Hacking Polar Loop - Part 2

USB Communication

Please read first post first.
Code can be found on GitHub.

Polar Loop is recognized as USB HID device. As it was described in previous post, it is using only one report:
  • Report Type: Output
  • Report ID: 1
  • Report Length: 64
It is a request-response communication. Each response is raw byte array of length 64 (similar to input report). Communication is not encrypted.

Still, communication looks like binary data with some human-readable strings. Most of them seems to be paths:
  • /
  • /U/UDB.BPB
  • etc.
This information was enough to guess that Polar Loop is storing information in serialized way.
BPB...PB...Protocol Buffers...Google Protocol Buffers :)

Google Protocol Buffers (PB)

"Protocol buffers are a language-neutral, platform-neutral extensible mechanism for serializing structured data."

Unfortunately, serialized data is not self-describing. Endpoints, however, have to know, how to serialize/deserialize data. PB compiler is used to generate language specific code from plain proto files. Code generated by PB compiler includes compiled proto file.

Thesis: If Polar is using PB, it has to have compiled PB code included in applications.

After few tries, I knew how it should look. Each compiled proto file string must have '.proto' substring. Not to much to search.

First, I checked Polar FlowSync - fail. Hooking network traffic confirmed, that Polar Flow is just passing data retrieved via USB to remote location. It means, PB code is included in server applications.

Second try - Android application - Polar Flow. Success! I found more than 50 compiled proto files descriptors.


Pbd is a Python module to disassemble serialized protocol buffers descriptors. It was created specially for this project. Right now it is more popular than Loophole ;)

You can find code on GitHub.

At this point I had plain proto files!

Brak komentarzy:

Prześlij komentarz