Related
Hello,
I am new to the forum and also the owner of an HTC Fuze. I have been playing around recently with the GPS on the phone and got me thinking. I live in NY and we have a CORS network of gps base stations that are fed by the use of ntrip.
I was wondering if their was any way to use the gps signal on my phone and the connection to this CORS network to give me sub inch accuracy on my phone...then not sure what I would do with it then. But I do live on a farm and I would like to see some type of precision agricultural use.
I guess I need a way to have the GPS on the phone talk with the GNSS internet radio and then give me spot on guidance and such.
Please let me know your thoughts or if I need to explain better.
Thanks,
Clayton
bump
bump. Any ideas? Anyone
Great idea cwrisrey !
That will save the cost of a geodetic device, which is many times the cost of a Fuze. Further, it will lead the accuracy of the buildin GPS into millimum class.
Not dig into this further, would you go further to tell these:
Is that CORS data encrypted?
Is that accessible through public internet or VPN?
Is there copy right or intellectuall property right issue involved? (I don't think so, but better make it clear first)
Once again, great idea. Please do remember to update this thread once you got any progress. Thanks.
More info
Hello wg5566,
This site would probably answer alot of your questions clearer than I could:
http://www6.nysdot.gov/spiderweb/frmIndex.aspx
* Is that CORS data encrypted?
-I don't believe so, I think that it is just a form of compression, to distribute across the internet.
* Is that accessible through public internet or VPN?
Yes, the NYS CORS anyway. It accessible from the public internet (although they require you to register with them) But I believe there are other free streams. I also believe it was modeled after being able to be sent threw GPRS.
* Is there copy right or intellectuall property right issue involved? (I don't think so, but better make it clear first)
-I believe the ntrip is based on a GNU, I think the source code is available. http://igs.bkg.bund.de/index_ntrip_down.htm
Windows CE version:
http://www.ilmb.gov.bc.ca/crgb/gsr/downloads/installGNSS.CAB
Please, let me know your thoughts...
Thanks,
Clayton
My fast thoughts:
First make sure there is no satisfied freeware currently available for WM.
If so please ask a moderator to move this to the development & hackings section. And Add tyis sentence on the title: Call for developers for revolutionary GPS app!
I'm sure somebody here can develop this. You know the geodetic device was invented many years ago with very weak profiles comparing to current WM devices. The hardware on our phone should be capable to deal with these calculations, and the WM Pro platform should be capable to support such an app. Anyway it should not be a biggy for many masters here. But it is a biggy for gps users with high accuracy demand for any reason.
Edit: Did you try install that wince cab on your phone? I think some of WINCE apps can just run on WM. Please backup your data first.
Edit2: I tried to install it on my device, at first it did not show up in start menu, then I found the cab just put files and shortcut in the folder names in French. But there is no registry involved in the cab. Only three files. And then program UI itself is in English. Just run the executable from the folder will go right out of the box. So please try it. I did not try to connect & loggin yet, due to not registered account.
Edit3: Looks like the cab is only access the data from internet, convert the data format and export the data, but we still need a geodetic/gps software to process/use the data.
Disclaimer: I attatched these three files for the only purppose of exchanging software developement infomation. Anybody if download it please do not use it for any purppose other than this. Thanx.
Some thoughts on the subject
Hi All,
The idea of using NTRIP to make a Windows Mobile GPS device sub-meter accurate crossed my mind. After some research I found this thread.
Unfortunately, I haven't been able to find any software capable of doing this. My idea is that it should be possible to accomplish this goal, using a combination of existing tools (which would be really cool!).
As wg5566 notes, there is a (WM) tool called GNSS Internet Radio, which is capable of downloading NTRIP corrections. It turns out this software works, but does have some flaws. Someone wrote another open source tool which is better (?), but unfortunately it isn't built for Windows Mobile (see: http://lefebure.com/software/).
More searching revealed a (dead?) project on codeplex: SharpGPS. It's an unfinished demo. It does however seem to be designed to do exactly what we're suggesting in this thread.
My idea: Completing the WM version of SharpGPS with parts of GNSS Internet radio / lefebure NTRIP client should result in a tool that's capable of upgrading a WM devices' gps signal to sub-meter accuracy through RTK/DGPS corrections over NTRIP.
Any ideas / suggestions about this?
It's already been done for the commercial market
Land surveyors, construction companies, and farmers use RTK GPS and RTK GNSS correction services on a regular basis. Some are free and some are paid subscription. They can be either NTRIP protocol with casters or individual TCP or UDP connections. Examples of software available are Carlson SurvCE and MicroSurvey. Read Carlson's support site for how they deal with the data flow using such networks on SurvCE (Windows Mobile and CE).
I have worked in land surveying using such equipment, and it generally requires dual frequency receivers, RTK corrections, and high quality antennas to achieve 1-2cm 95% CI horizontal precision. The current GPS chips in cell phones are only single frequency and so the best you could expect under ideal conditions is 2'-3' precision using some form of differential correction like WAAS or beacon or DGPS via NTRIP. Under average conditions, the precision will likely be in the 10-20' range. The dual frequency receivers take care of the large errors caused by radio waves traveling through the ionosphere.
Due to the limitations of batteries, antennas, and space for more chips in cellphones, the future of location accuracy will likely include some combination of GPS/GLONASS and cellular radio signal frequency timing calculations from cell towers. True Position, with its U-TDOA technology, is one example of measuring the time differences of cell phone radio waves using cell towers with known coordinates. Rumors (from surveying journals) have it that there are current patents in place that can allow for sub foot precision using such methods when sufficient cell towers are present for multilateration.
Has anyone found success on this topic? WM or Android...
Would be very interested, since there is a free NTRIP feed available in Switzerland... anyone?
*bump* it up
Been there still trying. Problem is no carrier phase off internal gps.
Grimli said:
Hi All,
The idea of using NTRIP to make a Windows Mobile GPS device sub-meter accurate crossed my mind. After some research I found this thread.
As wg5566 notes, there is a (WM) tool called GNSS Internet Radio, which is capable of downloading NTRIP corrections. It turns out this software works, but does have some flaws. Someone wrote another open source tool which is better (?), but unfortunately it isn't built for Windows Mobile (see: /lefebure.com/software/).
Click to expand...
Click to collapse
Lance lefebure is a really cool guy I'm sure he wouldn't have any problem building a wm version but it is going to takea lot more than that to get rtk to a cell phone.
Very good ,thanks.
Ed hardy bikini said:
Very good ,thanks.
Click to expand...
Click to collapse
If you are confused just ask questions and I will do my best to answer them. I am in the ag industry and deal with RTK networks and different ways of connecting them and tons of different gps units on a daily basis.
Look at this:
http://stakemill.wordpress.com/2010/07/19/ashtech-mobile-mapper-100-supports-esri-arcpad-10-0/
and this:
http://www.ashtech.com/-2359.kjsp?RH=1272644205746&RF=1270806507068
Is that still a phone !?
wg5566 said:
Look at this:
Is that still a phone !?
Click to expand...
Click to collapse
Nope PDA with support for external GPS with a builtin reciever that even sees glonass satellites (russian constelation). That was made specifically to do RTK mapping. It does have a GSM radio for data to connect to the cors.
Phone positioning using CORS
To perform a CORS (Network Reference correction we need a GGA stream from the GPS in your device. This allows us to remove the anomalies and provde the correction stream. As phones use a sirf II chip or similar they do not have input capability to output the NMEA stream to achieve this.
This one works great! it will connect to an Rtk receiver and get the nmea string from it or will use the internal GPS to be able to register on the CORS network. It will then stream the corrections over Bluetooth to a receiver or even a repeater radio. It won't however correct the internal GPS. http://antrip.dyndns.biz/Home/DownloadTrial
Hi there,
This software is an Antitheft and you can use it to track your device when it was lost or stolen. It works catching a formated SMS/EMail sent from any phone/computer and then receiving useful informations back.
You can use it to others objectives, like keep your eye in your child. Use your imagination!
You can set up to four emergengy contacts to receive SMS if the thief change your SIM card and you still can track your device.
The RemoteTracker for Android is an evolution from an old project for Windows Mobile 6 (If you want to see the entire history, please click here).
I'm justing starting this project. There are much more to come.
To send a command to RemoteTracker, send a SMS with the syntax: RT#(command)#(phone or e-mail)#(password). Example: RT#EGP#[email protected]#1234. This version answer the commands below:
help - send to you a list of commands available in Android platform;
ehelp - same as 'HELP', but send the list by e-mail;
fhelp - same as 'HELP', but send the list to your FTP server;
gp - try to get GPS coordinates and send back to cel number passed as parameter;
egp - same as 'GP', but send the list by e-mail;
fgp - same as 'GP', but send a file to your FTP server;
gi - Send informations about your phone: IMSI, IMEI and ICCID;
egi - Same as 'GI' but the answer goes by e-mail;
fgi - Same as 'GI' but the answer goes to your FTP server;
cb - your phone will make a Call Back to you. Just make a call and let the microphone open;
cellid - Retrieve informations (CELLID, LAC, MNC and MCC codes) about the tower your phone are connected. Send to you by SMS;
ecellid - same as 'CELLID', but the answer goes by e-mail;
fcellid - same as 'CELLID', but the answer goes to your FTP server;
secret - if you forget your password you can use this command to receive by SMS your personal secret question;
lostpass - used to receive your password if you forgot it. You must send the answer for your secret question, so, you can use the secret command to help you;
Commands available only in PRO version:
PICSON - Makes RemoteTracker (only PRO version) watch for new photos and send them to Default EMail Address;
PICSOFF - Makes RemoteTracker (only PRO version) stop to watch for new photos;
EPICSON - Same as PICSON, but send an E-Mail back;
EPICSOFF - Same as PICSOFF, but send an E-Mail back;
FPICSON - Same as PICSON, but send the answer to FTP server;
FPICSOFF - Same as PICSOFF, but send the answer to FTP server;
PCALLSON - Makes RemoteTracker (only PRO version) takes a photo on a call is receive or made and send it to Default EMail Address;
PCALLSOFF - Makes RemoteTracker (only PRO version) stop to take photos on calls;
EPCALLSON - Same as PCALLSON, but send an E-Mail back;
EPCALLSOFF - Same as PCALLSOFF, but send an E-Mail back;
FPCALLSON - Same as PCALLSON, but send the answer to FTP server;
FPCALLSOFF - Same as PCALLSOFF, but send the answer to FTP server;
WIPEDATA - This command will return your device to factory default and format your SD Card.
There are another features inside RemoteTracker, like:
- SIM CARD change observer;
- Automatically restore your preferences if you reinstall it. This feature is particular useful if you have a custom ROM with RemoteTracker inside. Once configured, everytime your devices boots up, your preferences will be restored;
- Works as Device Admin, so it can't be uninstalled if you don't know the password;
- And more...
This project can be multi-language. In this version there is only English (sorry about it, my english is very bad because this is not my mother language). If you want to make your own translate, I can tell how. Very simple.
If you decide to try RemoteTracker, I would like to read reviews, comments and suggestions. Remember this is a beta version and may contain bugs. Use at your own risk and with caution.
--> It is a work in progress. In future versions I will make a lot more.
Support this project
You can support this project making a donation clicking here or clicking the banners in the project website: http://remotetracker.sourceforge.net
All the best,
Joubert Vasconcelos
Hello friends!
To test RemoteTracker please download it from here:
http://remotetracker.sourceforge.net/RemoteTracker.apk
Before your tests, please turn on the Debug option. It will make RemoteTracker write the remotetracker.txt file in the root of your memory card.
All the best,
Joubert
I just released the second beta!!!
Now, RemoteTracker can automatically turn on the Mobile and WiFi network to try get location and send EMails!
For older phones RemoteTracker also will automatically turn on the GPS! Unfortunately this is impossible if you are using new Android versions (2.3.x or so).
A few minor bugs was fixed.
All the best,
Joubert
joubertvasc said:
For older phones RemoteTracker also will automatically turn on the GPS! Unfortunately this is impossible if you are using new Android versions (2.3.x or so).
Click to expand...
Click to collapse
GPS can be enabled in 2.3+ - but only if device is rooted. That's what it says in the Cerberus entry in "AppStore" [edit: AndroidMarket].
Hi!
Yes, if you have a rooted device is very easy to enable GPS remotely. But I do not recommend in any way for users to root the phones for security reasons.
I think you are talking about Market, not AppStore We are talking about Android not Apple
All the best,
Joubert
New beta 0.3!!!
Hello again,
I just released version 0.3. Now we got FTP answers back!
In Configurations I added a session to input your FTP server details. The example commands GI and GP now works with FGI and FGP as well.
Once again minor bugs was fixed. If you want to try please download the APK here: http://remotetracker.sourceforge.net/RemoteTracker.apk
As soon as possible I'll make a TODO list and a Road Map.
All the best,
Joubert
Copying my post form the old thread so I can subscribe to this one:
Wow, nice to see this make it to Android.
Some suggestions,
1: Name it something that isn't obvious in the market. Don't want a thief easily finding it in the installed apps list. Going to the market and then buying "my apps" shows you exactly what's installed. So you should name it something totally different that nobody would suspect or want to remove. Like "memory maximizer" or something like that. Probably want to keep it in the middle of the alphabet so it's not at the top or bottom of the list.
2: Maybe make a way to remotely monitor the front/rear camera. Then you could get the thief on video (and also see if it's a crowd, or some huge guy you don't want to mess with, lol).
I'll try to help test when I get another phone and more time. Right now I don't have a lot of time to work out bugs. And more importantly I only have the 1 phone, and I can't afford to have it malfunctioning (I need it for work). I'll buy a used extra phone for testing and then I'll help test.
Thank's!
Be sure I'm worry about the Name I'll post on Market. Not now. I'm trying to make it working and I'll see what I can do later.
About cameras, yes, I think we can control them. At least take pictures and send to an e-mail account. To remotely monitor the cameras, may be I need a server to receive/transmit stream. Of course this is in my todo list
All the best,
Joubert
joubertvasc said:
Thank's!
Be sure I'm worry about the Name I'll post on Market. Not now. I'm trying to make it working and I'll see what I can do later.
About cameras, yes, I think we can control them. At least take pictures and send to an e-mail account. To remotely monitor the cameras, may be I need a server to receive/transmit stream. Of course this is in my todo list
All the best,
Joubert
Click to expand...
Click to collapse
I would rather set up my own server (or even directly stream peer to peer from the device). That way you don't get stuck with hosting fees and the app doesn't die if you decide to stop supporting it someday (not that you would).
There are many possibilities. I'll try all of them.
All the best
Joubert
Another beta
Hi all,
I release another beta. Once again, if you decide to try it, please download from http://remotetracker.sourceforge.net/RemoteTracker.apk.
I edited the first post to add new features. And I have a notice...
I created a free and pro versions. The free version will have the most common commands we had in Windows Mobile. Only specific commands for Windows Mobile I can't write for Android. Pro version will have new features to come (I don't know yet).
But I don't want to charge my friends, so, if you are a beta tester or help me with anything, I'll give the PRO version for free. But it's for future now I'm engaged to finish RemoteTracker free as best as I can do.
All the best,
Joubert
Possible Bugs
Hi Joubert,
Thank you for have been developing so useful application. I believe everyone here is excited about what you are doing.
I tried your better version and here what I have to say:
1) You stated that the command format is RT#EGP#[email protected]#1234, but what if I want to use command to upload that info to FTP? Then,theoretically, I don't need to indicate my email or phone in the command. At the same time commands like "RT#FGP#1234{this is a password}", "RT#FGP##1234{this is a password}" are not recognized as valid RT commands or even failed with fatal exception. How can I upload this info to FTP, what should be the format of the command in this case?Indicating an email inside the command or phone number when sending to FTP seems a kind of redundancy.
2) Once an Fatal error appeared, it started appearing for each further VALID command which were working before. Error states the following:
Fatal error: Call to a member function query() on non-object in /celerra/webstor/root.dev/usr/sms core.php on line 234, most likely there it has some null reference there.
3) In the log file I see that its trying to send messages to invalid address substituting "@" at "?". Does it mean it sends to correct address but it writes to the logs incorrectly or is it really a bug? Because I don't receive any emails at all.For example, when sending RT#EGI#[email protected]#De41Be02AF in the logs I see that it mentioned it sent the message to "test?test.ru" instead of "[email protected]"
This is it for now. I can try to help you out with programming. I have no experience in Android development but have been developing in C# for 7+ years.
Again thanks for you effort.
ser-j said:
Hi Joubert,
Thank you for have been developing so useful application. I believe everyone here is excited about what you are doing.
Click to expand...
Click to collapse
I'm stuck right now. I can not go ahead because I'm not finding some answers. But soon I return to search. Very good to know there are people wainting my work to be done, because there are lots of good programs in Google Market (now Google Play).
ser-j said:
I tried your better version and here what I have to say:
1) You stated that the command format is RT#EGP#[email protected]#1234, but what if I want to use command to upload that info to FTP? Then,theoretically, I don't need to indicate my email or phone in the command. At the same time commands like "RT#FGP#1234{this is a password}", "RT#FGP##1234{this is a password}" are not recognized as valid RT commands or even failed with fatal exception. How can I upload this info to FTP, what should be the format of the command in this case?Indicating an email inside the command or phone number when sending to FTP seems a kind of redundancy.
Click to expand...
Click to collapse
You should use: rt#fgp##1234 The double # are still necessary. I'm working on a simpler syntax to be used in final version.
I'm worried about fatal errors. That's why I released beta versions. Please use Configurations Menu and check the Debug Options. After that you will see in the root of your memory card a file named remotetracker.txt. Send that file to me please.
ser-j said:
2) Once an Fatal error appeared, it started appearing for each further VALID command which were working before. Error states the following:
Fatal error: Call to a member function query() on non-object in /celerra/webstor/root.dev/usr/sms core.php on line 234, most likely there it has some null reference there.
Click to expand...
Click to collapse
I really don't know what is this. Please send the log file to me. I wrote RemoteTracker for Android in Java, not PHP!!!
ser-j said:
3) In the log file I see that its trying to send messages to invalid address substituting "@" at "?". Does it mean it sends to correct address but it writes to the logs incorrectly or is it really a bug? Because I don't receive any emails at all.For example, when sending RT#EGI#[email protected]#De41Be02AF in the logs I see that it mentioned it sent the message to "test?test.ru" instead of "[email protected]"
Click to expand...
Click to collapse
Are you sending the command using another phone, the same phone or using some WEB service (like your carrier website)? There is no code to change '@' to '?'.
ser-j said:
This is it for now. I can try to help you out with programming. I have no experience in Android development but have been developing in C# for 7+ years.
Again thanks for you effort.
Click to expand...
Click to collapse
Thank you very much for your tests. I need that! There are lots of Androids around the world and make something secure for everyone will be a journey.
All the best,
Joubert
Notices
I almost finished writing the commands that existed in RemoteTracker for Windows Mobile (at least the ones Android can execute).
But I'm still trying to make the security of RemoteTracker to be more robust. I had Features in Windows I can't write for Android yet:
- Prompt for password when uninstalling;
- Lock / Unlock the unit with the LOCK / UNLOCK commands;
I'm not able to use the camera without the need to provide a preview to the user. According to the source code of Android that is impossible, but I saw some programs doing that, so there is a way to do that and I'm looking for this information.
If anyone knows how please help me
All the best,
Joubert
Answers to the questions
Hi Joubert,
Sorry for being silent for so long.
joubertvasc said:
Are you sending the command using another phone, the same phone or using some WEB service (like your carrier website)? There is no code to change '@' to '?'.
Click to expand...
Click to collapse
I am using Web service of my sim provider to send SMS. Didn't have a chance to try with sending SMS from the phone.
joubertvasc said:
Thank you very much for your tests. I need that! There are lots of Androids around the world and make something secure for everyone will be a journey.
Click to expand...
Click to collapse
Yes, you are right.
As to the log file I will send it to you shortly.
Thank you. I'll wait for your log to see details. You can send it directly to my e-mail.
All the best,
Joubert
Hide Remote Tracker Application
Hi Joubertvasc:
Are you planing to make a feature to hide the Remote Tracker from the drawer and from any place of the phone. Like with the Theft Aware; you can access the application by dialing from the Phone Dialer. You enter your four code number then hit call. This will open the apllication without calling the number.
Regards;
Willie
Sounds good. I will take a look about how to do that.
Thank you.
Hi!
After a long time I'm back with a new version. This one has lots of bug fixes:
http://remotetracker.sourceforge.net/RemoteTracker.apk
My problem now is Android 3.1 and later, because they don't intercept messages all the time. They need human access the configuration module once to work. Security issue Google said... I'm trying to find an exit.
Best regards,
Joubert
G'day mate.
Long time no see. Great work on this app so far.
I've finally gotten around to installing it and play around with it a little.
I'm testing this on HTC One X with Revolution HD ROM
Here are a few ideas and tips for you to incorporate into your next version.
1. Include an option that allows users to set how many replies to get back from your software.
For Example. If I were to use #RT#GPS#1234, it currently only sends 1 reply. The problem with this is that most GPS units are accurate withing 5 - 10 meters. I tested it on myself where I am and it picks me up as being 2 houses down. If there was an option to send me 3 replies, in 60 second intervals, at least I would get the average GPS location of the phone. If your phone is stolen, it would also be a good idea to have unlimited SMS replies with 60 second intervals so I can get real time minute by minute location on where my phone is. Maybe this might be an idea for your Pro version. Have the option for how many replies to get and also an option for interval time between each reply.
2. Another idea for Pro version. Hide the RemoteTracker Icon from the Apps menu, or disguise it as a useless setting so if a thief were to look in the Apps menu, they wouldn't see it straight away, so wouldn't be forced to reset the ROM. Most thieves aren't smart enough to reset the phone as soon as they steal it, They normally wait till they get home..... but if he saw a tracking program, it would make them either turn the phone off right away, or reset the ROM right away.
3. I dont know much about Android programming, but an idea for capturing the Camera is to embed the photo into an MMS, or as an attachment in an email. Trying to muck around with FTP would be a waste of time because the average user wont have an FTP server, and you dont want to set up a central one because it would give every noob hacker a target to try and get into.
I will keep playing around and get back to you with any other problems or ideas for you.
Keep up the great work.
Loved the software on WinMo and looks like the Android version will be just as great.
Plz see the Attached GPS Architecture diagram 1st before reading below Article:
Location Services using GPS in Android consist of following Architectural Components
1) GPS Chip
2) GPS Driver
3) GL Engine
4) Android Framework
5) User Applications
Now Lets Understand each
GPS Chip: Radio Frequency Receiver that directly communicates with GPS Satellites
GPS Driver: GPS Driver System Software that uses Low level API’s to Communicate with the GPS chip, at the system level it may consist of a single or multiple files located at /System/Lib/hw/ Or /Vendor/Lib/hw/ files names usually starts with Prefix GPS and Postfix So (i.e gps.default.so or gps.aries.so e.t.c) depending upon the Android version and Smartphone Platform.
GL Engine: Actually the heart of this overall system.
At System level it consist of files at Path /system/bin with names like glgps or gpsd (Platform Specific)
It works using the Configuration Parameters which consist of .xml and .conf files (i.e glconfig.xml, gps.xml, Jupiter.xml, gpsconfig.xml and gps.conf, secgps.conf e.t.c). The Physical Location and names of files again depends upon Android version and Platform, but they are mostly at (/system/etc , /system/etc/gps , /vendor/etc/, /data/gps e.t.c), depending upon the Configuration and Platform, it takes initial Location Information from Cell Towers, then it take it read NVRAM , it is most important as here it store assistance data from GPS Lock, and it may also use xtra data.
NVRAM information is mostly location at /data/gps in a file with .sto ext (i.e gldata.sto) and xtra data files (lto.dat, xtra.bin, epo.dat e.t.c Platform dependent),
Using all this information Gl Engine instruct / Assist the GPS Driver, mostly Gl Engine is able to Detect multiple GPS satellites for which it is GPS driver is Programmed, but to Lock it need some extra information (Timing, Alm. / Emp.e.t.c) which it could either download from GPS satellites (Standalone Mode: very slow speed bits/sec.) or it could use internet to access SUPL/NTP servers (MS Based/MS Assisted Fast speed MB/sec.)
After all this activity, it saves all the data in NVRAM for future use.
Android Location Services : It consist of Android Framework Classes like Location Manager that Provide services to the use applications using the GL Engine.
User Applications: Location services Applications like Google Maps, Sygic, Navigon , TomTom e.t.c.
Keeping all this information in mind now lets see how the GPS Faster Fix Solutions in Market do.
Faster Fix Solutions like GPS Status & Tool Box, GPS Test, GPS Doctor e.t.c mostly handle two things.
1) Download XTRA Data (lto.dat , xtra.bin , epo.dat, gldata.sto e.t.c)
2) Modify GPS.conf (Root Required)
But this not always works.
Devices uses Google as Supl Server but most devices are unable to use it due to invalid/expired certificates and Google servers rejects the Assistance requests in such scenario Users should use SUPL.NOKIA.COM:7275 , which although slow (but something is better then nothing)
If something is wrong with GL Engine or GPS Driver, it may need Re flashing but a little could be done if GPS Chip Reception is Low or Problem is at Hardware Level, some time need soldering skills for hardware alteration (Risky)
http://forum.xda-developers.com/showthread.php?t=1318892
The Other Configuration Parameter which users could modify is xml Configuration file( Take Backup 1st) at Least a Programmer could get Debug Log to understand where things are going wrong, using below parameters.
cLogEnabled="true" acLogDirectory="/sdcard/gps" and LogPriMask, LogFacMask and also DEBUG_LEVEL (gps.conf)
Hope everyone could easily improves their GPS Performance using this guide for any platform.
Wow, thank you, this is very useful!
Neat! Thanks!
hi
can you please explain the extensive location settings from google maps ... i searched google's help and i'm still confused.
for eg, what is the difference between "report from this device" and "enable location history"?
i guess they generate the trafic info using the data from our phones ... how?
thanx!
Happy Holidays! and Happy New Year!
jean2323 said:
hi
can you please explain the extensive location settings from google maps ... i searched google's help and i'm still confused.
for eg, what is the difference between "report from this device" and "enable location history"?
i guess they generate the trafic info using the data from our phones ... how?
thanx!
Happy Holidays! and Happy New Year!
Click to expand...
Click to collapse
'report from this device' is used in latitude. latitude allows you to share your location with your 'friends'. 'enable location history' is for you only and keeps a record of everywhere you go. or at least thats my understanding of it. hope this helps
Thanks for this "sort of" schematic! Keep on making some new schematics! :cyclops:
Dude i dint think ill tamper with gps in my life but the info you provided is just to simple and cool. thanks
mbbauk said:
Dude i dint think ill tamper with gps in my life but the info you provided is just to simple and cool. thanks
Click to expand...
Click to collapse
I agree. I've always enjoyed learning about gps starting from my Garmin iQue days. After suffering with the Captivate and that horrible gps it's nice to have a phone with fantastic gps and the ability to truly use it. Good stuff here!
Sent from my SG Note i317 via XDA Premium...I eat apples, not use them.
Hi
Speaking about GPS, is there any onchip limitation regarding the speed or location that it should grab GPS signal ?
Someone told me that it may not be possible to make it work in a plane because of US rules and security.. or around some sensitive FBI or Governments buildings (that may have signal killers) ?
Thanks
ak074 said:
'report from this device' is used in latitude. latitude allows you to share your location with your 'friends'. 'enable location history' is for you only and keeps a record of everywhere you go. or at least thats my understanding of it. hope this helps
Click to expand...
Click to collapse
first ... with both disabled ... maps and search still search your location .. which is strange ...
second ... if i enable location history, but not report from the device ... there is no history ! or i don't know where to find it ... cause, indeed it's not in latitute ... you can select "report from the device" without selecting history ... not sure if anything happens ...
Happy New Year!
wow mind blowing and extensive work to understand all this about global positioning system ...
Simple question to OP
Can the Broadcom chipset XTRA file- lto2.dat be used for Qualcomm chipset XTRA file - xtra.bin ? and vice versa?
Thank you.
popcorn1122 said:
Simple question to OP
Can the Broadcom chipset XTRA file- lto2.dat be used for Qualcomm chipset XTRA file - xtra.bin ? and vice versa?
Click to expand...
Click to collapse
To My Understanding and Experience "NO",
putting lto2.dat file in a Qualcomm Android Phone do not improve Time To First Fix (TTFF), did'nt experimented BroadCom.
also contents of both files seems different, MediaTek processors uses EPO files instead, but it is astonishing that lto2.dat do improve their TTFF.
But no technical document to prove these experimentation .
US past policy do restrict the use of GPS above certain altitude (to deny military use of GPS), but cell phones still acquire navigation using GlONASS in Planes.
Can anyone tell me which files are responsible for GPS? I used TitaniumBackup and I suspect that I deleted these files by mistake because now I do not receive a signal outside the building
Lollipop 5.0.1 GT-I9505
Hello,
I want to figure out the Samsung Accesory Protocol in order to create a "open source" Gear Manager app replacement. This thread is to ask if anyone has been trying to do the same thing as well as try to gather as much information about this protocol as possible. Generic discussion is also accepted, in case anyone has better ideas.
Right now all I know is that this protocol is based on RFCOMM, albeit it can be transported over TCP too. It has a level 1 "framing" which consists basically on
Code:
packed struct Frame {
uint16_be length_of_data;
char data[length_of_data];
}
packed struct FrameWithCRC {
uint16_be length_of_data;
uint16_be crc_of_length;
char data[length_of_data];
uint16_be crc_of_data;
}
I also know that there are various types of packets. "Hello" packets are exchanged early during the connection and contain the product name, etc. Authentication packets are exchanged right after the initial "hello" and contain some varying hashes (crypto warning!). Then the normal data packets are "multiplexed", as in usbmuxd: they have 'session' IDs which described towards which watch program they are talking with. All Hello and authentication packets are sent without CRC, but normal data packets are. The CRC implementation used is crc16, same poly as in the linux kernel.
I suspect that whatever we uncover about this protocol might be useful to e.g. pair Gear with an iPhone, with a PC, things like that.
Note: most of this comes from viewing Bluetooth logs. However it's clear that reverse engineering will be required for the cryptographic parts. In this case I believe it's legally OK to do so in the EU because it's purely for interoperability reasons. I don't want to create a competitor to the Gear2, I just want to talk to it.
Motivation: I bought a Gear2 in order to replace a LiveView that was dying (buttons wearing out, broken wriststrap clips, etc.) . I used it both for notifications as well as map/navigation.
Since I have a Jolla, no programs are available to pair with most smartwatches, but I've been developing my own so far (MetaWatch, LiveView). Thus I decided on a replacement based purely on hardware characteristics and price. Also Tizen seems more open than Android, thus I figured out it would be easier for me to adapt to the watch.
However it seems that I understimated the complexity of the protocol that connects the Gear with the GearManager. So my options in order to make use of this watch are:
Sell Gear2 back and buy something that's easier to hack (e.g. another LiveView ),
Figure out the SAP protocol and write a replacement Gear Manager app (what this thread is about),
Write replacement Tizen applications that don't use SAP. This involves writing new programs for Calls, Messages, Notifications, Alarms, Camera, watchOn, Pulse monitor, etc. i.e. a _lot_ of work if I want to exploit all features of the watch.
But at least one can reuse the existing Tizen settings app, launcher, drivers, etc. (I started porting Qt to the Gear2 with this idea)
Use a different Linux distro on the Gear 2. Such as Sailfish, Mer, etc. This involves all the work of option 3 + possibly driver work.
As of now I've not decided which option is easier for me so I'll keep trying to push them all.
javispedro said:
Hello,
I want to figure out the Samsung Accesory Protocol in order to create a "open source" Gear Manager app replacement. This thread is to ask if anyone has been trying to do the same thing as well as try to gather as much information about this protocol as possible. Generic discussion is also accepted, in case anyone has better ideas.
Right now all I know is that this protocol is based on RFCOMM, albeit it can be transported over TCP too. It has a level 1 "framing" which consists basically on
Code:
packed struct Frame {
uint16_be length_of_data;
char data[length_of_data];
}
packed struct FrameWithCRC {
uint16_be length_of_data;
uint16_be crc_of_length;
char data[length_of_data];
uint16_be crc_of_data;
}
I also know that there are various types of packets. "Hello" packets are exchanged early during the connection and contain the product name, etc. Authentication packets are exchanged right after the initial "hello" and contain some varying hashes (crypto warning!). Then the normal data packets are "multiplexed", as in usbmuxd: they have 'session' IDs which described towards which watch program they are talking with. All Hello and authentication packets are sent without CRC, but normal data packets are. The CRC implementation used is crc16, same poly as in the linux kernel.
I suspect that whatever we uncover about this protocol might be useful to e.g. pair Gear with an iPhone, with a PC, things like that.
Note: most of this comes from viewing Bluetooth logs. However it's clear that reverse engineering will be required for the cryptographic parts. In this case I believe it's legally OK to do so in the EU because it's purely for interoperability reasons. I don't want to create a competitor to the Gear2, I just want to talk to it.
Motivation: I bought a Gear2 in order to replace a LiveView that was dying (buttons wearing out, broken wriststrap clips, etc.) . I used it both for notifications as well as map/navigation.
Since I have a Jolla, no programs are available to pair with most smartwatches, but I've been developing my own so far (MetaWatch, LiveView). Thus I decided on a replacement based purely on hardware characteristics and price. Also Tizen seems more open than Android, thus I figured out it would be easier for me to adapt to the watch.
However it seems that I understimated the complexity of the protocol that connects the Gear with the GearManager. So my options in order to make use of this watch are:
Sell Gear2 back and buy something that's easier to hack (e.g. another LiveView ),
Figure out the SAP protocol and write a replacement Gear Manager app (what this thread is about),
Write replacement Tizen applications that don't use SAP. This involves writing new programs for Calls, Messages, Notifications, Alarms, Camera, watchOn, Pulse monitor, etc. i.e. a _lot_ of work if I want to exploit all features of the watch.
But at least one can reuse the existing Tizen settings app, launcher, drivers, etc. (I started porting Qt to the Gear2 with this idea)
Use a different Linux distro on the Gear 2. Such as Sailfish, Mer, etc. This involves all the work of option 3 + possibly driver work.
As of now I've not decided which option is easier for me so I'll keep trying to push them all.
Click to expand...
Click to collapse
I think your thread should probably go in the Dev section for Tizen. Have you made any development? If your want it moved, report your own post with the button in top right labeled report. You can then suggest your thread be moved to the new Tizen Development section. Ok, I wish you all the luck, you seem to be very talented programmer/dev. Thanks for your contributions.
Chris
noellenchris said:
I think your thread should probably go in the Dev section for Tizen.
Click to expand...
Click to collapse
Well, some mod already moved this thread from Development, where I originally posted it, into Q&A. This is not exactly "Tizen" development (SAP is used in may Samsung devices seemingly).
noellenchris said:
Have you made any development?
Click to expand...
Click to collapse
Yes, lots of progress. I have been able to write a program that connects to the Gear2 from my PC, succesfully "completes" the setup program and synchronizes the date&time. Things like changing the background color etc. are now trivial. I will soon port it to my Jolla.
I am now looking into how to send notifications to the watch. I've not been able to get Gear Manager to actually send any notifications (to use as "reference"), because goproviders crashes when I try to simulate notifications on my android_x86 VM
If anyone can send me an HCI / Bluetooth packet capture of their Android device while it is sending notifications to the Gear2 I would really appreciate it.
Unfortunately, the main problem here is that Samsung uses some cryptographic authentication as a form of "DRM". I am not exactly sure why.
There was no way for me to discover how the crypto worked so I took the unclean approach and dissasembled their crypto code (libwms.so). That means there's no way I would be able to distribute the code now without risking a lawsuit from Samsung.
Sadly this means that while I can distribute the protocol specifications I obtained, legally distributing "Gear Manager replacements" is probably impossible.
javispedro said:
Well, some mod already moved this thread from Development, where I originally posted it, into Q&A. This is not exactly "Tizen" development (SAP is used in may Samsung devices seemingly).
Click to expand...
Click to collapse
Ya, I was kinda in a Gear 1 mind set, and they have separate threads for Android and Tizen....
Chris
javispedro said:
Unfortunately, the main problem here is that Samsung uses some cryptographic authentication as a form of "DRM". I am not exactly sure why.
There was no way for me to discover how the crypto worked so I took the unclean approach and dissasembled their crypto code (libwms.so). That means there's no way I would be able to distribute the code now without risking a lawsuit from Samsung.
Sadly this means that while I can distribute the protocol specifications I obtained, legally distributing "Gear Manager replacements" is probably impossible.
Click to expand...
Click to collapse
I would gladly write a MIT-licensed C library implementing your protocol specifications. That would be correctly following the chinese-wall approach to reverse-engineering, right?
Anyway, AFAIK, being in Europe decompiling for interoperability purposes is allowed -- I know that wikipedia is not to be taken at face value, but: en.wikipedia.org/wiki/Reverse_engineering#European_Union
Antartica said:
I would gladly write a MIT-licensed C library implementing your protocol specifications. That would be correctly following the chinese-wall approach to reverse-engineering, right?
Anyway, AFAIK, being in Europe decompiling for interoperability purposes is allowed -- I know that wikipedia is not to be taken at face value, but: en.wikipedia.org/wiki/Reverse_engineering#European_Union
Click to expand...
Click to collapse
Well, the problem is not the protocol specifications per se, which I'm actually quite confident I'd be able to redistribute (I'm in EU). The problem is the cryptography part, which is basically ripped off from the Samsung lib "libwsm.so" . Unless we can find out what cryptographic method that lib uses, distributing alternate implementations Is a no-go.
javispedro said:
Well, the problem is not the protocol specifications per se, which I'm actually quite confident I'd be able to redistribute (I'm in EU). The problem is the cryptography part, which is basically ripped off from the Samsung lib "libwsm.so" . Unless we can find out what cryptographic method that lib uses, distributing alternate implementations Is a no-go.
Click to expand...
Click to collapse
If you have the time, I don't mind researching the possible crypto used (although I've only studied DES/3DES, AES and Serpent, hope that whatever scheme used is not very different from them).
Some ideas to start from somewhere:
1. As you have used its functions, it is a block cipher? I will assume that it is.
2. What is the key size and the block size?
3. Are there signs that it is using a stack of ciphers? (that is, applying one cipher, then another to the first result and so on)
Antartica said:
If you have the time, I don't mind researching the possible crypto used (although I've only studied DES/3DES, AES and Serpent, hope that whatever scheme used is not very different from them).
Some ideas to start from somewhere:
1. As you have used its functions, it is a block cipher? I will assume that it is.
2. What is the key size and the block size?
3. Are there signs that it is using a stack of ciphers? (that is, applying one cipher, then another to the first result and so on)
Click to expand...
Click to collapse
Hello, I've not forgotten about this, just somewhat busy and been using the MetaWatch lately
1. Yes it is clearly a block cipher, and the block size Is 16bytes.
2. I don't know about the key size, it is obfuscated.
3. Doesn't seem like a stack of ciphers. It looks like some overcomplicated AES. But to be honest AES is the only encryption I know of
By the way I think I will upload my current test "manager" source code to somewhere after removing the crypto specific files . Since the protocol itself has been obtained cleanly. Note I've used Qt (not the GUI parts) so it's useless for creating a library; the code will probably need to be rewritten to do so, but it may be useful as "protocol specs".
javispedro said:
Hello, I've not forgotten about this, just somewhat busy and been using the MetaWatch lately
Click to expand...
Click to collapse
No problem. Curiously, I've transitioned from the metawatch to the Gear1 fully (null rom, not pairing with bluetooth to the phone but gear used as a standalone device).
[off-topic]I'm not using my metawatch anymore. I was modifying Nils' oswald firmware to make it prettier and to have some features I wanted (calendar, stopwatch), but it was very inaccurate, supposedly because of missing timer interrupts (the existing LCD drawing routines were too slow). I rewrote the graphics subsystem just to stumble into a known mspgcc bug, and trying to use the new redhat's mspgcc resulted in more problems (memory model, interrupt conventions). In the end I couldn't commit enough time to fix that and my metawatch is now in a drawer[/off-topic]
Returning to the topic:
javispedro said:
1. Yes it is clearly a block cipher, and the block size Is 16bytes.
Click to expand...
Click to collapse
Good. We can at least say it isn't DES/3DES nor blowfish (64 bits block size). Regrettably there are a lot of ciphers using 128-bits block size; that I know: AES, Twofish and serpent.
Perusing the wikipedia there are some more of that size in use: Camellia, sometimes RC5 and SEED.
javispedro said:
2. I don't know about the key size, it is obfuscated.
3. Doesn't seem like a stack of ciphers. It looks like some overcomplicated AES. But to be honest AES is the only encryption I know of
Click to expand...
Click to collapse
I understand that to mean that you cannot use that library passing your own key, right?
What a pity! One way to test for these ciphers would have been to just cipher a known string (i.e. all zeroes) with a known key (i.e. also all zeroes) and compare the result with each of the normal ciphers :-/.
javispedro said:
By the way I think I will upload my current test "manager" source code to somewhere after removing the crypto specific files . Since the protocol itself has been obtained cleanly. Note I've used Qt (not the GUI parts) so it's useless for creating a library; the code will probably need to be rewritten to do so, but it may be useful as "protocol specs".
Click to expand...
Click to collapse
Perfect. I don't need anything more .
Ok, so I've uploaded my SAP protocol implementation: https://git.javispedro.com/cgit/sapd.git/ . It's "phone" side only, ie it can be used to initiate a connection to the watch but not to simulate one. In addition, it's missing two important files: wmscrypt.cc and wmspeer.cc which implement the closed crypto required to "pair" the watch. The most important file is sapprotocol.cc which implements the packing/unpacking of the most important packet types. The license of those files is GPLv3 albeit I'm very happy if you use the information contained on them to build your "Gear Manager" program under whichever license you'd prefer.
For anyone who hasn't been following the above discussion: I've figured out a large part (useful for at least establish contact with the watch and syncing time/date) of the SAP protocol used between the Gear watch and the Gear manager program on the phone. This has been done mostly by studying traces and afterwards talking to the watch using my test implementation above to figure out the remaining and some error codes. The debug messages left by the watch's SAP daemon were also immensely helpful. As long as I understand this is perfectly safe to do, publish and use as I'm in the EU and is basically the same method Samba uses.
Unfortunately, the protocol contains some crypto parts required for the initial sync (subsequent connections require authentication). However, the communication itself is not encrypted in any way, which helped a lot with the process. Because it's impossible for me to figure out whatever authentication method is used, I had to disassemble the library implementing this stuff (libwms.so). This is still OK according to EU law, but I'm no longer to release that information to the public. I'm looking for alternatives or ideas on how to handle this fact.
In the meanwhile, let's talk about the protocol. It's basically a reimplementation of the TCP(/IP) ideas on top of a Bluetooth RFCOMM socket. This means that it's connection oriented and that it can multiplex several active connections (called "sessions") over a single RFCOMM link. Either side of the connection can request opening a connection based on the identifier of the listening endpoint (called a "service"). Strings are used to identify services instead of numeric ports as in TCP. For example, "/system/hostmanager" is a service that listens on the watch side. Once you open a session towards this service (i.e. once you connect to it) you can send the time/date sync commands. In addition to be the above the protocol also seems to implement QoS and reliability (automatic retransmission, ordering, etc.). It's not clear to me why they reimplemented all of this since RFCOMM is a STREAM protocol, and thus reliability is already guaranteed!! So I've not focused much on these (seemingly useless) QoS+reliability parts of the protocol.
Let's start with the link level. There are two important RFCOMM services exposed by the watch: {a49eb41e-cb06-495c-9f4f-aa80a90cdf4a} and {a49eb41e-cb06-495c-9f4f-bb80a90cdf00}. I am going to respectively call those two services "data" and "nudge" from now on. These names, as many of the following ones, are mostly made up by me .
The communication starts with Gear manager trying to open a RFCOMM socket towards the "nudge" service in the watch. This causes the watch to immediately reply back by trying to open a connection to the "data" service _on the phone_ side. So obviously this means that your phone needs to expose the "data" RFCOMM service at least. In addition, the watch will try to open a HFP-AG connection (aka it will try to simulate being a headset) to your phone. Most phones have no problem doing this so no work is required. Of course, if your phone is a PC (as in my case ) then you'll need to fake the HFP profile. I give some examples in my code above (see scripts/test-hfp-ag and hfpag.cc).
Once the RFCOMM socket from the watch to the phone "data" service is opened, the watch will immediately send what I call a "peer description" frame. This includes stuff such as the model of the watch as well as some QoS parameters which I still don't understand. The phone is supposed to reply back to this message with a peer description of its own. See sapprotocol.cc for the packet format.
After the description exchange is done, the watch will send a "authentication request" packet. This is a 65 byte bigint plus a 2 byte "challenge". The response from the phone should contain a similar 65 byte bigint, the 2 byte response, and an additional 32 byte bigint. If correct, the watch will reply with some packet I don't care about. Otherwise the connection will be dropped. It obviously looks like some key exchange. But this is the crypto part that's implemented in libwms.so....
After these two exchanges link is now set up. The first connection that needs to be opened is towards a service that is always guaranteed to be present, called "/System/Reserved/ServiceCapabilityDiscovery". It is used by both sides of the connection to know the list of available services present on the other side. Despite this, you cannot query for all services; instead, you must always know the name of the remote service you're looking for. There's some 16-byte checksum there which I don't know how to calculate, but fortunately the watch seems to ignore it!! I suspect that you're expected to actually persist the database of available services in order to shave a roundtrip when connection is being established. But this is not necessary for normal function. This service is implemented in capabilityagent.cc, capabilitypeer.cc . This part was actually one of the most complex ones because of the many concepts. I suggest reading the SDK documentation to understand all the terms ("service", "profile", "role", etc.).
If everything's gone well, now the watch will try to open a connection to a service in your phone called "/system/hostmanager". Once you get to this message things start to get fun, because the protocol used for this service is JSON! It's implementation resides in hostmanageragent.cc, hostmanagerconn.cc . For example, Gear Manager sends the following JSON message once you accept the EULA: {"btMac":"XX:XX:XX:XX:XX:XX", "msgId":"mgr_setupwizard_eula_finished_req", "isOld":1}. At this point, the watch hides the setup screen and goes straight to the menu.
Well, this concludes my high-level overview of the SAP protocol. Hope it is useful for at least someone!
Things to do:
Personally I'm looking for some traces of the notification service. Ie the one that forwards Android notifications towards the watch. For some reason it doesn't work on my phone, so I can't get traces. I suspect it's going to be a simple protocol so a few traces will be OK. It's the only stuff I'm missing in order to be able to actually use the Gear as a proper smartwatch with my Jolla.
We still need to tackle the problem of the cryptographic parts. Several options: either "wrap" the stock libwms.so file, try to RE it the "proper way", .... I'm not sure of the feasibility of any of these.
Many other services.
javispedro said:
After the description exchange is done, the watch will send a "authentication request" packet. This is a 65 byte bigint plus a 2 byte "challenge". The response from the phone should contain a similar 65 byte bigint, the 2 byte response, and an additional 32 byte bigint. If correct, the watch will reply with some packet I don't care about. Otherwise the connection will be dropped. It obviously looks like some key exchange. But this is the crypto part that's implemented in libwms.so....
Click to expand...
Click to collapse
About that 65-byte bigint... that is a 520-bit key. The usual length of ECDSA keys is exactly 520-bits, so we may have something there: it is possible that they are using ECDSA signing (just like in bitcoin, so there are a lot of implementations of that code).
Not forgotten about this!
Just an status update:
I'm still in the process of defining the API of the C library using javispedro's sources as template.
It's tougher than I originally supposed because the C++ code has a lot of forward-declarations of classes, which is very difficult to map into C. To counter that I have to move elements between structures and I'm not so comfortable with the codebase yet.
And then there is still the hard work of translating the Qt signals/slots to plain' old callbacks... and implementing the bluetooth part using bluez API... and... well, I hope that is all.
Anyway, patience .
I've now had access to a Samsung S2 and thus I have been able to obtain more traces. The latest Git now contains code to connect to the notification manager service, thus allowing to send notifications from the phone to the watch.
That was the last missing part to be able to use the Gear 2 as a 'daily' smartwatch with my Jolla, so I've now also ported the code to run under Sailfish. In fact I'm using this setup at the moment. My first comment is "wow the vibrator IS weak".
You can find a log of sapd's (ie my code) startup qDebug() messages; they may be useful (if you can't yet get your code to run)
I suspect that there may still be some important battery issues because the watch keeps printing error messages about SAP services it can't find on the phone (and instead of sleeping, it starts busy polling for them.... :/ ). It does not seem to happen while the watch is out of the charging cradle, so it may not be important, but not sure yet.
As for the encryption, I'm not sure how to proceed. I could describe the code to you, but that would be risky, because I don't understand what it does. Thus the only way (for me) to describe it would be to pass on the mathematical formulas/pseudocode ... Apart from that, we also have the problem of the keys...
Antartica said:
The usual length of ECDSA keys is exactly 520-bits, so we may have something there: it is possible that they are using ECDSA signing
Click to expand...
Click to collapse
They do use ECDH indeed, and they link with OpenSSL and import the ECDH functions. However it's not clear if they use ECDSA; while the crypto algorithm DOES resemble DSA, I cannot fully identify it.
Congratulations for managing to make it work with the Jolla .
I have finally found a suitable "flattened" class hierarchy as to be able to map your code into C; see the attachs. Basically, I have to move the functionality of SAPConnectionRequest, SAPSocket, CapabilityPeer and SAPConnection into SAPPeer, and then it is suitable for my needs.
javispedro said:
As for the encryption, I'm not sure how to proceed. I could describe the code to you, but that would be risky, because I don't understand what it does. Thus the only way (for me) to describe it would be to pass on the mathematical formulas/pseudocode ... Apart from that, we also have the problem of the keys...
They do use ECDH indeed, and they link with OpenSSL and import the ECDH functions. However it's not clear if they use ECDSA; while the crypto algorithm DOES resemble DSA, I cannot fully identify it.
Click to expand...
Click to collapse
If you manage to describe it using mathematical formulas as in
http://en.wikipedia.org/wiki/Ellipt...ture_Algorithm#Signature_generation_algorithm
it would be perfect, but I reckon that to be able write that you need intimate knowledge of the code and don't know if you have time for that :angel:
And identifying the hash function used would be a problem in itself...
One idea: how about a ltrace so we have the calls to the openssl library? That may uncover new hints.
Anyway, I have a lot of work before me until I need that, so don't fret over it.
Hi there! Any chance that the Gear can (really) work with an iPhone?
gidi said:
Hi there! Any chance that the Gear can (really) work with an iPhone?
Click to expand...
Click to collapse
agreed. Needs iPhone support please.
Antartica said:
Congratulations for managing to make it work with the Jolla .
I have finally found a suitable "flattened" class hierarchy as to be able to map your code into C; see the attachs. Basically, I have to move the functionality of SAPConnectionRequest, SAPSocket, CapabilityPeer and SAPConnection into SAPPeer, and then it is suitable for my needs.
Click to expand...
Click to collapse
You may want to look at the official Samsung SDK docs to match their class hierarchy. I tried to match my hierarchy to theirs, but this happened very late in the development process, so there is some weirdness.
Antartica said:
One idea: how about a ltrace so we have the calls to the openssl library? That may uncover new hints.
Click to expand...
Click to collapse
I more or less know what it is doing with OpenSSL, but that's because I looked at the dissassembly. They use OpenSSL for key derivation (ECDH), but the actual cryptographic algorithm is their own. This 'block cipher' is the part they have tried to obfuscate. Not much, but still enough to require more time than what I have available It is basically a set of arithmetical operations with some tables hardcoded in the libwsm.so binary, so no external calls to any library. The hardcoded tables are probably derivated from their private key, which is most definitely not on the binary. In fact I suspect this is basically AES with some changes to make it hard to extract the actual key used, so that's where I've centered my efforts.
Technically it should not even be copyrightable, so maybe I could just redistribute my C reimplementation of the algorithm, but as with any other DRM who knows these days... and that still leaves the problem of the tables/"private key".
Digiguest said:
agreed. Needs iPhone support please.
Click to expand...
Click to collapse
Well you are welcome to implement one such iPhone program yourself. Will be happy to resolve all the protocol questions you have.
(But please stop with the nagging).
Wasn't nagging at all. Just agreeing with him. I am no programmer so I have to rely on others for answers. Sorry if you thought otherwise.
Looking for to see more work on it though. Keep it up.
Hi there! Nice work on getting Gear2 to work with Jolla.
I'd love to get Gear1 to work with WP8.1. Do you have the code for Jolla
on github/bitbucket so I could give it a peek? Thanks in advance.
Duobix said:
Hi there! Nice work on getting Gear2 to work with Jolla.
I'd love to get Gear1 to work with WP8.1. Do you have the code for Jolla
on github/bitbucket so I could give it a peek? Thanks in advance.
Click to expand...
Click to collapse
javispedro had the sources in gitorius, but they are not there anymore (surely related to gitlab buying gitorius).
I attach a tarball with javispedro sources as of 19 October 2014.
Note that it lacks the files implementing the crypto, so just porting it is not enough to be able to communicate to the gear. OTOH, I know that there are some differences in the protocol between the Android Gear1 and the Tizen Gear2 (if the gear1 has been updated to Tizen, it uses the same protocol as gear2). Specifically, to be able to communicate with both watches, the gear manager package has both gear manager 1.7.x and gear manager 2.x. javispedro's code implements the gear 2 protocol.
Personally, I have my port on hold (I have problems with bluetooth in my phone, so there is no point in porting sapd right now as I would not be able to use it).
Found this thread created recently on another website. I thought you guys might be interested in reading the content.
Github page: https://github.com/julKali/nokia8-evenwell
Here are some of the most interesting comments:
mattlondon 2 days ago [-]
So I have spent some initial time looking at this.
com.evenwell.autoregistration.Caivs has some worrying looking stuff.
There is a website here with the username and password in cleartext in the jars: https://www.c2dms.com Nothing visible/doable once logged in from what I could see.
It also appears to be collecting fine-grained location data, e.g. this is the output from logcat (I have obfuscated my own GPS coords here, but they are 6 digits of accuracy)
Code:
2019-03-30 19:38:21.406 15139-15159/? D/[CAIVS] LocationFinder: LocationUpdated: 3.location:Location[gps 51.xxxxxx,-0.xxxxxx hAcc=39 et=+1d19h59m28s923ms alt=102.50201416015625 vel=3.09 bear=14.3 vAcc=24 sAcc=3 bAcc=10 {Bundle[mParcelledData.dataSize=96]}]
2019-03-30 19:38:21.406 15139-15159/? D/[CAIVS] LocationFinder: updateLocation: gps accuracy:38.592003
2019-03-30 19:38:21.406 15139-15159/? D/[CAIVS] LocationFinder: updateLocation: is in accuracy :1000
com.evenwell.autoregistration.Utils.RegisterManager seems to be doing some scheduled checks and doing something with this collected data in the first 24 hours, then phased at 15 and 90 days. It is not clear what is happening having only done an initial scan over this.
It does look like they are doing some checking to see if the device is a Nokia device and selectively doing or not doing location-based stuff based on that, e.g. from com.evenwell.autoregistration.Utils.GetInfo
Code:
2019-03-30 20:09:25.108 16558-16577/? D/[CAIVS] GetInfo: getCellLocation: in black list
Further investigation probably warranted. This looks a bit suspect and might only send data on specific days (and would explain why I did not notice anything outbound over my 4 day period of checking before).
Click to expand...
Click to collapse
I found this in English: https://web.archive.org/web/20081027134825/http://www.cseed....
Quote: "CAIVS notifies our system when the handset is purchased. Data includes the date, time, and location that a SIM card is first inserted into the handset, the inserted SIM card's telecom operator, the handset's operating system, the handset model and phone number, and even the time when it is first turned on. "
WTF.
It is not clear at the moment if there is a blacklist on the MCC code going on in com.evenwell.autoregistration.Util.XMLHelper that reads from /product/etc/AutoRegConfig.xml is this line:
Code:
<NOKIA>
<REJECTMCCLIST>232,206,284,219,280,230,238,248,244,208,262,202,216,274,510,272,222,247,295,228,246,270,278,204,242,260,268,226,231,293,655,214,240,228,234,235,520</REJECTMCCLIST>
</NOKIA>
These are - I think - the Mobile Country Codes (https://en.wikipedia.org/wiki/Mobile_country_code) it gets from the cellsite. This list is basically the EU + South Africa, Thailand and Indonesia. Don't know what things are like in SA, Thailand or Indonesia but in the EU this sort of thing would not be acceptable. Looks also like there is a hard-coded short-circuit in getLocation() in com.evenwell.autoregistration.Util.GetInfo to always return no location lat-longs which appears to trigger another shortcut in RegisterManager that shortcuts out to the "Caivs not in registration phase" log output which returns without triggering the sendToServer() calls on other code paths.
I am not convinced that this will never send location back, but looks like it might have been updated with to prevent phoning home in those countries in the MCC list (and maybe by hard-coded shortcuts the actual code). This would meet with what was said with there recent phoning home response from Nokia - i.e. (https://translate.google.com/translate?u=https://nrkbeta.no/...)
Click to expand...
Click to collapse
As foobarbazetc noted, the listed packages have been specifically developed for Nokia (HMD). And although many only actually send telemetry on Nokia phones that have been sold in China, there is still quite a lot of data at stake that can be used to track the device when combined with data from other sources.
I wanted to share my findings to create the awareness that the mechanisms are there and it only takes a little misconfiguration (see https://arstechnica.com/gadgets/2019/03/hmd-admits-the-nokia...) and all this goes straight to the Chinese authorities.
Click to expand...
Click to collapse
full thread: https://news.ycombinator.com/item?id=19530670
This is why I feel like a custom rom for this phone is long overdue so we can use our phones free of concerning bloatware and privacy issues.