because the receiver was designed to act like that, but this it’s not yet for sure.

Manually typing each code to be tested proves to be useful, but also very time consuming and prone to errors. Since our radio Tx is now able to transmit any codes coming from the serial port, it will allow us to do automated testing. This will be the next step.




 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s