MindWave "cracked" .. or mostly so..

So Ale, this is the contents of the file you sent me...  I was looking at the MindWave parsing stuff.  They have a "Dummy" data generator for testing - which is very nice.  Looking at that I thought I could figure out what to expect from the MindWave device. 

In the dummy generator they are creating 2 bytes AA & AA ... THE SAME MAGIC NUMBER MRL & MRLComm.ino USE !! .. what are the odds? ;)  

Anyway I don't see the signature in the file.. but I do see the pattern of 3F 3F .. it might be because they changed it .. or it was re-interpreted due to type casting ..  I'll look into this later..

It goes MAGIC | MAGIC | SIZE | 2 BYTE SIGNAL QUALITY | 2 BYTE ATTENTION | 2 BYTE MEDITATION | CHECKSUM

In the packet 04 seems correct - dunno what it's sending but it's 2 bytes short from the dummy one.. looks to have a checksum on the end too (purple square)

 


dwilli9013:

The Matrix Revisited

Neo would be proud.

 Boy I get dizzy if I look at that too long.

 

GroG:

So - what I guessed seems like it's correct .. I found that they occasionally send more data - don't know in what context this occurs.. perhaps "blink" ?  But there is a larger message with Magic Number & Size (Green) .. this time they are sending 32 bytes with the Red checksum at the end

RED - Magic & Check Sum
GREEN - Size
ORANGE - Data  .. might be a blink in there ;)

Alessandruino:

@ grog whoo hooo...so the blinky is hidden in the long message?

Alessandruino:

So if data length is > 4 -> blinky detected -> close hand

Alessandruino:

Tell me what is the next step grog..

GroG:

Right now we have seen just data ...

But what we want to see is .... "cause" ----- and ---->  "effect"

We want the details of the protocol which I think is this document

http://wearcam.org/ece516/mindset_communications_protocol.pdf

And we'll use some of the Java code they gave us.

The documentation is strange. It has a lot of "detail" but a diagram would have been much better (and much shorter)

Alessandruino:

Hey grog... I downloaded and tested this app on my phone and it works great !!!

https://play.google.com/store/apps/details?id=res.juanhg.hellomindwave

Searching on Google I've found it's open source !!!

Maybe we can see inside this app to learn how it parses the data coming from the Bluetooth

https://github.com/juanhg/MindWaveEye

Alessandruino:

Hey, maybe I found another interesting thing:

A java socket library

http://crea.tion.to/thinkgear-java-socket/

https://github.com/borg/ThinkGear-Java-socket

GroG:

The parsing makes sense, but the data is still goofy ..  it's 3F 3F - try to do a session as before and write the rx.data file with this update ...

https://drive.google.com/file/d/0BwldU9GvnUDWRFhqdW83X3pvbE0/edit?usp=sh...

in it I'm saving data with the bits shifted over .. let's see if that makes a difference...

GroG:

Got it ... That was it ...

THERE IT IS 2 AA AA !

been looking at the Matrix too long...    The Blonde looked funny...

Now it's time to run it through the parser...

 

GroG:

GAAHHHHH !

This thing is crap !  ...  The checksum is messed up and the instructions are absolutely inane ! 

I give you an example :

Step-By-Step Guide to Parsing DataRows in a Packet Payload
Repeat the following steps for parsing a DataRow until all bytes in the payload[] array ([PLENGTH]
bytes) have been considered and parsed:
1. Parse and count the number of [EXCODE] (0x55) bytes that may be at the beginning of the
current DataRow.
2. Parse the [CODE] byte for the current DataRow.
3. If [CODE] >= 0x80, parse the next byte as the [VLENGTH] byte for the current DataRow.
4. Parse and handle the [VALUE…] byte(s) of the current DataRow, based on the DataRow's [EXCODE]
level, [CODE], and [VLENGTH] (refer to the Code De

Alessandruino:

I compiled mindwavetest by fivedots and then I tried to run it :

 

This is what the folder looks like after the compiling :

GroG:

If it found the dll (first challenge) - and still blew up - then it's probably a

bitness issue - he has a 32 bit dll I think - on a 64 bit jvm - make no worky

 

JNI is a PITA - that's why I wanted the pure Java parsing to work .. really there is no reason why it should not work in Java.. if the code was correct.. which I do not believe it is...

GroG:

Tried a different hex editor - but it still did not get me what I wanted..  I wanted to just copy the hex values out. doesn't seem that much to ask for 

Here's a 32 byte "blinky" data packet .. mebbe it's a blink

 

and a 32 byte "no blinky" data packet

 

 

GroG:

Whoosh .. that took some work.. but I extracted all the 32 byte packets out of the blinky file - fortunately there was a nice text editor that actually let me copy .. without it, it would be even more of a PITA

Here's Blinky

Blinky
AA AA 20 02 19 3F 18 00 00 6E 00 00 25 00 00 1D 00 00 11 00 00 10 00 00 08 00 00 01 00 00 00 04 00 05 00 66
AA AA 20 02 00 3F 18 03 1D 54 06 D9 CD 00 6C 50 00 C2 5B 00 A4 D5 01 42 47 03 B6 BE 00 B3 3F 04 00 05 00 3F
AA AA 20 02 00 3F 18 05 D1 D4 00 3F E8 01 1D 09 00 73 02 00 14 29 00 3C EC 00 20 26 00 07 F9 04 00 05 00 E8
AA AA 20 02 00 3F 18 0E C0 04 02 5F 71 02 41 51 01 3F B6 00 BA 0F 00 AB 7D 00 6C 1C 00 4D 3F 04 1E 05 30 3B
AA AA 20 02 00 3F 18 14 6F 0B 01 53 13 01 04 F0 00 4D 03 00 CA 08 00 1D 1E 00 D8 D2 00 2B 50 04 0D 05 35 AB
AA AA 20 02 00 3F 18 1C 0F 2E 18 3F 3F 05 F0 A3 01 01 65 01 03 F7 01 3F 4F 02 02 E0 01 1D 3F 04 01 05 32 32
AA AA 20 02 00 3F 18 05 77 53 05 D1 DF 00 33 2E 01 0D 3F 00 3F 68 00 5F 38 00 79 08 00 25 3A 04 01 05 2C 34
AA AA 20 02 00 3F 18 0B 29 45 03 3F 3F 00 3A FE 00 5B 3F 00 30 40 00 2C 39 00 40 D3 00 11 6D 04 01 05 1B 00
AA AA 20 02 00 3F 18 22 49 74 07 2E 0F 00 6C 3F 00 FD 20 01 D6 C3 02 AE 3F 01 B2 3F 00 AD 13 04 32 05 17 F5
AA AA 20 02 00 3F 18 03 C5 EA 01 10 5A 00 02 F3 00 45 4B 00 33 41 00 36 60 00 40 3F 00 0A 70 04 4B 05 17 FB
AA AA 20 02 00 3F 18 14 BD 6A 08 C3 1E 02 66 52 01 73 CB 00 3F D7 01 28 A1 01 4E F5 01 4D D4 04 5B 05 1E 27
AA AA 20 02 33 3F 18 0D E4 3C 01 F0 31 00 B2 D0 01 18 26 01 00 CE 00 3F 3F 00 34 30 00 1F C0 04 5A 05 1E 74
AA AA 20 02 33 3F 18 04 2A 3F 00 25 50 00 09 3F 00 0E 3F 00 0A C5 00 17 B7 00 09 41 00 01 FB 04 5A 05 1E 49
AA AA 20 02 33 3F 18 32 3F 72 03 31 A0 08 2C BE 03 E9 56 04 BC C6 03 F0 73 00 C7 3F 00 A5 A6 04 5A 05 1E 01
AA AA 20 02 00 3F 18 15 AB 3F 09 62 B7 0E 4C 13 06 C0 B5 02 3F B1 05 5E 57 01 E4 3E 00 28 17 04 4E 05 32 36
AA AA 20 02 1A 3F 18 06 B8 4C 02 69 BB 00 3F 3F 00 2F 3F 00 3F 51 00 4D 3C 00 53 34 00 0F F3 04 4E 05 32 BD
AA AA 20 02 00 3F 18 1C 69 A8 02 E0 60 01 B2 3F 03 13 6B 02 3F BE 01 D7 20 01 34 76 00 AA 56 04 54 05 3C 3F
AA AA 20 02 00 3F 18 26 61 F1 0F 3F EB 03 3F 22 02 5E 6D 01 A6 09 01 5C 3F 00 3F 2B 00 33 EA 04 4D 05 39 DD
AA AA 20 02 00 3F 18 0C C8 33 05 AB A9 07 3F 39 00 DB AB 01 0B D5 02 00 3F 01 68 5B 01 12 C4 04 3D 05 3F 04
AA AA 20 02 00 3F 18 16 0F FD 00 C4 7A 00 0B AA 00 5E 1E 00 7A D8 01 2F 26 00 3F 43 00 4E A6 04 4D 05 2F D7
AA AA 20 02 00 3F 18 1D 38 21 0B CB 1F 04 C6 75 02 3B 3F 01 EB 3F 00 3F F1 00 E2 40 00 30 3F 04 29 05 2C AD
AA AA 20 02 00 3F 18 09 60 31 02 C7 06 01 DB CF 00 75 FF 00 68 3F 00 3F 54 00 59 07 00 30 21 04 23 05 28 EB
AA AA 20 02 00 3F 18 0F 7D E5 0C 31 D5 02 D5 AB 02 AE B4 00 3F B5 00 61 46 00 A3 3D 00 4C D2 04 01 05 2F CE
AA AA 20 02 00 3F 18 0A 28 BB 01 2B F0 01 14 4C 00 3F 1E 00 71 69 00 77 3F 00 E4 DB 00 21 FD 04 0E 05 33 2E
AA AA 20 02 00 3F 18 06 12 C5 00 78 BB 00 3F 6B 00 45 65 00 14 F6 00 27 08 00 21 B8 00 19 C9 04 15 05 3D 65
 
No Blinky 
AA AA 20 02 19 3F 18 00 00 5B 00 00 15 00 00 17 00 00 1F 00 00 1E 00 00 11 00 00 01 00 00 04 04 00 05 00 66
AA AA 20 02 19 3F 18 02 C6 69 01 56 7E 00 20 AA 00 12 20 00 0D 12 00 14 D7 00 0C 34 00 03 3F 04 00 05 00 6E
AA AA 20 02 00 3F 18 0D 3F 36 03 78 F0 02 43 A1 00 72 C3 00 3F FD 00 DB B7 00 3D E1 00 21 E4 04 00 05 00 CA
AA AA 20 02 00 3F 18 07 AE D9 00 D1 33 00 1B 50 00 2A 69 00 18 06 00 0B 35 00 07 52 00 04 01 04 00 05 00 0D
AA AA 20 02 00 3F 18 0C B3 38 02 F0 E0 02 A6 22 00 3F F9 00 61 1D 00 3F D4 00 37 71 00 17 3F 04 00 05 00 15
AA AA 20 02 00 3F 18 00 4E 22 00 4E 6D 00 43 29 00 33 21 00 42 0C 00 22 FF 00 13 2C 00 09 DB 04 35 05 30 77
AA AA 20 02 00 3F 18 11 3F 48 01 49 3F 00 37 B9 00 29 E0 00 16 3B 00 0F 3F 00 0F 3F 00 09 C6 04 2B 05 28 E8
AA AA 20 02 00 3F 18 00 2C 3F 00 16 B2 00 12 A7 00 03 61 00 0F A1 00 15 13 00 11 5D 00 04 BF 04 4D 05 32 25
AA AA 20 02 00 3F 18 00 2D E6 00 08 C7 00 12 4F 00 1A DA 00 0A E8 00 1F DB 00 11 7D 00 06 B7 04 54 05 38 5F
AA AA 20 02 00 3F 18 00 44 BC 00 11 E9 00 57 C6 00 43 A8 00 19 6F 00 14 50 00 0C 67 00 0F 3F 04 64 05 64 3F
AA AA 20 02 00 3F 18 00 32 EE 00 15 35 00 0F 46 00 08 5F 00 05 BC 00 13 4B 00 17 A9 00 0E 4E 04 61 05 64 33
AA AA 20 02 00 3F 18 00 0F 61 00 0D 3C 00 0D E5 00 08 E6 00 0A 6C 00 16 AB 00 0B EA 00 09 D4 04 61 05 54 02
AA AA 20 02 00 3F 18 00 10 F9 00 1A 72 00 06 A6 00 29 6D 00 1D 47 00 07 B1 00 0C E4 00 04 3F 04 5A 05 43 47
AA AA 20 02 00 3F 18 07 3F 69 00 58 AE 00 18 44 00 11 AD 00 11 C2 00 08 A7 00 07 56 00 01 A6 04 40 05 15 58
AA AA 20 02 00 3F 18 00 28 3F 00 3E C8 00 1A 2D 00 0B A0 00 11 50 00 13 3F 00 18 09 00 0A 0E 04 33 05 10 34
AA AA 20 02 00 3F 18 0C 40 A0 02 52 10 00 21 47 00 B1 3F 00 BA 3F 00 53 3D 00 13 3F 00 0F D3 04 3D 05 1A AA
AA AA 20 02 00 3F 18 01 CE F0 02 15 1A 00 22 A5 00 68 A2 00 10 14 00 13 F8 00 10 3B 00 08 23 04 33 05 14 AC
AA AA 20 02 00 3F 18 01 B8 A8 00 67 15 00 14 53 00 30 25 00 0E 14 00 1B B9 00 24 39 00 10 2F 04 32 05 17 E5
AA AA 20 02 00 3F 18 00 17 50 00 09 C7 00 09 3F 00 06 5C 00 0C 47 00 18 40 00 1B 51 00 0F A5 04 39 05 08 16
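One way to parse these captures, as an added example that is not the thread's code nor NeuroSky's: it checks the frame laid out in the first post (AA AA, size, payload, checksum) and follows the four DataRow steps GroG quoted from the protocol document. Function and constant names are assumptions, as is restoring the dump's 3F byte to 83, on the reading that bytes >= 0x80 were turned into '?' by the text conversion GroG suspected.

```python
# Added example, not code from the thread or from NeuroSky: a checksum-checking
# parser for the framing worked out above and the DataRow steps quoted from the PDF.
SYNC, EXCODE, MAX_PLENGTH = 0xAA, 0x55, 169          # PLENGTH >= 0xAA is invalid
SINGLE = {0x02: "poor_signal", 0x04: "attention",    # one value byte each
          0x05: "meditation", 0x16: "blink_strength"}
ASIC_EEG_POWER = 0x83                                # 8 bands x 3-byte big-endian

def checksum(payload):      # low byte of the payload sum, bit-inverted
    return (~sum(payload)) & 0xFF

def parse_payload(payload):
    rows, i, n = {}, 0, len(payload)
    while i < n:
        excode = 0
        while i < n and payload[i] == EXCODE:            # step 1: count EXCODEs
            excode, i = excode + 1, i + 1
        if i >= n:
            raise ValueError("EXCODE bytes with no CODE")
        code, i = payload[i], i + 1                      # step 2: CODE
        vlength = 1
        if code >= 0x80:                                 # step 3: explicit VLENGTH
            if i >= n:
                raise ValueError("CODE with no VLENGTH")
            vlength, i = payload[i], i + 1
        value, i = payload[i:i + vlength], i + vlength   # step 4: VALUE bytes
        if len(value) != vlength:
            raise ValueError("VALUE runs past the payload end")
        if excode:                    # no extended-code rows are defined: skip
            continue
        if code in SINGLE:
            rows[SINGLE[code]] = value[0]
        elif code == ASIC_EEG_POWER and vlength == 24:
            rows["eeg_power"] = [int.from_bytes(value[k:k + 3], "big")
                                 for k in range(0, 24, 3)]
    return rows

def parse_packet(data):     # frame: AA AA PLENGTH payload[PLENGTH] CHKSUM
    if len(data) < 4 or data[0] != SYNC or data[1] != SYNC:
        raise ValueError("missing AA AA sync")
    plength = data[2]       # untrusted: bound it before slicing
    if plength > MAX_PLENGTH or len(data) < 4 + plength:
        raise ValueError("bad or truncated PLENGTH %d" % plength)
    payload = data[3:3 + plength]
    if checksum(payload) != data[3 + plength]:
        raise ValueError("checksum mismatch")
    return parse_payload(payload)

# Constructed from the first "No Blinky" line above, its 3F restored to 83 (assumed '?' from lossy decoding)
NO_BLINKY_1 = bytes.fromhex("AAAA20 0219 8318 00005B 000015 000017 00001F"
                            " 00001E 000011 000001 000004 0400 0500 66")
```

With 83 in place the trailing 66 checksum verifies; left as 3F, the same line fails the checksum, which is why the page's dump could not be fed straight into the parser.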