Friday, July 10, 2009

HTTP Sniffing

I've tried USB sniffing and serial snooping, but somehow neglected network sniffing of the HTTP traffic. Back to my old friend Wireshark, née Ethereal.

VERY promising results, which will hopefully help solve the record field alignment puzzle.

This is obviously the technique that Henry at BodyBuggHacks used, at least for his initial postings (his later partial Java code posting indicated direct use of the serial port or a BodyMedia Java API). The protocol has changed a bit (field names are different, etc.), but the structure is the same.

Here is an edited sampling of the response to an HTTP POST during a sync. The "sr", "L..", "q.~.", "xp" and "t." tokens are the type-code markers of Java's ObjectOutputStream serialization format (class descriptor, object-typed field, back-reference to an earlier handle, end-of-block-data plus null, and string), so the body is a serialized com.bodymedia UploadRequest object whose String fields carry the device's text dump:
....sr.6com.bodymedia.common.shared.armband.comm.UploadRequestO...r.0....L..seri
alPortBeant.,Lcom/bodymedia/device/serial/SerialPortBean;xr.,com.bodymedia.commo
n.shared.comm.DataRequest...).z.n...L..handlert..Ljava/lang/String;L..mySessionI
Dq.~..xpppsr.*com.bodymedia.device.serial.SerialPortBean.\.qBI.K...Z..cradle_mod
eL..ageq.~..L..batteryq.~..L..birthdateq.~..L..boardq.~..L..boardSeriesq.~..L..c
alibrationq.~..L..channelListq.~..[..channelst..[BL..epochq.~..L..gsrThresholdq.
~..L..handq.~..L..heartTargetq.~..L..heightq.~..L..memoryq.~..L..productCodeq.~.
.L..recordsq.~..L..serialq.~..L..sexq.~..L..smokerq.~..L..subjectq.~..L.
systemTimeq.~..L..uptimeq.~..L..versionq.~..L..volumeq.~..L..weightq.~..xp.t..Age: 99 years ^M
t.;Battery voltage: 4.160 Max voltage: 4.200 Charged to 94%^M
t..Series: 16^M
t./ 0: RAWACCTR INUSE input: 698 output: 1763^M
1: RAWACCLO INUSE input: 707 output: 2343^M
2: RAWACCTR INUSE input: 2094 output: 1212^M
3: RAWACCLO INUSE input: 2095 output: 2930^M
4: RAWACCFW INUSE input: 988 output: 2410^M
5: RAWACCFW INUSE input: 1964 output: 2818^M
6: RAWGSR INUSE input: 0 output: 1366^M
7: RAWON INUSE input: 0 output: 1367^M
8: RAWTSKIN INUSE input: 40000 output: 1416^M
9: RAWTCOV INUSE input: 40000 output: 1416^M
10: RAWTSKIN INUSE input: 25002 output: 2048^M
11: RAWTCOV INUSE input: 25002 output: 2048^M
t..Chan# Name ^M
----- ---- ^M
0 RAWACCFW^M
1 RAWTSKIN^M
2 RAWGSR^M
3 RAWACCTR^M
4 RAWACCLO^M
5 RAWVBAT^M
6 RAWTCOV^M
7 RAWON^M
8 EE^M
9 MOVTSKIN^M
10 MOVGSR^M
11 MOVACCTR^M
12 MOVACCLO^M
13 MOVVBAT^M
14 MOVTCOV^M
15 MOVON^M
16 MADACCTR^M
17 MADACCLO^M
18 F0CROSS^M
19 HRATE^M
20 PEDO3^M
21 PLATEAU^M
22 MADECG^M
23 TRPEAKS^M
24 MOVTHETA^M
25 FWPEAKS^M
26 FCOUNT^M
27 MOVACCFW^M
28 MADACCFW^M
29 TCOUNT^M
30 LCOUNT^M
31 PEDO3TOE^M
32 TIMESTMP^M
33 HEARTBT^M
34 T0CROSS^M
35 L0CROSS^M
36 RAWECG^M
37 LOGSWEEP^M
38 MADTHETA^M
39 LOPEAKS^M
40 COMPGSR^M
41 RAWCGSR^M

[...SNIP...]

SESSION-BEGIN0502Firefly2_00000000af1bc00e04a54d7ca00000000090c0000046500200780MOVTSKIN^M
93494295095895d96396696996c96f97898098498598798998798598899199d9a29a099f9a29a29a
19a39a29a39a39a099d99b99c99f9a19a49a69a59a59a79a99ab9ad9b09b09b19b39b69b89b99b89
b99bb9bd9bf9c09bd9bd9c09bf9be9be9be9be9bf9c19c39c59c79c89ca9ca9ca9ca9ca9c89c69c5
9c59c69c79c99c99c99c99c99c69c39c09c19c59c89cc9ce9d09d29d39d29d29d39d49d79db9dd9d
d9df9de9dd9de9dc9d99d89d99da9de9e09db9d29ca9c59be9b99b59b19ae9ab9aa9aa9aa9ae9b29
b39b49b49b39b39b29b29b29b39b39b39b49b49b49b49b59b59b69b69b79b89b99ba9bb9bb9bb9bb
9bc9bc9bd9bd9bd9bf9bf9c09c09c19c29c19c19c29c29c39c39c49c59c59c29be9bc9bb9ba9bb9b
b9bb9ba9ba9ba9ba9bb9bb9bc9bd9bd9be9be9be9c09c29c49c59c69c59c49c59c69c69c69c79c79
c69c69c69c69c69c59c59c59c59c49c49c39c39c39c29c29c29c39c49c59c69c79c89c99ca9ca9ca
9cb9cc9cc9cc9cc9cd9cd9cd9cc9cc9ca9c79c59c49c59c
79c79c89c89c99ca9cb9cb9cb9cb9cb9cb9cb9cb9cb9cb9cb9ca9c99c79c69c59c69c89ca9cc9cd9
cd9cd9cd9cd9cd9cd9cc9cc9cc9cc9cb9cb9cb9cb9cb9cb9ca9ca9ca9ca9ca9ca9ca9ca9ca9cb9cb
9cc9cc9cd9cd9ce9ce9cf9cf9d19d29d49d59d79d89d89d99da9da9db9dc9dd9de9df9df9df9dd9d
c9dc9dd9dd9de9de9df9df9e09e09e09e19e09dd9dc9dd9de9df9e09e09e19e19e19e09e09e19e29
e39e59e69e69e79e89e99e99ea9e99e99e79

[...SNIP....]

t.DThere have been 1247284976 seconds since the epoch. Time zone -9.^M
t.&gthresh offbody: 1376 onbody: 1371^M
t..Handed: Left ^M
t..heartrate targets lo: 0 hi: 0
t..Height: 67 inches^M
t..FILE: 78339 bytes of 1048576, 7 percent used^M
t..Product code: 173^M
t..# Type Name Div Channels Bytes^M
- ---- -------- --- ------------------------------- -----^M
0 16 V6RES1 1920 9 11 12 27 14 16 17 40 13^M
1 17 V6RES2 1920 20 21 23 24 38 29 37 254 12^M
2 18 V6RES3 1920 30 34 35 31 39 13 28 254 12^M
3 19 V6RES4 1920 26 18 25 10 8 254 254 254 9^M
4 20 UNUSED 0 254 254 254 254 254 254 254 254 0^M
I am very excited by that table mapping record types (16-19) to channel numbers. I had been parsing that table, but couldn't interpret the numbers before. I believe this gives me the numbered-field-name-to-record mapping I've needed.

I am willing to send you a full sample if you request via e-mail centibenzo at gmail.

EDIT (7/11): BREAKTHROUGH:
1. The device stores data as 12-bit packed fields, not byte-aligned.
2. The "table headers" with apparent column labels do NOT correlate with the columns (baffling).
3. The actual record layout is obtained from the record type table (seen above in the HTTP dump, but also present in device memory) indexed into ANOTHER set of field names retrieved by individual request packets. Weird.

I should have full data extracts soon.
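To make the two tables in the dump usable, here is an added worked example (my code, not the blog's and not BodyMedia's). It parses the record-type table and the Chan# Name table as printed above, decodes the 3-hex-digits-per-sample stream of the MOVTSKIN block, and unpacks 12-bit fields from raw packed bytes the way the device memory is described as storing them. Two things are my assumptions, not facts from the page: the nibble order is big-endian (high nibble first), and each record carries one type byte ahead of its 12-bit fields, which is the only layout I found that reproduces the Bytes column (13, 12, 12 and 9 bytes for 8, 7, 7 and 5 channels). Field names are looked up in the Chan# Name table as printed; per the EDIT above the device's real layout indexes a separate name list, so substitute that list once you have it.

```python
"""Decode the BodyMedia sync data shown in the HTTP dump above.

Added worked example, not code from this blog or from BodyMedia. The two
tables are transcribed from the dump on this page; the sample stream is
the first values of the MOVTSKIN block. Assumptions of mine, not from the
page: (1) packed fields are big-endian, high nibble first; (2) each record
starts with one type byte ahead of its 12-bit fields.
"""
import math
import re

# "Chan# Name" table from the dump: channel number, name, repeated.
CHANNEL_TABLE = """
0 RAWACCFW 1 RAWTSKIN 2 RAWGSR 3 RAWACCTR 4 RAWACCLO 5 RAWVBAT 6 RAWTCOV 7 RAWON
8 EE 9 MOVTSKIN 10 MOVGSR 11 MOVACCTR 12 MOVACCLO 13 MOVVBAT 14 MOVTCOV 15 MOVON
16 MADACCTR 17 MADACCLO 18 F0CROSS 19 HRATE 20 PEDO3 21 PLATEAU 22 MADECG 23 TRPEAKS
24 MOVTHETA 25 FWPEAKS 26 FCOUNT 27 MOVACCFW 28 MADACCFW 29 TCOUNT 30 LCOUNT 31 PEDO3TOE
32 TIMESTMP 33 HEARTBT 34 T0CROSS 35 L0CROSS 36 RAWECG 37 LOGSWEEP 38 MADTHETA 39 LOPEAKS
40 COMPGSR 41 RAWCGSR
"""

# "# Type Name Div Channels Bytes" table from the dump; 254 marks an empty slot.
RECORD_TABLE = """
0 16 V6RES1 1920 9 11 12 27 14 16 17 40 13
1 17 V6RES2 1920 20 21 23 24 38 29 37 254 12
2 18 V6RES3 1920 30 34 35 31 39 13 28 254 12
3 19 V6RES4 1920 26 18 25 10 8 254 254 254 9
4 20 UNUSED 0 254 254 254 254 254 254 254 254 0
"""
EMPTY_SLOT = 254


def parse_channel_names(text):
    tokens = text.split()
    return {int(tokens[i]): tokens[i + 1] for i in range(0, len(tokens), 2)}


def parse_record_table(text):
    """{record type: {name, div, channels (empty slots dropped), bytes}}"""
    records = {}
    for line in text.strip().splitlines():
        f = line.split()
        records[int(f[1])] = {
            "name": f[2],
            "div": int(f[3]),
            "channels": [int(c) for c in f[4:12] if int(c) != EMPTY_SLOT],
            "bytes": int(f[12]),
        }
    return records


NAMES = parse_channel_names(CHANNEL_TABLE)
RECORDS = parse_record_table(RECORD_TABLE)


def record_layout(rtype):
    """Field names, in order, of one record type (via the Chan# Name table)."""
    return [NAMES[c] for c in RECORDS[rtype]["channels"]]


def expected_record_bytes(n_channels):
    """Assumption (2): one type byte plus n 12-bit fields, rounded up to bytes."""
    return 0 if n_channels == 0 else math.ceil((8 + 12 * n_channels) / 8)


def check_record_sizes():
    """True for a type when the assumed layout reproduces the table's Bytes column."""
    return {t: expected_record_bytes(len(r["channels"])) == r["bytes"]
            for t, r in RECORDS.items()}


def decode_hex_stream(text):
    """The HTTP dump prints samples as 3 hex digits per 12-bit value."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    return [int(digits[i:i + 3], 16) for i in range(0, len(digits) - len(digits) % 3, 3)]


def unpack_12bit(data):
    """12-bit fields from raw packed bytes, not byte-aligned (assumption (1))."""
    values, bitpos, total = [], 0, len(data) * 8
    while bitpos + 12 <= total:
        byte, off = divmod(bitpos, 8)            # off is 0 or 4
        chunk = int.from_bytes(data[byte:byte + 2], "big")
        values.append((chunk >> (4 - off)) & 0xFFF)
        bitpos += 12
    return values


def pack_12bit(values):
    """Inverse of unpack_12bit; used here only to build a constructed record."""
    bits = "".join(f"{v & 0xFFF:012b}" for v in values)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big") if bits else b""


def decode_record(data):
    """One record under assumption (2): type byte, then a 12-bit field per channel."""
    rec = RECORDS[data[0]]
    values = unpack_12bit(data[1:rec["bytes"]])[:len(rec["channels"])]
    return rec["name"], dict(zip(record_layout(data[0]), values))


if __name__ == "__main__":
    print(decode_hex_stream("93494295095895d963"))   # start of the MOVTSKIN block
    print(check_record_sizes())
    raw = bytes([19]) + pack_12bit([0x934, 100, 7, 0xFFF, 0])  # constructed V6RES4 record
    print(decode_record(raw))
```

Run stand-alone it prints the first MOVTSKIN samples as integers, the per-type size check (all True under the one-type-byte assumption), and a constructed V6RES4 record decoded into named fields. The size check is the useful part: if a future dump's Bytes column stops matching, the header assumption is wrong and unpack_12bit is being pointed at the wrong bit offset.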
