Hacking Polar Loop - Part 2

USB Communication

Please read the first post first.
Code can be found on GitHub.

Polar Loop is recognized as a USB HID device. As described in the previous post, it uses only one report:
  • Report Type: Output
  • Report ID: 1
  • Report Length: 64
Communication is request-response. Each response is a raw byte array of length 64 (similar to an input report). Communication is not encrypted.

Still, the traffic looks like binary data with some human-readable strings. Most of them seem to be paths:
  • /
  • /DEVICE.BPB
  • /U/UDB.BPB
  • etc.
This information was enough to guess that Polar Loop stores information in a serialized form.
BPB...PB...Protocol Buffers...Google Protocol Buffers :)

Google Protocol Buffers (PB)

"Protocol buffers are a language-neutral, platform-neutral extensible mechanism for serializing structured data."

Unfortunately, serialized data is not self-describing. The endpoints, however, have to know how to serialize/deserialize it. The PB compiler generates language-specific code from plain proto files, and the generated code includes the compiled proto file (its serialized descriptor).

Thesis: if Polar is using PB, compiled PB code has to be included in its applications.

After a few tries, I knew what to look for. Each compiled proto file string must contain the '.proto' substring. Not too much to search for.

First, I checked Polar FlowSync - fail. Hooking the network traffic confirmed that Polar Flow just passes the data retrieved via USB to a remote location. This means the PB code is included in the server applications.

Second try - the Android application, Polar Flow. Success! I found more than 50 compiled proto file descriptors.

Pbd

Pbd is a Python module for disassembling serialized Protocol Buffers descriptors. It was created specifically for this project. Right now it is more popular than Loophole ;)

You can find the code on GitHub.

At this point I had plain proto files!
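The '.proto' search and the descriptor disassembly described above, as an added Python example that is not code from the original post or from Pbd: it scans a binary blob for a candidate serialized FileDescriptorProto (assumed to start with field 1, the file name, so tag byte 0x0a followed by a varint length) and decodes its name, package and dependency fields with a minimal wire-format reader. The descriptor bytes and the surrounding junk are constructed for this example.

```python
# Added example, not code from the original post or from Pbd: find compiled
# .proto descriptors inside a binary blob and decode their header fields.
# Assumption: a serialized FileDescriptorProto starts with field 1 (name), i.e.
# tag byte 0x0a, a varint length, then a file name ending in ".proto".
import re

def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, position after it)."""
    value = shift = 0
    while True:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not buf[pos - 1] & 0x80:
            return value, pos

def decode_descriptor(blob, start):
    """Read FileDescriptorProto fields 1 (name), 2 (package) and 3 (dependency).
    Serializers emit fields in number order, so decoding stops at the first tag
    that is not one of those three string fields (or at truncated data)."""
    info, pos = {"offset": start, "name": None, "package": None, "dependency": []}, start
    while pos < len(blob):
        try:
            tag, nxt = read_varint(blob, pos)
            length, nxt = read_varint(blob, nxt)
        except IndexError:
            break
        num, wire = tag >> 3, tag & 0x7
        if num not in (1, 2, 3) or wire != 2 or nxt + length > len(blob):
            break                                  # end of the descriptor's header fields
        text = blob[nxt:nxt + length].decode("utf-8", "replace")
        if num == 3:
            info["dependency"].append(text)
        else:
            info["name" if num == 1 else "package"] = text
        pos = nxt + length
    return info

def find_descriptors(blob):
    """A candidate is a '.proto' string preceded by a one-byte length and tag 0x0a."""
    found = []
    for m in re.finditer(rb"[\w./-]+\.proto", blob):
        start = m.start() - 2
        if start >= 0 and blob[start] == 0x0A and blob[start + 1] == len(m.group()):
            found.append(decode_descriptor(blob, start))
    return found

# Constructed sample: one hand-built descriptor surrounded by unrelated bytes.
DESCRIPTOR = (b"\x0a\x0cdevice.proto"   # field 1: name
              b"\x12\x0apolar.data"     # field 2: package
              b"\x1a\x0btypes.proto")   # field 3: dependency
SAMPLE_BLOB = b"\x00\x01\x02some-class-name\x00" + DESCRIPTOR + b"\x00trailing\x00"
```

The finder only recognises names shorter than 128 bytes (a one-byte length); a real descriptor dump has many more fields after the dependency list, which the decoder deliberately stops at.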

Hacking Polar Loop - Part 1

This is the first post in a series about hacking the Polar Loop activity tracker.

Code can be found on GitHub.

Introduction

Polar Loop is an activity tracker from Polar Electro. Basically it is a wristband that monitors your activity (movement). Since I bought one, I was curious how it works.

After a few months of use, I decided it was time to hack it. So, let's go.

Gathering info

The Polar environment consists of:
  1. Device (Polar Loop)
  2. Polar Web application (Polar Flow)
  3. Windows sync application (Polar FlowSync)
  4. Mobile application

Device

Polar Loop uses BLE (Bluetooth Low Energy; Bluetooth Smart). This means it had to be certified by the FCC (Federal Communications Commission), which in turn means a set of documents is publicly available.
I used the great FCC document search engine https://fcc.io/.
The FCC ID for Polar Loop is INW0C.

The most interesting document is the Internal Photos.
Now I knew what is inside:

  • STM32L151QCH6 - Ultra-low power ARM Cortex-M3 MCU, 256 Kb Flash, 32MHz CPU, USB 
  • CC2541 - SimpleLink Bluetooth Smart and Proprietary Wireless MCU
  • AS1130 - LED Driver IC
  • 25PX16VG - Serial Flash memory
  • Y434 NS01 - ??? (let me know in the comments if you know what it is)

Attack vector

There are three ways to access the device:
  1. Button - highly unlikely to hack it via a single button (tried anyway ;p)
  2. Bluetooth Smart - skipped.
  3. USB - Winner!
I focused on USB. Polar Loop is recognized as a USB HID device. Obviously, it is the best place to start.

USB communication

A quick USB HID class intro. USB HID drivers are included in most modern OSes.
The device describes how it will communicate. Communication is realized using reports; a device can handle more than one report.
Polar Loop uses only one report:
  • Report Type: Output
  • Report ID: 1
  • Report Length: 64
This means the device accepts a raw byte array of size 64.
Initial investigation was done using USBlyzer and Wireshark.


More soon...