about Disney Magicband bluetooth codes #1
Comments
|
Greetings! Glad you found me!
So I can partially help you out here.. I haven't yet gotten around to
man-in-the-middling the BLE for the services, but I hope to get around to
it soon. I was really hoping the Alexa integration would have come out by
now, because the limited stuff the phone does with the bands doesn't have a
lot of information.
That said, the codes you were looking at are *broadcast *codes used by
Disney for the night shows. They behave like a normal bluetooth beacon,
except they are somewhat malformed (longer than they should be by most
bluetooth specs). So the upside is, you can control the bands as a group,
but the downside is, you can't control the bands individually or access any
of the sensors.
An example of a broadcast message using the codes you were looking at would
be as follows (in this case, the command line):
hcitool -i hci0 cmd 0x08 0x0008 1E 02 01 1A 1A ff *83 01* e9 0c 00 0f 0f 5d
46 5b f0 05 32 37 48 95 cf 8a ad
8301 is the marker for disney, and needs to be there. Everything after the
8301 is the codes you are seeing on the wiki.
I have most of the codes I've deciphered up there, but not all of them.
I'll see if I can get some time to update them with the rest of the ones I
know from my last round of experiments... My next trip to disney is a few
months away which is typically when i jump back into this, but if i can
deep dive the handshake/services in the band, I"ll let you know what I
find. If you learn anything along the way as well, I'd love to hear it!
Justin Gehring
***@***.***
…On Sat, Jul 27, 2024 at 5:12 PM ilker Aktuna ***@***.***> wrote:
Hi,
I'm sorry; I could not find any other way to contact you. So I'm trying my
chance to reach via this channel.
I read on the page below , about your findings on Mgicband+ ble codes:
https://emcot.world/Disney_MagicBand%2B_Bluetooth_Codes#The_cc_Codes
I am trying to make a fun application for my family to make use of the
bands at home.
I will try your codes, but I'm not sure which service and characteristic I
have to send the commands.
I see there are 5 different services and a few characteristic under each
service as below.
Could you tell me which one to use ?
I just want to make the band leds do some effects.
service:00001801-0000-1000-8000-00805f9b34fb
characteristic:00002a05-0000-1000-8000-00805f9b34fb
characteristic:00002b2a-0000-1000-8000-00805f9b34fb
characteristic:00002b29-0000-1000-8000-00805f9b34fb
service:00001800-0000-1000-8000-00805f9b34fb
characteristic:00002a00-0000-1000-8000-00805f9b34fb
characteristic:00002a01-0000-1000-8000-00805f9b34fb
service:1d14d6ee-fd63-4fa1-bfa4-8f47b42119f0
characteristic:f7bf3564-fb6d-4e53-88a4-5e37e0326063
characteristic:984227f3-34fc-4045-a5d0-2c581f81a153
service:0000fe03-0000-1000-8000-00805f9b34fb
characteristic:f04eb177-3005-43a7-ac61-a390ddf83076
characteristic:2beea05b-1879-4bb4-8a2f-72641f82420b
characteristic:74f996c9-7d6c-4d58-9232-0427ab61c53c
characteristic:b32e83c0-fece-47c1-9015-53b7e7f0d2fe
service:0000fd98-0000-1000-8000-00805f9b34fb
characteristic:bd75b722-3dda-bef1-454d-7119c8ff26a2
characteristic:0b4d1c14-b070-8938-9a0b-d5f8188488cd
—
Reply to this email directly, view it on GitHub
<#1>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPBGDYBMLSVX6AGFAVDZOQLMNAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43ASLTON2WKOZSGQZTGNRUGE4DANA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
Hi, Thanks for your quick response. How can we contact directly ? (Using this issue thread under an unrelated github repository is not the best method I believe) I have a bluetooth sniffer , so I am now trying to sniff between my phone (Disney app) and the magicband. About broadcast messages; I don't have any experience. And I really don't know the usage of hcitool If Arduino is able to do this, at least I can use broadcast until I discover the codes for unicast (direct) commands. And lastly, what do you mean by " I was really hoping the Alexa integration would have come out by |
|
I've found the method for BLE advertising on esp32 But I need a device name. What should it be ? |
|
Better way to communicate would be to directly email ***@***.***
As far as decyrpting/figuring out what is going on - You might want to take
a look at:
https://github.com/DigitalSecurity/btlejuice
As far as Alexa - There was supposed to be a triva game that integrated
with the bands that was going to be integrated with Alexa's "Hey Disney"
feature. They released Hey Disney a little over a year ago now, and it
still has no magicband+ support as far as I'm aware. It's funny, because
the MagicBand+ boxes still contain the Amazon Alexa logo on the side of
them, despite thie feature still not being released. The only thing that I
have at home to Mitm with is my phone, and I'm not 100% certain that's
using the BLE features at this point... I haven't jumped down that road,
but hope to do that soon.
I have code for both a transmitter and a receiver. I just uploaded the
transmitter code to Github:
https://github.com/jjdb210/Disney_BLE_Dress_Transmitter/blob/main/wand/wand.ino
The code has a bunch of stuff involving buttons for a wand I built, and was
originally built for a Xiao ESP32c3. I'm not sure how cross compatible it
is, but hopefully it works for you. That said, there is a debug tool I put
into it that allows you to send codes directly over serial... So once, it's
loaded into the chip, open the console and paste one of the codes into the
serial prompt with your magic band on... For example, if you put in:
8301e100e905006f0ef5b0
it should cause all magicband+ in the area to glow red. A breakdown of the
code can be found here:
https://emcot.world/Disney_MagicBand%2B_Bluetooth_Codes - If you happen to
figure out any additional details while your playing around.. For example,
how the timing bits work (I know they exist, I just haven't had time to
iterate though and see how they behave), I'd love to get that added to the
documentation/wiki.
To your last question: I don't believe that there is anyway to use
broadcast messages to hit a single magicband. I have not seen any signs of
this either in implementation in the parks, or in any of the data that I've
sniffed.. with maybe 1 small exception... There is what I believe to be a
tracking ping disney sends out that the magic bands respond to... but this
doesn't contain any light up functionality.
Justin Gehring
***@***.***
…On Sun, Jul 28, 2024 at 3:21 AM ilker Aktuna ***@***.***> wrote:
Hi,
Thanks for your quick response. How can we contact directly ? (Using this
issue thread under an unrelated github repository is not the best method I
believe)
I have a bluetooth sniffer , so I am now trying to sniff between my phone
(Disney app) and the magicband.
Unfortunately I could not decrypt the packets. If you have experience on
this, maybe you can help me with that.
Please see here, my question:
https://devzone.nordicsemi.com/f/nordic-q-a/113465/encrypted-packet-decrypted-incorrectly-bad-mic---how-to-get-ltk
About broadcast messages; I don't have any experience. And I really don't
know the usage of hcitool
So if you can describe me what these parameters are (which one is the
address , service, characteristic etc.) , maybe I can try to replicate them
on Arduino , or Java.
hcitool -i hci0 cmd 0x08 0x0008 1E 02 01 1A 1A ff *83 01* e9 0c 00 0f 0f 5d
46 5b f0 05 32 37 48 95 cf 8a ad
If Arduino is able to do this, at least I can use broadcast until I
discover the codes for unicast (direct) commands.
And lastly, what do you mean by " I was really hoping the Alexa
integration would have come out by
now" ?
Is there an expected Alexa integration for Magicband+ ?
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPC5SKPNTJEADJBLQYTZOSSZJAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJUGM4TAOJSG4>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
Thanks.
I am trying to get parts of your code to use in my sketch. But I am confused.
To call your class, I have to use the following code:
SimpleBLE ble;
std::string advertisingdata;
advertisingdata = "8301e100e905006f0ef5b0";
len = advertisingdata.length();
//Serial.printf("AD Length IS: %i \n", len);
for(char i = 0; i < len; i++){
byte extract;
char a = advertisingdata[2*i];
char b = advertisingdata[2*i + 1];
extract = convertCharToHex(a)<<4 | convertCharToHex(b);
raw[i] = extract;
}
ble.begin("");
ble.advertise(raw,len);
But I have to add the class to my code. So I also have to include:
class SimpleBLE {
public:
SimpleBLE(void);
~SimpleBLE(void);
/**
* Start BLE Advertising
*
* @param[in] localName local name to advertise
*
* @return true on success
*
*/
bool begin(String localName=String());
/**
* Advertises data on Manufacturer Data field
*
* @param[in] data String with the message to be transmitted
*
* @return true on success
*
*/
bool advertise(String data);
/**
* Advertises data on Manufacturer Data field
*
* @param[in] data byte array with the message to be transmitted
*
* @param[in] size size of the byte array
*
* @return true on success
*
*/
bool advertise(byte* data, int size);
/**
* Advertises data on Service Data field
*
* @param[in] data String with the message to be transmitted
*
* @return true on success
*
*/
bool serviceAdvertise(String data);
/**
* Advertises data on Service Data field
*
* @param[in] data byte array with the message to be transmitted
*
* @param[in] size size of the byte array
*
* @return true on success
*
*/
bool serviceAdvertise(byte* data, int size);
//bool advertise(byte* data_man, int size_man, byte* data_ser, int size_ser);
//bool advertise(String data_man, String data_ser);
/**
* Stop BLE Advertising
*
* @return none
*/
void end(void);
private:
void clearAdvertiseData();
void fillManufacturerData(byte* data, int size);
void fillServiceData(byte* data, int size);
private:
String local_name;
private:
};
#include "esp32-hal-log.h"
#include "esp_bt.h"
#include "esp_gap_ble_api.h"
#include "esp_gatts_api.h"
#include "esp_bt_defs.h"
#include "esp_bt_main.h"
#define MAX_MANUFACTURER_DATA_SIZE 20
#define MAX_SERVICE_DATA_SIZE 11
esp_ble_adv_data_t adv_data; // data that will be advertised
byte dataBuffer[50];
byte dataBuffer2[50];
// Standard parameters
static esp_ble_adv_data_t _adv_config = {
.set_scan_rsp = false,
.include_name = false,
.include_txpower = false,
/*.min_interval = 512,
.max_interval = 1024, */
.appearance = 0,
.manufacturer_len = 0,
.p_manufacturer_data = NULL,
.service_data_len = 0,
.p_service_data = NULL,
.service_uuid_len = 0,
.p_service_uuid = NULL,
.flag = (ESP_BLE_ADV_FLAG_NON_LIMIT_DISC|ESP_BLE_ADV_FLAG_BREDR_NOT_SPT)
};
//
static esp_ble_adv_params_t _adv_params = {
.adv_int_min = 100,
.adv_int_max = 100,
.adv_type = ADV_TYPE_NONCONN_IND, // Excelent description of this parameter here: https://www.esp32.com/viewtopic.php?t=2267
.own_addr_type = BLE_ADDR_TYPE_PUBLIC,
.peer_addr = {0x00, },
.peer_addr_type = BLE_ADDR_TYPE_PUBLIC,
.channel_map = ADV_CHNL_ALL,
.adv_filter_policy = ADV_FILTER_ALLOW_SCAN_ANY_CON_ANY,
};
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){
if(event == ESP_GAP_BLE_ADV_DATA_SET_COMPLETE_EVT){
esp_ble_gap_start_advertising(&_adv_params);
}
}
static bool _init_gap(const char * name, esp_ble_adv_data_t* adv_data){
if(!btStarted() && !btStart()){
log_e("btStart failed");
return false;
}
esp_bluedroid_status_t bt_state = esp_bluedroid_get_status();
if(bt_state == ESP_BLUEDROID_STATUS_UNINITIALIZED){
if (esp_bluedroid_init()) {
log_e("esp_bluedroid_init failed");
return false;
}
}
if(bt_state != ESP_BLUEDROID_STATUS_ENABLED){
if (esp_bluedroid_enable()) {
log_e("esp_bluedroid_enable failed");
return false;
}
}
if(esp_ble_gap_set_device_name(name)){
log_e("gap_set_device_name failed");
return false;
}
if(esp_ble_gap_config_adv_data(adv_data)){
log_e("gap_config_adv_data failed");
return false;
}
if(esp_ble_gap_register_callback(_on_gap)){
log_e("gap_register_callback failed");
return false;
}
return true;
}
static bool _stop_gap()
{
if(btStarted()){
esp_bluedroid_disable();
esp_bluedroid_deinit();
btStop();
}
return true;
}
/*
* BLE Arduino
*
* */
SimpleBLE::SimpleBLE()
{
local_name = "esp32";
adv_data = {
.set_scan_rsp = false,
.include_name = false,
.include_txpower = false,
.appearance = 0,
.manufacturer_len = 0,
.p_manufacturer_data = NULL, //manufacturer data is what we will use to broadcast our info
.service_data_len = 0,
.p_service_data = NULL,
.service_uuid_len = 0,
.p_service_uuid = NULL,
.flag = (ESP_BLE_ADV_FLAG_BREDR_NOT_SPT|(0x1 << 1))
};
}
SimpleBLE::~SimpleBLE(void)
{
clearAdvertiseData();
_stop_gap();
}
bool SimpleBLE::begin(String localName)
{
if(localName.length()){
local_name = localName;
}
return _init_gap(local_name.c_str(), &_adv_config);
}
void SimpleBLE::end()
{
_stop_gap();
}
bool SimpleBLE::advertise(String data) {
data.getBytes(dataBuffer, data.length()+1);
return advertise(dataBuffer, data.length());
}
bool SimpleBLE::advertise(byte* data, int size) {
clearAdvertiseData();
fillManufacturerData(data, size);
return _init_gap(local_name.c_str(), &adv_data);
}
bool SimpleBLE::serviceAdvertise(String data) {
data.getBytes(dataBuffer, data.length()+1);
return serviceAdvertise(dataBuffer, data.length());
}
bool SimpleBLE::serviceAdvertise(byte* data, int size) {
clearAdvertiseData();
fillServiceData(data, size);
return _init_gap(local_name.c_str(), &adv_data);
}
void SimpleBLE::clearAdvertiseData() {
if(adv_data.p_manufacturer_data != NULL) {
free(adv_data.p_manufacturer_data);
adv_data.p_manufacturer_data = NULL;
adv_data.manufacturer_len = 0;
}
if(adv_data.p_service_data != NULL) {
free(adv_data.p_service_data);
adv_data.p_service_data = NULL;
adv_data.service_data_len = 0;
}
}
void SimpleBLE::fillManufacturerData(byte* data, int size) {
if(size > MAX_MANUFACTURER_DATA_SIZE)
size = MAX_MANUFACTURER_DATA_SIZE;
adv_data.p_manufacturer_data = (uint8_t *) malloc(size*sizeof(uint8_t));
adv_data.manufacturer_len = size;
memcpy(adv_data.p_manufacturer_data, data, size);
}
void SimpleBLE::fillServiceData(byte* data, int size) {
if(size > MAX_SERVICE_DATA_SIZE)
size = MAX_SERVICE_DATA_SIZE;
adv_data.p_service_data = (uint8_t *) malloc(size*sizeof(uint8_t));
adv_data.service_data_len = size;
memcpy(adv_data.p_service_data, data, size);
}
When I add these, I get the following errors during compile:
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: error: variable or field '_on_gap' declared void
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){
^~~~~~~~~~~~~~~~~~~~~~
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: error: 'esp_gap_ble_cb_event_t' was not declared in this scope
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21: note: suggested alternative: 'wifi_prov_cb_event_t'
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){
^~~~~~~~~~~~~~~~~~~~~~
wifi_prov_cb_event_t
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51: error: 'esp_ble_gap_cb_param_t' was not declared in this scope
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){
^~~~~~~~~~~~~~~~~~~~~~
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51: note: suggested alternative: 'esp_sleep_source_t'
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){
^~~~~~~~~~~~~~~~~~~~~~
esp_sleep_source_t
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75: error: 'param' was not declared in this scope
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){
^~~~~
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75: note: suggested alternative: 'Stream'
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param){
^~~~~
Stream
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:444:42: error: 'esp_ble_adv_data_t' has not been declared
static bool _init_gap(const char * name, esp_ble_adv_data_t* adv_data){
^~~~~~~~~~~~~~~~~~
Multiple libraries were found for "WiFi.h"
Used: C:\Users\ilker\AppData\Local\Arduino15\packages\esp32\hardware\esp32\2.0.17\libraries\WiFi
Not used: C:\Users\ilker\Documents\Arduino\libraries\WiFi
exit status 1
Compilation error: variable or field '_on_gap' declared void
|
|
I see github stripped my email out... to communicate via email so we don't
have to deal with that part of the problem, you can email justin at jrcorps
dot com.
That said, 2 questions
1) Did you try running the code i have as-is first? Just to make sure it
works with your transmitter setup? IE: could you send signals from the
console?
2) What version of the IDE are you using? I believe this was originally
written for 2.2.1 which shouldn't matter a ton, but might be part of it. We
might also not be using the same bluetooth libraries.... I believe my
includes might be coming from NimBLE-Arduino by H2zero (avaiable in the
library manager I believe).
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
On Mon, Jul 29, 2024 at 2:47 PM ilker Aktuna ***@***.***>
wrote:
… Thanks.
I am trying to get parts of your code to use in my sketch. But I am
confused.
To call your class, I have to use the following code:
SimpleBLE ble;
std::string advertisingdata;
advertisingdata = "8301e100e905006f0ef5b0";
advertisingdata = message;
len = advertisingdata.length();
//Serial.printf("AD Length IS: %i \n", len);
for(char i = 0; i < len; i++){
byte extract;
char a = advertisingdata[2*i];
char b = advertisingdata[2*i + 1];
extract = convertCharToHex(a)<<4 | convertCharToHex(b);
raw[i] = extract;
}
ble.begin("");
ble.advertise(raw,len);
But I have to add the class to my code. So I also have to include:
class SimpleBLE {
public:
SimpleBLE(void);
~SimpleBLE(void);
/**
* Start BLE Advertising
*
* @param[in] localName local name to advertise
*
* @return true on success
*
*/
bool begin(String localName=String());
/**
* Advertises data on Manufacturer Data field
*
* @param[in] data String with the message to be transmitted
*
* @return true on success
*
*/
bool advertise(String data);
/**
* Advertises data on Manufacturer Data field
*
* @param[in] data byte array with the message to be transmitted
*
* @param[in] size size of the byte array
*
* @return true on success
*
*/
bool advertise(byte* data, int size);
/**
* Advertises data on Service Data field
*
* @param[in] data String with the message to be transmitted
*
* @return true on success
*
*/
bool serviceAdvertise(String data);
/**
* Advertises data on Service Data field
*
* @param[in] data byte array with the message to be transmitted
*
* @param[in] size size of the byte array
*
* @return true on success
*
*/
bool serviceAdvertise(byte* data, int size);
//bool advertise(byte* data_man, int size_man, byte* data_ser, int
size_ser);
//bool advertise(String data_man, String data_ser);
/**
* Stop BLE Advertising
*
* @return none
*/
void end(void);
private:
void clearAdvertiseData();
void fillManufacturerData(byte* data, int size);
void fillServiceData(byte* data, int size);
private:
String local_name;
private:
};
#include "esp32-hal-log.h"
#include "esp_bt.h"
#include "esp_gap_ble_api.h"
#include "esp_gatts_api.h"
#include "esp_bt_defs.h"
#include "esp_bt_main.h"
#define MAX_MANUFACTURER_DATA_SIZE 20
#define MAX_SERVICE_DATA_SIZE 11
esp_ble_adv_data_t adv_data; // data that will be advertised
byte dataBuffer[50];
byte dataBuffer2[50];
// Standard parameters
static esp_ble_adv_data_t _adv_config = {
.set_scan_rsp = false,
.include_name = false,
.include_txpower = false,
/*.min_interval = 512,
.max_interval = 1024, */
.appearance = 0,
.manufacturer_len = 0,
.p_manufacturer_data = NULL,
.service_data_len = 0,
.p_service_data = NULL,
.service_uuid_len = 0,
.p_service_uuid = NULL,
.flag = (ESP_BLE_ADV_FLAG_NON_LIMIT_DISC|ESP_BLE_ADV_FLAG_BREDR_NOT_SPT)
};
//
static esp_ble_adv_params_t _adv_params = {
.adv_int_min = 100,
.adv_int_max = 100,
.adv_type = ADV_TYPE_NONCONN_IND, // Excelent description of this
parameter here: https://www.esp32.com/viewtopic.php?t=2267
.own_addr_type = BLE_ADDR_TYPE_PUBLIC,
.peer_addr = {0x00, },
.peer_addr_type = BLE_ADDR_TYPE_PUBLIC,
.channel_map = ADV_CHNL_ALL,
.adv_filter_policy = ADV_FILTER_ALLOW_SCAN_ANY_CON_ANY,
};
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
if(event == ESP_GAP_BLE_ADV_DATA_SET_COMPLETE_EVT){
esp_ble_gap_start_advertising(&_adv_params);
}
}
static bool _init_gap(const char * name, esp_ble_adv_data_t* adv_data){
if(!btStarted() && !btStart()){
log_e("btStart failed");
return false;
}
esp_bluedroid_status_t bt_state = esp_bluedroid_get_status();
if(bt_state == ESP_BLUEDROID_STATUS_UNINITIALIZED){
if (esp_bluedroid_init()) {
log_e("esp_bluedroid_init failed");
return false;
}
}
if(bt_state != ESP_BLUEDROID_STATUS_ENABLED){
if (esp_bluedroid_enable()) {
log_e("esp_bluedroid_enable failed");
return false;
}
}
if(esp_ble_gap_set_device_name(name)){
log_e("gap_set_device_name failed");
return false;
}
if(esp_ble_gap_config_adv_data(adv_data)){
log_e("gap_config_adv_data failed");
return false;
}
if(esp_ble_gap_register_callback(_on_gap)){
log_e("gap_register_callback failed");
return false;
}
return true;
}
static bool _stop_gap()
{
if(btStarted()){
esp_bluedroid_disable();
esp_bluedroid_deinit();
btStop();
}
return true;
}
/*
* BLE Arduino
*
* */
SimpleBLE::SimpleBLE()
{
local_name = "esp32";
adv_data = {
.set_scan_rsp = false,
.include_name = false,
.include_txpower = false,
.appearance = 0,
.manufacturer_len = 0,
.p_manufacturer_data = NULL, //manufacturer data is what we will use to
broadcast our info
.service_data_len = 0,
.p_service_data = NULL,
.service_uuid_len = 0,
.p_service_uuid = NULL,
.flag = (ESP_BLE_ADV_FLAG_BREDR_NOT_SPT|(0x1 << 1))
};
}
SimpleBLE::~SimpleBLE(void)
{
clearAdvertiseData();
_stop_gap();
}
bool SimpleBLE::begin(String localName)
{
if(localName.length()){
local_name = localName;
}
return _init_gap(local_name.c_str(), &_adv_config);
}
void SimpleBLE::end()
{
_stop_gap();
}
bool SimpleBLE::advertise(String data) {
data.getBytes(dataBuffer, data.length()+1);
return advertise(dataBuffer, data.length());
}
bool SimpleBLE::advertise(byte* data, int size) {
clearAdvertiseData();
fillManufacturerData(data, size);
return _init_gap(local_name.c_str(), &adv_data);
}
bool SimpleBLE::serviceAdvertise(String data) {
data.getBytes(dataBuffer, data.length()+1);
return serviceAdvertise(dataBuffer, data.length());
}
bool SimpleBLE::serviceAdvertise(byte* data, int size) {
clearAdvertiseData();
fillServiceData(data, size);
return _init_gap(local_name.c_str(), &adv_data);
}
void SimpleBLE::clearAdvertiseData() {
if(adv_data.p_manufacturer_data != NULL) {
free(adv_data.p_manufacturer_data);
adv_data.p_manufacturer_data = NULL;
adv_data.manufacturer_len = 0;
}
if(adv_data.p_service_data != NULL) {
free(adv_data.p_service_data);
adv_data.p_service_data = NULL;
adv_data.service_data_len = 0;
}
}
void SimpleBLE::fillManufacturerData(byte* data, int size) {
if(size > MAX_MANUFACTURER_DATA_SIZE)
size = MAX_MANUFACTURER_DATA_SIZE;
adv_data.p_manufacturer_data = (uint8_t *) malloc(size*sizeof(uint8_t));
adv_data.manufacturer_len = size;
memcpy(adv_data.p_manufacturer_data, data, size);
}
void SimpleBLE::fillServiceData(byte* data, int size) {
if(size > MAX_SERVICE_DATA_SIZE)
size = MAX_SERVICE_DATA_SIZE;
adv_data.p_service_data = (uint8_t *) malloc(size*sizeof(uint8_t));
adv_data.service_data_len = size;
memcpy(adv_data.p_service_data, data, size);
}
When I add these, I get the following errors during compile:
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21:
error: variable or field '_on_gap' declared void
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~~~~~~~~~~~~~~~~~~
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21:
error: 'esp_gap_ble_cb_event_t' was not declared in this scope
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21:
note: suggested alternative: 'wifi_prov_cb_event_t'
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~~~~~~~~~~~~~~~~~~
wifi_prov_cb_event_t
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51:
error: 'esp_ble_gap_cb_param_t' was not declared in this scope
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~~~~~~~~~~~~~~~~~~
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51:
note: suggested alternative: 'esp_sleep_source_t'
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~~~~~~~~~~~~~~~~~~
esp_sleep_source_t
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75:
error: 'param' was not declared in this scope
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75:
note: suggested alternative: 'Stream'
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~
Stream
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:444:42:
error: 'esp_ble_adv_data_t' has not been declared
static bool _init_gap(const char * name, esp_ble_adv_data_t* adv_data){
^~~~~~~~~~~~~~~~~~
Multiple libraries were found for "WiFi.h"
Used:
C:\Users\ilker\AppData\Local\Arduino15\packages\esp32\hardware\esp32\2.0.17\libraries\WiFi
Not used: C:\Users\ilker\Documents\Arduino\libraries\WiFi
exit status 1
Compilation error: variable or field '_on_gap' declared void
From: jjdb210 ***@***.***>
Sent: 28 Temmuz 2024 Pazar 19:20
To: jjdb210/CheesyNipClicker ***@***.***>
Cc: ilker Aktuna ***@***.***>; Author ***@***.***>
Subject: Re: [jjdb210/CheesyNipClicker] about Disney Magicband bluetooth
codes (Issue #1)
Better way to communicate would be to directly email ***@***.*** <mailto:***@***.***>
As far as decyrpting/figuring out what is going on - You might want to
take
a look at:
https://github.com/DigitalSecurity/btlejuice
As far as Alexa - There was supposed to be a triva game that integrated
with the bands that was going to be integrated with Alexa's "Hey Disney"
feature. They released Hey Disney a little over a year ago now, and it
still has no magicband+ support as far as I'm aware. It's funny, because
the MagicBand+ boxes still contain the Amazon Alexa logo on the side of
them, despite thie feature still not being released. The only thing that I
have at home to Mitm with is my phone, and I'm not 100% certain that's
using the BLE features at this point... I haven't jumped down that road,
but hope to do that soon.
I have code for both a transmitter and a receiver. I just uploaded the
transmitter code to Github:
https://github.com/jjdb210/Disney_BLE_Dress_Transmitter/blob/main/wand/wand.ino
The code has a bunch of stuff involving buttons for a wand I built, and
was
originally built for a Xiao ESP32c3. I'm not sure how cross compatible it
is, but hopefully it works for you. That said, there is a debug tool I put
into it that allows you to send codes directly over serial... So once,
it's
loaded into the chip, open the console and paste one of the codes into the
serial prompt with your magic band on... For example, if you put in:
8301e100e905006f0ef5b0
it should cause all magicband+ in the area to glow red. A breakdown of the
code can be found here:
https://emcot.world/Disney_MagicBand%2B_Bluetooth_Codes - If you happen
to
figure out any additional details while your playing around.. For example,
how the timing bits work (I know they exist, I just haven't had time to
iterate though and see how they behave), I'd love to get that added to the
documentation/wiki.
To your last question: I don't believe that there is anyway to use
broadcast messages to hit a single magicband. I have not seen any signs of
this either in implementation in the parks, or in any of the data that
I've
sniffed.. with maybe 1 small exception... There is what I believe to be a
tracking ping disney sends out that the magic bands respond to... but this
doesn't contain any light up functionality.
Justin Gehring
***@***.*** <mailto:***@***.***>
On Sun, Jul 28, 2024 at 3:21 AM ilker Aktuna ***@***.*** <mailto:***@***.***>
>
wrote:
> Hi,
>
> Thanks for your quick response. How can we contact directly ? (Using
this
> issue thread under an unrelated github repository is not the best method
I
> believe)
>
> I have a bluetooth sniffer , so I am now trying to sniff between my
phone
> (Disney app) and the magicband.
> Unfortunately I could not decrypt the packets. If you have experience on
> this, maybe you can help me with that.
> Please see here, my question:
>
>
https://devzone.nordicsemi.com/f/nordic-q-a/113465/encrypted-packet-decrypted-incorrectly-bad-mic---how-to-get-ltk
>
> About broadcast messages; I don't have any experience. And I really
don't
> know the usage of hcitool
> So if you can describe me what these parameters are (which one is the
> address , service, characteristic etc.) , maybe I can try to replicate
them
> on Arduino , or Java.
>
> hcitool -i hci0 cmd 0x08 0x0008 1E 02 01 1A 1A ff *83 01* e9 0c 00 0f 0f
5d
> 46 5b f0 05 32 37 48 95 cf 8a ad
>
> If Arduino is able to do this, at least I can use broadcast until I
> discover the codes for unicast (direct) commands.
>
> And lastly, what do you mean by " I was really hoping the Alexa
> integration would have come out by
> now" ?
> Is there an expected Alexa integration for Magicband+ ?
>
> —
> Reply to this email directly, view it on GitHub
> <
#1 (comment)>,
> or unsubscribe
> <
https://github.com/notifications/unsubscribe-auth/AFTUZPC5SKPNTJEADJBLQYTZOSSZJAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJUGM4TAOJSG4>
> .
> You are receiving this because you commented.Message ID:
> ***@***.*** <mailto:***@***.***> >
>
—
Reply to this email directly, view it on GitHub <
#1 (comment)>
, or unsubscribe <
https://github.com/notifications/unsubscribe-auth/AMIGSAS7FUMLMIB2XTMWLXDZOUK4HAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJUGU3TCMJSGM>
.
You are receiving this because you authored the thread. <
https://github.com/notifications/beacon/AMIGSAUB6SZ5PTN5PBDH6GTZOUK4HA5CNFSM6AAAAABLSGU2VGWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTUGMIDHG.gif>
Message ID: ***@***.*** ***@***.***> >
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPAOFNWA7XFGLQSMBQLZO2L5JAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJWG43DQNRRHA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
Hi,
I’ve solved the issue about compile. Now it compiles, but together with my code it gets too big, and I get the following error:
Sketch uses 1555953 bytes (118%) of program storage space. Maximum is 1310720 bytes.
Global variables use 61080 bytes (18%) of dynamic memory, leaving 266600 bytes for local variables. Maximum is 327680 bytes.
Generic BLE libraries take too much space. I know that because before I had similar issues.
As a solution, I had found an optimized library named NimBLE.
With that library in fact it is easy to create an advertisement, such as:
#include "NimBLEDevice.h"
std::string advDataString = /* Length */ "\x1E"
/* Flags */ "\x02\x01\x1A"
/* Manufacturer info */ "\x1A\xFF"
/* Custom data */ "\x83\x01\xE9\x0C\x00\x0F\x0F\x5D\x46\x5B\xF0\x05\x32\x37\x48\x95\xCF\x8A\xAD";
NimBLEDevice::init("disney");
NimBLEAdvertising *pAdvertising = NimBLEDevice::getAdvertising(); // create advertising instance
NimBLEAdvertisementData advertisementData;
advertisementData.setManufacturerData(advDataString); // Set the advertisement data
pAdvertising->setAdvertisementData(advertisementData);
pAdvertising->addServiceUUID("ABCD");
pAdvertising->start(); // start advertising
but this did not make any change on the magicband.
Do you see what I am missing here ?
Thanks
From: jjdb210 ***@***.***>
Sent: 29 Temmuz 2024 Pazartesi 23:05
To: jjdb210/CheesyNipClicker ***@***.***>
Cc: ilker Aktuna ***@***.***>; Author ***@***.***>
Subject: Re: [jjdb210/CheesyNipClicker] about Disney Magicband bluetooth codes (Issue #1)
I see github stripped my email out... to communicate via email so we don't
have to deal with that part of the problem, you can email justin at jrcorps
dot com.
That said, 2 questions
1) Did you try running the code i have as-is first? Just to make sure it
works with your transmitter setup? IE: could you send signals from the
console?
2) What version of the IDE are you using? I believe this was originally
written for 2.2.1 which shouldn't matter a ton, but might be part of it. We
might also not be using the same bluetooth libraries.... I believe my
includes might be coming from NimBLE-Arduino by H2zero (avaiable in the
library manager I believe).
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.*** <mailto:***@***.***>
On Mon, Jul 29, 2024 at 2:47 PM ilker Aktuna ***@***.*** <mailto:***@***.***> >
wrote:
Thanks.
I am trying to get parts of your code to use in my sketch. But I am
confused.
To call your class, I have to use the following code:
SimpleBLE ble;
std::string advertisingdata;
advertisingdata = "8301e100e905006f0ef5b0";
advertisingdata = message;
len = advertisingdata.length();
//Serial.printf("AD Length IS: %i \n", len);
for(char i = 0; i < len; i++){
byte extract;
char a = advertisingdata[2*i];
char b = advertisingdata[2*i + 1];
extract = convertCharToHex(a)<<4 | convertCharToHex(b);
raw[i] = extract;
}
ble.begin("");
ble.advertise(raw,len);
But I have to add the class to my code. So I also have to include:
class SimpleBLE {
public:
SimpleBLE(void);
~SimpleBLE(void);
/**
* Start BLE Advertising
*
* @param[in] localName local name to advertise
*
* @return true on success
*
*/
bool begin(String localName=String());
/**
* Advertises data on Manufacturer Data field
*
* @param[in] data String with the message to be transmitted
*
* @return true on success
*
*/
bool advertise(String data);
/**
* Advertises data on Manufacturer Data field
*
* @param[in] data byte array with the message to be transmitted
*
* @param[in] size size of the byte array
*
* @return true on success
*
*/
bool advertise(byte* data, int size);
/**
* Advertises data on Service Data field
*
* @param[in] data String with the message to be transmitted
*
* @return true on success
*
*/
bool serviceAdvertise(String data);
/**
* Advertises data on Service Data field
*
* @param[in] data byte array with the message to be transmitted
*
* @param[in] size size of the byte array
*
* @return true on success
*
*/
bool serviceAdvertise(byte* data, int size);
//bool advertise(byte* data_man, int size_man, byte* data_ser, int
size_ser);
//bool advertise(String data_man, String data_ser);
/**
* Stop BLE Advertising
*
* @return none
*/
void end(void);
private:
void clearAdvertiseData();
void fillManufacturerData(byte* data, int size);
void fillServiceData(byte* data, int size);
private:
String local_name;
private:
};
#include "esp32-hal-log.h"
#include "esp_bt.h"
#include "esp_gap_ble_api.h"
#include "esp_gatts_api.h"
#include "esp_bt_defs.h"
#include "esp_bt_main.h"
#define MAX_MANUFACTURER_DATA_SIZE 20
#define MAX_SERVICE_DATA_SIZE 11
esp_ble_adv_data_t adv_data; // data that will be advertised
byte dataBuffer[50];
byte dataBuffer2[50];
// Standard parameters
static esp_ble_adv_data_t _adv_config = {
.set_scan_rsp = false,
.include_name = false,
.include_txpower = false,
/*.min_interval = 512,
.max_interval = 1024, */
.appearance = 0,
.manufacturer_len = 0,
.p_manufacturer_data = NULL,
.service_data_len = 0,
.p_service_data = NULL,
.service_uuid_len = 0,
.p_service_uuid = NULL,
.flag = (ESP_BLE_ADV_FLAG_NON_LIMIT_DISC|ESP_BLE_ADV_FLAG_BREDR_NOT_SPT)
};
//
static esp_ble_adv_params_t _adv_params = {
.adv_int_min = 100,
.adv_int_max = 100,
.adv_type = ADV_TYPE_NONCONN_IND, // Excelent description of this
parameter here: https://www.esp32.com/viewtopic.php?t=2267
.own_addr_type = BLE_ADDR_TYPE_PUBLIC,
.peer_addr = {0x00, },
.peer_addr_type = BLE_ADDR_TYPE_PUBLIC,
.channel_map = ADV_CHNL_ALL,
.adv_filter_policy = ADV_FILTER_ALLOW_SCAN_ANY_CON_ANY,
};
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
if(event == ESP_GAP_BLE_ADV_DATA_SET_COMPLETE_EVT){
esp_ble_gap_start_advertising(&_adv_params);
}
}
static bool _init_gap(const char * name, esp_ble_adv_data_t* adv_data){
if(!btStarted() && !btStart()){
log_e("btStart failed");
return false;
}
esp_bluedroid_status_t bt_state = esp_bluedroid_get_status();
if(bt_state == ESP_BLUEDROID_STATUS_UNINITIALIZED){
if (esp_bluedroid_init()) {
log_e("esp_bluedroid_init failed");
return false;
}
}
if(bt_state != ESP_BLUEDROID_STATUS_ENABLED){
if (esp_bluedroid_enable()) {
log_e("esp_bluedroid_enable failed");
return false;
}
}
if(esp_ble_gap_set_device_name(name)){
log_e("gap_set_device_name failed");
return false;
}
if(esp_ble_gap_config_adv_data(adv_data)){
log_e("gap_config_adv_data failed");
return false;
}
if(esp_ble_gap_register_callback(_on_gap)){
log_e("gap_register_callback failed");
return false;
}
return true;
}
static bool _stop_gap()
{
if(btStarted()){
esp_bluedroid_disable();
esp_bluedroid_deinit();
btStop();
}
return true;
}
/*
* BLE Arduino
*
* */
SimpleBLE::SimpleBLE()
{
local_name = "esp32";
adv_data = {
.set_scan_rsp = false,
.include_name = false,
.include_txpower = false,
.appearance = 0,
.manufacturer_len = 0,
.p_manufacturer_data = NULL, //manufacturer data is what we will use to
broadcast our info
.service_data_len = 0,
.p_service_data = NULL,
.service_uuid_len = 0,
.p_service_uuid = NULL,
.flag = (ESP_BLE_ADV_FLAG_BREDR_NOT_SPT|(0x1 << 1))
};
}
SimpleBLE::~SimpleBLE(void)
{
clearAdvertiseData();
_stop_gap();
}
bool SimpleBLE::begin(String localName)
{
if(localName.length()){
local_name = localName;
}
return _init_gap(local_name.c_str(), &_adv_config);
}
void SimpleBLE::end()
{
_stop_gap();
}
bool SimpleBLE::advertise(String data) {
data.getBytes(dataBuffer, data.length()+1);
return advertise(dataBuffer, data.length());
}
bool SimpleBLE::advertise(byte* data, int size) {
clearAdvertiseData();
fillManufacturerData(data, size);
return _init_gap(local_name.c_str(), &adv_data);
}
bool SimpleBLE::serviceAdvertise(String data) {
data.getBytes(dataBuffer, data.length()+1);
return serviceAdvertise(dataBuffer, data.length());
}
bool SimpleBLE::serviceAdvertise(byte* data, int size) {
clearAdvertiseData();
fillServiceData(data, size);
return _init_gap(local_name.c_str(), &adv_data);
}
void SimpleBLE::clearAdvertiseData() {
if(adv_data.p_manufacturer_data != NULL) {
free(adv_data.p_manufacturer_data);
adv_data.p_manufacturer_data = NULL;
adv_data.manufacturer_len = 0;
}
if(adv_data.p_service_data != NULL) {
free(adv_data.p_service_data);
adv_data.p_service_data = NULL;
adv_data.service_data_len = 0;
}
}
void SimpleBLE::fillManufacturerData(byte* data, int size) {
if(size > MAX_MANUFACTURER_DATA_SIZE)
size = MAX_MANUFACTURER_DATA_SIZE;
adv_data.p_manufacturer_data = (uint8_t *) malloc(size*sizeof(uint8_t));
adv_data.manufacturer_len = size;
memcpy(adv_data.p_manufacturer_data, data, size);
}
void SimpleBLE::fillServiceData(byte* data, int size) {
if(size > MAX_SERVICE_DATA_SIZE)
size = MAX_SERVICE_DATA_SIZE;
adv_data.p_service_data = (uint8_t *) malloc(size*sizeof(uint8_t));
adv_data.service_data_len = size;
memcpy(adv_data.p_service_data, data, size);
}
When I add these, I get the following errors during compile:
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21:
error: variable or field '_on_gap' declared void
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~~~~~~~~~~~~~~~~~~
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21:
error: 'esp_gap_ble_cb_event_t' was not declared in this scope
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21:
note: suggested alternative: 'wifi_prov_cb_event_t'
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~~~~~~~~~~~~~~~~~~
wifi_prov_cb_event_t
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51:
error: 'esp_ble_gap_cb_param_t' was not declared in this scope
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~~~~~~~~~~~~~~~~~~
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51:
note: suggested alternative: 'esp_sleep_source_t'
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~~~~~~~~~~~~~~~~~~
esp_sleep_source_t
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75:
error: 'param' was not declared in this scope
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75:
note: suggested alternative: 'Stream'
static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
*param){
^~~~~
Stream
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:444:42:
error: 'esp_ble_adv_data_t' has not been declared
static bool _init_gap(const char * name, esp_ble_adv_data_t* adv_data){
^~~~~~~~~~~~~~~~~~
Multiple libraries were found for "WiFi.h"
Used:
C:\Users\ilker\AppData\Local\Arduino15\packages\esp32\hardware\esp32\2.0.17\libraries\WiFi
Not used: C:\Users\ilker\Documents\Arduino\libraries\WiFi
exit status 1
Compilation error: variable or field '_on_gap' declared void
From: jjdb210 ***@***.*** <mailto:***@***.***> >
Sent: 28 Temmuz 2024 Pazar 19:20
To: jjdb210/CheesyNipClicker ***@***.*** <mailto:***@***.***> >
Cc: ilker Aktuna ***@***.*** <mailto:***@***.***> >; Author ***@***.*** <mailto:***@***.***> >
Subject: Re: [jjdb210/CheesyNipClicker] about Disney Magicband bluetooth
codes (Issue #1)
Better way to communicate would be to directly email ***@***.*** <mailto:***@***.***> <mailto:***@***.***>
As far as decyrpting/figuring out what is going on - You might want to
take
a look at:
https://github.com/DigitalSecurity/btlejuice
As far as Alexa - There was supposed to be a triva game that integrated
with the bands that was going to be integrated with Alexa's "Hey Disney"
feature. They released Hey Disney a little over a year ago now, and it
still has no magicband+ support as far as I'm aware. It's funny, because
the MagicBand+ boxes still contain the Amazon Alexa logo on the side of
them, despite thie feature still not being released. The only thing that I
have at home to Mitm with is my phone, and I'm not 100% certain that's
using the BLE features at this point... I haven't jumped down that road,
but hope to do that soon.
I have code for both a transmitter and a receiver. I just uploaded the
transmitter code to Github:
https://github.com/jjdb210/Disney_BLE_Dress_Transmitter/blob/main/wand/wand.ino
The code has a bunch of stuff involving buttons for a wand I built, and
was
originally built for a Xiao ESP32c3. I'm not sure how cross compatible it
is, but hopefully it works for you. That said, there is a debug tool I put
into it that allows you to send codes directly over serial... So once,
it's
loaded into the chip, open the console and paste one of the codes into the
serial prompt with your magic band on... For example, if you put in:
8301e100e905006f0ef5b0
it should cause all magicband+ in the area to glow red. A breakdown of the
code can be found here:
https://emcot.world/Disney_MagicBand%2B_Bluetooth_Codes - If you happen
to
figure out any additional details while your playing around.. For example,
how the timing bits work (I know they exist, I just haven't had time to
iterate though and see how they behave), I'd love to get that added to the
documentation/wiki.
To your last question: I don't believe that there is anyway to use
broadcast messages to hit a single magicband. I have not seen any signs of
this either in implementation in the parks, or in any of the data that
I've
sniffed.. with maybe 1 small exception... There is what I believe to be a
tracking ping disney sends out that the magic bands respond to... but this
doesn't contain any light up functionality.
Justin Gehring
***@***.*** <mailto:***@***.***> <mailto:***@***.***>
On Sun, Jul 28, 2024 at 3:21 AM ilker Aktuna ***@***.*** <mailto:***@***.***> <mailto:***@***.***>
>
wrote:
> Hi,
>
> Thanks for your quick response. How can we contact directly ? (Using
this
> issue thread under an unrelated github repository is not the best method
I
> believe)
>
> I have a bluetooth sniffer , so I am now trying to sniff between my
phone
> (Disney app) and the magicband.
> Unfortunately I could not decrypt the packets. If you have experience on
> this, maybe you can help me with that.
> Please see here, my question:
>
>
https://devzone.nordicsemi.com/f/nordic-q-a/113465/encrypted-packet-decrypted-incorrectly-bad-mic---how-to-get-ltk
>
> About broadcast messages; I don't have any experience. And I really
don't
> know the usage of hcitool
> So if you can describe me what these parameters are (which one is the
> address , service, characteristic etc.) , maybe I can try to replicate
them
> on Arduino , or Java.
>
> hcitool -i hci0 cmd 0x08 0x0008 1E 02 01 1A 1A ff *83 01* e9 0c 00 0f 0f
5d
> 46 5b f0 05 32 37 48 95 cf 8a ad
>
> If Arduino is able to do this, at least I can use broadcast until I
> discover the codes for unicast (direct) commands.
>
> And lastly, what do you mean by " I was really hoping the Alexa
> integration would have come out by
> now" ?
> Is there an expected Alexa integration for Magicband+ ?
>
> —
> Reply to this email directly, view it on GitHub
> <
#1 (comment)>,
> or unsubscribe
> <
https://github.com/notifications/unsubscribe-auth/AFTUZPC5SKPNTJEADJBLQYTZOSSZJAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJUGM4TAOJSG4>
> .
> You are receiving this because you commented.Message ID:
> ***@***.*** <mailto:***@***.***> <mailto:***@***.***> >
>
—
Reply to this email directly, view it on GitHub <
#1 (comment)>
, or unsubscribe <
https://github.com/notifications/unsubscribe-auth/AMIGSAS7FUMLMIB2XTMWLXDZOUK4HAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJUGU3TCMJSGM>
.
You are receiving this because you authored the thread. <
https://github.com/notifications/beacon/AMIGSAUB6SZ5PTN5PBDH6GTZOUK4HA5CNFSM6AAAAABLSGU2VGWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTUGMIDHG.gif>
Message ID: ***@***.*** <mailto:***@***.***> ***@***.*** <mailto:***@***.***> > >
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPAOFNWA7XFGLQSMBQLZO2L5JAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJWG43DQNRRHA>
.
You are receiving this because you commented.Message ID:
***@***.*** <mailto:***@***.***> >
—
Reply to this email directly, view it on GitHub <#1 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AMIGSAUZG2XEAMPC3I2654DZO2N5RAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJWG44TMNRWGQ> .
You are receiving this because you authored the thread. <https://github.com/notifications/beacon/AMIGSAXIY74CG5EBGBKH4NTZO2N5RA5CNFSM6AAAAABLSGU2VGWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTUGQP57Q.gif> Message ID: ***@***.*** ***@***.***> >
|
|
Try moving the 8301 to the manufacturing info and out of the data packet.
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
On Mon, Jul 29, 2024 at 3:15 PM ilker Aktuna ***@***.***>
wrote:
… Hi,
I’ve solved the issue about compile. Now it compiles, but together with my
code it gets too big, and I get the following error:
Sketch uses 1555953 bytes (118%) of program storage space. Maximum is
1310720 bytes.
Global variables use 61080 bytes (18%) of dynamic memory, leaving 266600
bytes for local variables. Maximum is 327680 bytes.
Generic BLE libraries take too much space. I know that because before I
had similar issues.
As a solution, I had found an optimized library named NimBLE.
With that library in fact it is easy to create an advertisement, such as:
#include "NimBLEDevice.h"
std::string advDataString = /* Length */ "\x1E"
/* Flags */ "\x02\x01\x1A"
/* Manufacturer info */ "\x1A\xFF"
/* Custom data */
"\x83\x01\xE9\x0C\x00\x0F\x0F\x5D\x46\x5B\xF0\x05\x32\x37\x48\x95\xCF\x8A\xAD";
NimBLEDevice::init("disney");
NimBLEAdvertising *pAdvertising = NimBLEDevice::getAdvertising(); //
create advertising instance
NimBLEAdvertisementData advertisementData;
advertisementData.setManufacturerData(advDataString); // Set the
advertisement data
pAdvertising->setAdvertisementData(advertisementData);
pAdvertising->addServiceUUID("ABCD");
pAdvertising->start(); // start advertising
but this did not make any change on the magicband.
Do you see what I am missing here ?
Thanks
From: jjdb210 ***@***.***>
Sent: 29 Temmuz 2024 Pazartesi 23:05
To: jjdb210/CheesyNipClicker ***@***.***>
Cc: ilker Aktuna ***@***.***>; Author ***@***.***>
Subject: Re: [jjdb210/CheesyNipClicker] about Disney Magicband bluetooth
codes (Issue #1)
I see github stripped my email out... to communicate via email so we don't
have to deal with that part of the problem, you can email justin at
jrcorps
dot com.
That said, 2 questions
1) Did you try running the code i have as-is first? Just to make sure it
works with your transmitter setup? IE: could you send signals from the
console?
2) What version of the IDE are you using? I believe this was originally
written for 2.2.1 which shouldn't matter a ton, but might be part of it.
We
might also not be using the same bluetooth libraries.... I believe my
includes might be coming from NimBLE-Arduino by H2zero (avaiable in the
library manager I believe).
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.*** <mailto:***@***.***>
On Mon, Jul 29, 2024 at 2:47 PM ilker Aktuna ***@***.*** <mailto:***@***.***>
>
wrote:
> Thanks.
>
> I am trying to get parts of your code to use in my sketch. But I am
> confused.
>
> To call your class, I have to use the following code:
>
> SimpleBLE ble;
>
> std::string advertisingdata;
>
>
>
> advertisingdata = "8301e100e905006f0ef5b0";
>
>
>
> advertisingdata = message;
>
> len = advertisingdata.length();
>
> //Serial.printf("AD Length IS: %i \n", len);
>
> for(char i = 0; i < len; i++){
>
> byte extract;
>
> char a = advertisingdata[2*i];
>
> char b = advertisingdata[2*i + 1];
>
> extract = convertCharToHex(a)<<4 | convertCharToHex(b);
>
> raw[i] = extract;
>
> }
>
> ble.begin("");
>
> ble.advertise(raw,len);
>
>
>
> But I have to add the class to my code. So I also have to include:
>
>
>
>
>
> class SimpleBLE {
>
> public:
>
>
>
> SimpleBLE(void);
>
> ~SimpleBLE(void);
>
>
>
> /**
>
> * Start BLE Advertising
>
> *
>
> * @param[in] localName local name to advertise
>
> *
>
> * @return true on success
>
> *
>
> */
>
> bool begin(String localName=String());
>
>
>
> /**
>
> * Advertises data on Manufacturer Data field
>
> *
>
> * @param[in] data String with the message to be transmitted
>
> *
>
> * @return true on success
>
> *
>
> */
>
> bool advertise(String data);
>
>
>
> /**
>
> * Advertises data on Manufacturer Data field
>
> *
>
> * @param[in] data byte array with the message to be transmitted
>
> *
>
> * @param[in] size size of the byte array
>
> *
>
> * @return true on success
>
> *
>
> */
>
> bool advertise(byte* data, int size);
>
>
>
> /**
>
> * Advertises data on Service Data field
>
> *
>
> * @param[in] data String with the message to be transmitted
>
> *
>
> * @return true on success
>
> *
>
> */
>
> bool serviceAdvertise(String data);
>
>
>
> /**
>
> * Advertises data on Service Data field
>
> *
>
> * @param[in] data byte array with the message to be transmitted
>
> *
>
> * @param[in] size size of the byte array
>
> *
>
> * @return true on success
>
> *
>
> */
>
> bool serviceAdvertise(byte* data, int size);
>
>
>
> //bool advertise(byte* data_man, int size_man, byte* data_ser, int
> size_ser);
>
>
>
> //bool advertise(String data_man, String data_ser);
>
>
>
> /**
>
> * Stop BLE Advertising
>
> *
>
> * @return none
>
> */
>
> void end(void);
>
>
>
> private:
>
> void clearAdvertiseData();
>
>
>
> void fillManufacturerData(byte* data, int size);
>
>
>
> void fillServiceData(byte* data, int size);
>
>
>
>
>
>
>
> private:
>
> String local_name;
>
> private:
>
>
>
> };
>
>
>
> #include "esp32-hal-log.h"
>
>
>
> #include "esp_bt.h"
>
> #include "esp_gap_ble_api.h"
>
> #include "esp_gatts_api.h"
>
> #include "esp_bt_defs.h"
>
> #include "esp_bt_main.h"
>
>
>
> #define MAX_MANUFACTURER_DATA_SIZE 20
>
> #define MAX_SERVICE_DATA_SIZE 11
>
>
>
> esp_ble_adv_data_t adv_data; // data that will be advertised
>
> byte dataBuffer[50];
>
> byte dataBuffer2[50];
>
>
>
> // Standard parameters
>
> static esp_ble_adv_data_t _adv_config = {
>
> .set_scan_rsp = false,
>
> .include_name = false,
>
> .include_txpower = false,
>
> /*.min_interval = 512,
>
> .max_interval = 1024, */
>
> .appearance = 0,
>
> .manufacturer_len = 0,
>
> .p_manufacturer_data = NULL,
>
> .service_data_len = 0,
>
> .p_service_data = NULL,
>
> .service_uuid_len = 0,
>
> .p_service_uuid = NULL,
>
> .flag = (ESP_BLE_ADV_FLAG_NON_LIMIT_DISC|ESP_BLE_ADV_FLAG_BREDR_NOT_SPT)
>
> };
>
>
>
>
>
> //
>
> static esp_ble_adv_params_t _adv_params = {
>
> .adv_int_min = 100,
>
> .adv_int_max = 100,
>
> .adv_type = ADV_TYPE_NONCONN_IND, // Excelent description of this
> parameter here: https://www.esp32.com/viewtopic.php?t=2267
>
> .own_addr_type = BLE_ADDR_TYPE_PUBLIC,
>
> .peer_addr = {0x00, },
>
> .peer_addr_type = BLE_ADDR_TYPE_PUBLIC,
>
> .channel_map = ADV_CHNL_ALL,
>
> .adv_filter_policy = ADV_FILTER_ALLOW_SCAN_ANY_CON_ANY,
>
> };
>
>
>
> static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
> *param){
>
> if(event == ESP_GAP_BLE_ADV_DATA_SET_COMPLETE_EVT){
>
> esp_ble_gap_start_advertising(&_adv_params);
>
> }
>
> }
>
>
>
> static bool _init_gap(const char * name, esp_ble_adv_data_t* adv_data){
>
> if(!btStarted() && !btStart()){
>
> log_e("btStart failed");
>
> return false;
>
> }
>
> esp_bluedroid_status_t bt_state = esp_bluedroid_get_status();
>
> if(bt_state == ESP_BLUEDROID_STATUS_UNINITIALIZED){
>
> if (esp_bluedroid_init()) {
>
> log_e("esp_bluedroid_init failed");
>
> return false;
>
> }
>
> }
>
> if(bt_state != ESP_BLUEDROID_STATUS_ENABLED){
>
> if (esp_bluedroid_enable()) {
>
> log_e("esp_bluedroid_enable failed");
>
> return false;
>
> }
>
> }
>
> if(esp_ble_gap_set_device_name(name)){
>
> log_e("gap_set_device_name failed");
>
> return false;
>
> }
>
> if(esp_ble_gap_config_adv_data(adv_data)){
>
> log_e("gap_config_adv_data failed");
>
> return false;
>
> }
>
> if(esp_ble_gap_register_callback(_on_gap)){
>
> log_e("gap_register_callback failed");
>
> return false;
>
> }
>
> return true;
>
> }
>
>
>
> static bool _stop_gap()
>
> {
>
> if(btStarted()){
>
> esp_bluedroid_disable();
>
> esp_bluedroid_deinit();
>
> btStop();
>
> }
>
> return true;
>
> }
>
>
>
> /*
>
> * BLE Arduino
>
> *
>
> * */
>
>
>
> SimpleBLE::SimpleBLE()
>
> {
>
> local_name = "esp32";
>
> adv_data = {
>
> .set_scan_rsp = false,
>
> .include_name = false,
>
> .include_txpower = false,
>
> .appearance = 0,
>
> .manufacturer_len = 0,
>
> .p_manufacturer_data = NULL, //manufacturer data is what we will use to
> broadcast our info
>
> .service_data_len = 0,
>
> .p_service_data = NULL,
>
> .service_uuid_len = 0,
>
> .p_service_uuid = NULL,
>
> .flag = (ESP_BLE_ADV_FLAG_BREDR_NOT_SPT|(0x1 << 1))
>
> };
>
> }
>
>
>
> SimpleBLE::~SimpleBLE(void)
>
> {
>
> clearAdvertiseData();
>
> _stop_gap();
>
> }
>
>
>
> bool SimpleBLE::begin(String localName)
>
> {
>
> if(localName.length()){
>
> local_name = localName;
>
> }
>
> return _init_gap(local_name.c_str(), &_adv_config);
>
> }
>
>
>
> void SimpleBLE::end()
>
> {
>
> _stop_gap();
>
> }
>
>
>
> bool SimpleBLE::advertise(String data) {
>
> data.getBytes(dataBuffer, data.length()+1);
>
> return advertise(dataBuffer, data.length());
>
> }
>
>
>
> bool SimpleBLE::advertise(byte* data, int size) {
>
> clearAdvertiseData();
>
> fillManufacturerData(data, size);
>
> return _init_gap(local_name.c_str(), &adv_data);
>
> }
>
>
>
> bool SimpleBLE::serviceAdvertise(String data) {
>
> data.getBytes(dataBuffer, data.length()+1);
>
> return serviceAdvertise(dataBuffer, data.length());
>
> }
>
>
>
> bool SimpleBLE::serviceAdvertise(byte* data, int size) {
>
> clearAdvertiseData();
>
> fillServiceData(data, size);
>
> return _init_gap(local_name.c_str(), &adv_data);
>
> }
>
>
>
> void SimpleBLE::clearAdvertiseData() {
>
> if(adv_data.p_manufacturer_data != NULL) {
>
> free(adv_data.p_manufacturer_data);
>
> adv_data.p_manufacturer_data = NULL;
>
> adv_data.manufacturer_len = 0;
>
> }
>
> if(adv_data.p_service_data != NULL) {
>
> free(adv_data.p_service_data);
>
> adv_data.p_service_data = NULL;
>
> adv_data.service_data_len = 0;
>
> }
>
> }
>
>
>
> void SimpleBLE::fillManufacturerData(byte* data, int size) {
>
> if(size > MAX_MANUFACTURER_DATA_SIZE)
>
> size = MAX_MANUFACTURER_DATA_SIZE;
>
> adv_data.p_manufacturer_data = (uint8_t *) malloc(size*sizeof(uint8_t));
>
> adv_data.manufacturer_len = size;
>
> memcpy(adv_data.p_manufacturer_data, data, size);
>
> }
>
>
>
> void SimpleBLE::fillServiceData(byte* data, int size) {
>
> if(size > MAX_SERVICE_DATA_SIZE)
>
> size = MAX_SERVICE_DATA_SIZE;
>
> adv_data.p_service_data = (uint8_t *) malloc(size*sizeof(uint8_t));
>
> adv_data.service_data_len = size;
>
> memcpy(adv_data.p_service_data, data, size);
>
> }
>
>
>
> When I add these, I get the following errors during compile:
>
>
>
>
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21:
> error: variable or field '_on_gap' declared void
>
> static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
> *param){
>
> ^~~~~~~~~~~~~~~~~~~~~~
>
>
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21:
> error: 'esp_gap_ble_cb_event_t' was not declared in this scope
>
>
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:21:
> note: suggested alternative: 'wifi_prov_cb_event_t'
>
> static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
> *param){
>
> ^~~~~~~~~~~~~~~~~~~~~~
>
> wifi_prov_cb_event_t
>
>
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51:
> error: 'esp_ble_gap_cb_param_t' was not declared in this scope
>
> static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
> *param){
>
> ^~~~~~~~~~~~~~~~~~~~~~
>
>
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:51:
> note: suggested alternative: 'esp_sleep_source_t'
>
> static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
> *param){
>
> ^~~~~~~~~~~~~~~~~~~~~~
>
> esp_sleep_source_t
>
>
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75:
> error: 'param' was not declared in this scope
>
> static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
> *param){
>
> ^~~~~
>
>
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:438:75:
> note: suggested alternative: 'Stream'
>
> static void _on_gap(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t
> *param){
>
> ^~~~~
>
> Stream
>
>
C:\Users\ilker\Documents\Arduino\disney_magicband_nfc\disney_magicband_nfc.ino:444:42:
> error: 'esp_ble_adv_data_t' has not been declared
>
> static bool _init_gap(const char * name, esp_ble_adv_data_t* adv_data){
>
> ^~~~~~~~~~~~~~~~~~
>
> Multiple libraries were found for "WiFi.h"
>
> Used:
>
C:\Users\ilker\AppData\Local\Arduino15\packages\esp32\hardware\esp32\2.0.17\libraries\WiFi
>
>
> Not used: C:\Users\ilker\Documents\Arduino\libraries\WiFi
>
> exit status 1
>
>
>
> Compilation error: variable or field '_on_gap' declared void
>
>
>
> From: jjdb210 ***@***.*** <mailto:***@***.***> >
> Sent: 28 Temmuz 2024 Pazar 19:20
> To: jjdb210/CheesyNipClicker ***@***.*** <mailto:***@***.***> >
> Cc: ilker Aktuna ***@***.*** <mailto:***@***.***> >; Author ***@***.***
<mailto:***@***.***> >
> Subject: Re: [jjdb210/CheesyNipClicker] about Disney Magicband bluetooth
> codes (Issue #1)
>
>
>
> Better way to communicate would be to directly email ***@***.*** <mailto:***@***.***>
<mailto:***@***.***>
>
>
> As far as decyrpting/figuring out what is going on - You might want to
> take
> a look at:
> https://github.com/DigitalSecurity/btlejuice
>
> As far as Alexa - There was supposed to be a triva game that integrated
> with the bands that was going to be integrated with Alexa's "Hey Disney"
> feature. They released Hey Disney a little over a year ago now, and it
> still has no magicband+ support as far as I'm aware. It's funny, because
> the MagicBand+ boxes still contain the Amazon Alexa logo on the side of
> them, despite thie feature still not being released. The only thing that
I
> have at home to Mitm with is my phone, and I'm not 100% certain that's
> using the BLE features at this point... I haven't jumped down that road,
> but hope to do that soon.
>
> I have code for both a transmitter and a receiver. I just uploaded the
> transmitter code to Github:
>
>
https://github.com/jjdb210/Disney_BLE_Dress_Transmitter/blob/main/wand/wand.ino
>
> The code has a bunch of stuff involving buttons for a wand I built, and
> was
> originally built for a Xiao ESP32c3. I'm not sure how cross compatible
it
> is, but hopefully it works for you. That said, there is a debug tool I
put
> into it that allows you to send codes directly over serial... So once,
> it's
> loaded into the chip, open the console and paste one of the codes into
the
> serial prompt with your magic band on... For example, if you put in:
>
> 8301e100e905006f0ef5b0
>
> it should cause all magicband+ in the area to glow red. A breakdown of
the
> code can be found here:
> https://emcot.world/Disney_MagicBand%2B_Bluetooth_Codes - If you happen
> to
> figure out any additional details while your playing around.. For
example,
> how the timing bits work (I know they exist, I just haven't had time to
> iterate though and see how they behave), I'd love to get that added to
the
> documentation/wiki.
>
> To your last question: I don't believe that there is anyway to use
> broadcast messages to hit a single magicband. I have not seen any signs
of
> this either in implementation in the parks, or in any of the data that
> I've
> sniffed.. with maybe 1 small exception... There is what I believe to be
a
> tracking ping disney sends out that the magic bands respond to... but
this
> doesn't contain any light up functionality.
>
> Justin Gehring
> ***@***.*** <mailto:***@***.***> <mailto:***@***.***>
>
>
> On Sun, Jul 28, 2024 at 3:21 AM ilker Aktuna ***@***.*** <mailto:***@***.***>
<mailto:***@***.***>
> >
> wrote:
>
> > Hi,
> >
> > Thanks for your quick response. How can we contact directly ? (Using
> this
> > issue thread under an unrelated github repository is not the best
method
> I
> > believe)
> >
> > I have a bluetooth sniffer , so I am now trying to sniff between my
> phone
> > (Disney app) and the magicband.
> > Unfortunately I could not decrypt the packets. If you have experience
on
> > this, maybe you can help me with that.
> > Please see here, my question:
> >
> >
>
https://devzone.nordicsemi.com/f/nordic-q-a/113465/encrypted-packet-decrypted-incorrectly-bad-mic---how-to-get-ltk
> >
> > About broadcast messages; I don't have any experience. And I really
> don't
> > know the usage of hcitool
> > So if you can describe me what these parameters are (which one is the
> > address , service, characteristic etc.) , maybe I can try to replicate
> them
> > on Arduino , or Java.
> >
> > hcitool -i hci0 cmd 0x08 0x0008 1E 02 01 1A 1A ff *83 01* e9 0c 00 0f
0f
> 5d
> > 46 5b f0 05 32 37 48 95 cf 8a ad
> >
> > If Arduino is able to do this, at least I can use broadcast until I
> > discover the codes for unicast (direct) commands.
> >
> > And lastly, what do you mean by " I was really hoping the Alexa
> > integration would have come out by
> > now" ?
> > Is there an expected Alexa integration for Magicband+ ?
> >
> > —
> > Reply to this email directly, view it on GitHub
> > <
>
#1 (comment)>,
>
> > or unsubscribe
> > <
>
https://github.com/notifications/unsubscribe-auth/AFTUZPC5SKPNTJEADJBLQYTZOSSZJAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJUGM4TAOJSG4>
>
> > .
> > You are receiving this because you commented.Message ID:
> > ***@***.*** <mailto:***@***.***> <mailto:***@***.***> >
> >
>
>
>
> —
> Reply to this email directly, view it on GitHub <
>
#1 (comment)>
> , or unsubscribe <
>
https://github.com/notifications/unsubscribe-auth/AMIGSAS7FUMLMIB2XTMWLXDZOUK4HAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJUGU3TCMJSGM>
> .
> You are receiving this because you authored the thread. <
>
https://github.com/notifications/beacon/AMIGSAUB6SZ5PTN5PBDH6GTZOUK4HA5CNFSM6AAAAABLSGU2VGWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTUGMIDHG.gif>
> Message ID: ***@***.*** <mailto:***@***.***> ***@***.*** <mailto:***@***.***>
> >
>
> —
> Reply to this email directly, view it on GitHub
> <
#1 (comment)>,
> or unsubscribe
> <
https://github.com/notifications/unsubscribe-auth/AFTUZPAOFNWA7XFGLQSMBQLZO2L5JAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJWG43DQNRRHA>
> .
> You are receiving this because you commented.Message ID:
> ***@***.*** <mailto:***@***.***> >
>
—
Reply to this email directly, view it on GitHub <
#1 (comment)>
, or unsubscribe <
https://github.com/notifications/unsubscribe-auth/AMIGSAUZG2XEAMPC3I2654DZO2N5RAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJWG44TMNRWGQ>
.
You are receiving this because you authored the thread. <
https://github.com/notifications/beacon/AMIGSAXIY74CG5EBGBKH4NTZO2N5RA5CNFSM6AAAAABLSGU2VGWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTUGQP57Q.gif>
Message ID: ***@***.*** ***@***.***> >
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPGCP3CBJD5F35B6GADZO2PG7AVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJWHAYTINJXHA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
do you mean like this : NimBLEDevice::init("disney"); |
|
that didn't change anything. I am looking at NimBLE reference here: there are setManufacturerData and setAdvertisementData methods but I am not sure how to use these in compliance with your recommendation. |
|
This might be hard to diagnose without being able to see the packet that is
being produced from something like wireshark. You may also run into
problems using this library due to the disney advertising packets
technically being out-of-spec.
In theory the manufacture data should be 8301. In some situations I've had
to enter it as 0183 depending on how the library is translating the little
endianness of it all.
The advertisement data should be then something like: e100e905006f0ef5b0
(that's a short enough code that it should work even if nimble requires it
to be in spec)
If you generate that packet and listen with your sniffer using something
like wireshark, I'd like to see the packet it generates and I might be able
to tell you then what's wrong.
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
…On Mon, Jul 29, 2024 at 3:49 PM ilker Aktuna ***@***.***> wrote:
that didn't change anything.
I am looking at NimBLE reference here:
https://h2zero.github.io/NimBLE-Arduino/class_nim_b_l_e_advertising.html
there are setManufacturerData and setAdvertisementData methods but I am
not sure how to use these in compliance with your recommendation.
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPGM6IOGO7LE6OGNHADZO2THDAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJWHEZDCOJQHA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
but I am checking your code and as far as I understand, your code is sending all data as manufacture data |
|
about sniffing; |
|
Noted. I'm going to try to get this working with Nimble on my stream here
in a few minutes. If time allows (I don't have a ton of time tonight), I'll
also take a stab at getting the gatt stuff worked out. If you want to chat
in real time, stop by! http://twitch.tv/jjdb210
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
…On Mon, Jul 29, 2024 at 4:16 PM ilker Aktuna ***@***.***> wrote:
about sniffing;
I have a nrf 52840 bluetooth sniffer and I can sniff with it using
wireshark, but I don't know which packets are advertisement packets. I
mostly have experience with btatt protocol which is not advertisment.
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPHH4R42LYDWDX3UASDZO2WLLAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJXGAZDGMBZHE>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
This code should work:
#include <NimBLEDevice.h>
void setup() {
NimBLEDevice::init("");
NimBLEAdvertising *pAdvertising = NimBLEDevice::getAdvertising(); //
create advertising instance
//e100e905006f0ef5b0
uint8_t Adv_DATA[] = {0x83, 0x01, 0xe1, 0x00, 0xe9, 0x05, 0x00, 0x6f, 0x
0e, 0xf5, 0xb0};
NimBLEAdvertisementData oAdvertisementCustom = NimBLEAdvertisementData()
;
oAdvertisementCustom.setManufacturerData(std::string((char *)&Adv_DATA[0],
11));
pAdvertising->setAdvertisementData(oAdvertisementCustom);
pAdvertising->start(); // start advertising
}
void loop() {
// put your main code here, to run repeatedly:
}
If you want to see how i made it work (and maybe a little before this
timestamp):
https://www.twitch.tv/videos/2210748966?t=1h9m30s
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
…On Mon, Jul 29, 2024 at 4:03 PM ilker Aktuna ***@***.***> wrote:
but I am checking your code and as far as I understand, your code is
sending all data as manufacture data
So as my example.
I don't see the difference.
But then both of them do not work for me. Maybe my magicband is a
different version ???
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPFVE5LDRWD42L3XQQ3ZO2UYRAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJWHE3TQMBXHA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
this code seems to work (at least it does something, I didn't check if it was the correct behaviour) how do I turn off the leds now ? btw, I can't find your email address , so I am still writing here. |
|
I just made some more tests.
for example I tried:
any idea about what's happening ? |
|
Make sure if you change the size of the array, that you update the 11 to
the proper value of data being sent (same number of elements that is in the
array).
As far as the changing the code not changing the color... 2 notes on that:
1) Only 5 of the bits are being used, which makes the math a little
funny... I'm not sure which 5 off the top of my head... but based on it
being red... Try 5f and see what happens.
2) The other thing that *might* be happening, is if the beacon isn't
getting fully cleared, you might be still sending the red beacon, even
after sending something else... I'm not in a place I can test that at a
moment, but I'll see if I can rig up some other sample code. There's also a
timing variable, so it might be a really long red, so it may take a bit
before it refreshes. If the band leds are off though, it should grab the
code pretty quick.
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
…On Tue, Jul 30, 2024 at 3:13 AM ilker Aktuna ***@***.***> wrote:
I just made some more tests.
The code you provide makes the band leds red.
But I have 2 issues:
1. it always makes the band "red" , I tried to change "6f" to other
colors but it always makes red. So I assume it is not working as expected.
uint8_t Adv_DATA[] = {0x83, 0x01, 0xe1, 0x00, 0xe9, 0x05, 0x00,
**0x6f**, 0x0e, 0xf5, 0xb0};
2. any other code I try from your examples, do not work
I tried:
//e100e9080065d255005500b0 - custom color
//uint8_t Adv_DATA[] = {0x83, 0x01, 0xe1, 0x00, 0xe9, 0x08, 0x00, 0x65, 0xd2, 0x55, 0x00, 0x55, 0x00, 0xb0};
//e9 0b 0b 0f 0f 5c 5d 48 a5 d1 45 32 05 - circle animation
//uint8_t Adv_DATA[] = {0x83, 0x01, 0xe1, 0x00, 0xe9, 0x0b, 0x0b, 0x0f, 0x0f, 0x5c, 0x5d, 0x48, 0xa5, 0xd1, 0x45, 0x32, 0x05};
any idea about what's happening ?
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPCIU6NIPCMLVO4G36LZO5DLHAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJXG42DIOJYHA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Ok. That was something I missed. Sorry. Circle animation works if I change the 11 to 17.
well, I did the math there. So I changed it to 7a , which is 0111 1010 You suggest 5f , I tried that and still get "red" what am I doing wrong ?
well I powered off the esp32 module several times. So beacon is certainly cleared. And I tried with long durations between my tests. (2-3 hours later etc.) and the led goes off. I am not sure if this is the ideal way to stop the leds, but it works. |
|
I just tried the "Single 6-bit color" command and it works. How do we make a circle animation with custom color ? |
|
Single 6 bit color can absolutely be used instead of the palette one...
Just an option.
As far as the animation goes.. I do have a few more notes that I'll try to
get up to the wiki... but a lot of this stuff I haven't fully reversed
engineered... And even the ones I have, I'm still missing details on what a
lot of the other bits do. You'll likely have to do a bit of guess and
check. I also have recordings of all the codes from all the shows disney
currently has (drone show, 2 castle shows, 2 or 3 epcot shows, and
fantasmic). I'll see if I can get those on the Wiki eventually as well...
That would give you more codes to play with.
That said, I would say a majority of the animation functions I've come
across seem to rely on the palette colors.
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
…On Tue, Jul 30, 2024 at 5:15 PM ilker Aktuna ***@***.***> wrote:
I just tried the "Single 6-bit color" command and it works.
So in fact do we really need the "Single Color From Pallette Function" ?
How do we make a circle animation with custom color ?
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPHQFSGSIQZNJZP6VGLZPAGAJAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJZGI4TQMZRGI>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
ok. in that case, understanding palette colors and their usage is really important. Also, what is the "5 Color Pallet" example in your wiki actually doing ? I am mostly interested in ;
If you have any ideas on achieving these (even trial & error) , I'd really like to test. and, last but not least, I really would like to use single device control (like we do on the disney app when selecting color theme) Probably the Disney app has an hardcoded LTK and without it we can not decrypt the BLE traffic from/to Disney app. |
|
1. I don't know if all the "functions" have a parameter for vibration..
Other than color, I haven't reversed most of the other bits... I believe
the only code I have that vibrates that I've documented is this one:
e9 12 00 01 0f *bc bd bd bd bd* 30 d0 37 f4 d2 46 00 00 fc bb
I don't remember though what bits messed with vibration. At the moment, I
dont have any plans to delve into that, but I might run into it when I get
around to figuring out the timing bits for some of these functions. If you
have any success in isolating anything let me know!
In that animation code, I can tell you that the part I put in bold is where
the colors are I believe.
2. As far as direct connecting, I'm working on getting a bluetooth
man-in-the-middle setup going, but have no ETA/timeline to get it working.
I started working on modifying 2 PiZero W's for the project last night, but
dont know 1) if the pi's will support this without usb dongles or 2) what
other hurdles i'm likely to run into.
If I find anything out, I'll let you know.
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
…On Wed, Jul 31, 2024 at 5:05 AM ilker Aktuna ***@***.***> wrote:
ok. in that case, understanding palette colors and their usage is really
important.
I still could not change the color from red to any other color by playing
with "6f". If you have any advise on this , please let me know.
Also, what is the "5 Color Pallet" example in your wiki actually doing ?
A full command might look like this: e9 08 00 f4 0f a0 a4 b9 b9 a4
I am mostly interested in ;
1. adding vibration to any single color
2. changing color of a circle animation (with or without vibration)
If you have any ideas on achieving these (even trial & error) , I'd really
like to test.
and, last but not least, I really would like to use single device control
(like we do on the disney app when selecting color theme)
any ideas on that ?
I tried to sniff the traffic with nrf52840 sniffer but it was encrypted
and I could not get a LTK to decrypt.
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPDSZN7FHYXZDINAU43ZPCZGNAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENRQGE2DMNRRGQ>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
ok. let's leave vibration for now. Btw, what is the "5 Color Pallet" example in your wiki actually doing ? about direct connection; I see what you are trying to do with 2 RPI sniffing solution. But I have a better sniffing setup and I am already able to sniff. But without a LTK the messages are encrypted. Do you know how to get the LTK ? I am attaching the capture file that I have already captured. If you can get the LTK from the pairing phase in this file, then we can decrypt the messages. |
|
I may be wrong, but I dont think there is going to be a way to use a
passive sniffer to decode the LTK for a paired magicband. I do have a
passive sniffer with wireshark as well which is how I got most of the
bluetooth stuff for the broadcast messages, as well as a custom recorder I
built for recording the shows at disney... But none of that has proven
useful in determining what the phone and the magicband are doing once
paired. It *might* be possible to do it with a MITM setup like I'm working
on getting going, but this assumes they aren't using some of the latest
protections against MITM.
That said, I believe Disney actually created 3 ways to communicate with the
bands... paired is likely the coolest, but also the most dangerous in my
mind, in terms of being able to do damage to the magicband, so I haven't
even taken a look at it...
Method 1. We have the broadcast method, which you've now seen.
Method 2. We have unpaired GATT/ATT communication, which is why I'm working
on a MITM setup... because there is a way to get data from, and communicate
with these magic bands *without* using broadcast messages and without using
pairing... It's seen whenever the bands interact with the statues at the
park. The statues are able to "tell" the bands they are nearby, and the the
bands are able to reply to the statues that a wave has occurred, without
any pairing. I believe this is also used to detect nearby bands prior to
pairing. I don't have any idea just how much control there is here, but
there definitely is some. My plan at the moment is to maybe take the MITM
device in hopes of capturing what the statues are doing.
Method 3. Then we have paired communication, which includes the ability to
replace the firmware, and sideload applications onto the magicband. It's
seen whenever the phone updates the firmware for the device, or in Galaxy's
edge when you go bounty hunting and it seems to sideload the tracking app.
It sounds like that is what you are trying to sniff out... I don't have a
ton to contribute on this method at this point either, and I probably won't
be targeting it anytime soon, unless the MITM setup I'm putting together
happens to work for it as well.
That said at this point I have nothing to point you in the right direction
regarding method 2 or 3 that I haven't yet shared.
With regards to the solid color function (e905) - My apologies... my wiki
was wrong... It's the second to last tuple that controls color... Here's
the samples:
- 8301e100e905006f0e*f5*b0 - Red
- 8301e100e905006f0e*f4*b0 - Whitish Blue:
- 8301e100e905006f0e*fb*b0 - Orangeish red
- 8301e100e905006f0e*e0*b0 - cyan
- 8301e100e905006f0e*e1*b0 - purple
As a note - the extra 3 bits do have an impact on the pattern shown as
well... For example, if you use D instead of F, only the upper right LED is
going to light. I don't entirely understand any of the other bits, and
looking at the wiki my documentation might be wrong here too regarding what
using other upper level bits will do.
Sorry for the confusion on that part... Hope it helps!
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
…On Wed, Jul 31, 2024 at 4:36 PM ilker Aktuna ***@***.***> wrote:
ok. let's leave vibration for now.
what about changing colors ?
I even could not change the color in "Single Color From Pallette Function"
example.
Are you able to change it ? Can you give me an example which will output
any color other than red in this:
8301e100e905006f0ef5b0
Btw, what is the "5 Color Pallet" example in your wiki actually doing ?
A full command might look like this: e9 08 00 f4 0f a0 a4 b9 b9 a4
about direct connection; I see what you are trying to do with 2 RPI
sniffing solution. But I have a better sniffing setup and I am already able
to sniff. But without a LTK the messages are encrypted. Do you know how to
get the LTK ?
mb.zip <https://github.com/user-attachments/files/16447385/mb.zip>
I am attaching the capture file that I have already captured. If you can
get the LTK from the pairing phase in this file, then we can decrypt the
messages.
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPFEFBR2WGXCBSXVMZTZPFKGVAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENRRGUYDGMJXGM>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
well in fact, I am doing pairing in each sniff session. But still I am not able to get the LTK. about color palette; |
|
e908 is the function setting each LED a different palette based color. The
bottom 5 bits of the last 5 tuples are each 1 LED on the magic band... I
feel like there is timing tuple in there, and possibly some sort of
pattern... but other than the color bits, I'm not entirely sure what else
it can do.
e9 - Identifier for magic band - Not sure if this does anything other than
start the code.
e8 - Appears to be a function call based on comparison with other codes.
00 - Unknown, could be a spacer based on it showing up in pretty much every
code.
f4 - Unknown - Possibly Time Related
0f - Partially Unknown - May be partially "Pattern"
a0 - Partially Pattern, bottom 5 bits are First palette based color
a4 - Second Color, bottom 5 bits are second palette based color
b9 - Third Color, bottom 5 bits are third palette based color
b9 - Fourth Color, bottom 5 are fourth palette based color
a4 - Fifth Color
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
…On Thu, Aug 1, 2024 at 8:00 AM ilker Aktuna ***@***.***> wrote:
I may be wrong, but I dont think there is going to be a way to use a
passive sniffer to decode the LTK for a paired magicband.
well in fact, I am doing pairing in each sniff session. But still I am not
able to get the LTK.
I am not able to do the MITM setup right now. (I have a few spare RPI but
I am going on a vacation and don't have the time to prepare the setup)
If you find anything, please let me know.
about color palette;
thanks for clarifying it. Now I can use that command.
But I still have a question about use of color palette in other commands.
For example, what is the "5 Color Pallet" example in your wiki actually
doing ?
e9 08 00 f4 0f a0 a4 b9 b9 a4
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPAH3IIFPBXMNDSXGS3ZPIWORAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENRSHE4DAMZTGU>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
hi, I am trying to do the same on an Android app. And normally the following code should work. But it does not. BluetoothLeAdvertiser mBluetoothLeAdvertiser = mBTAdapter.getBluetoothLeAdvertiser(); |
|
The official ID for Disney is 0x0183... If the field is taking it as an
int, I would try inputting 387. Then sniff the packets and confirm that
wireshark is seeing the company id as Walt Disney (it's a registered code,
so Wireshark will ID it):
[image: image.png]
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
…On Thu, Aug 8, 2024 at 7:12 AM ilker Aktuna ***@***.***> wrote:
hi,
I am trying to do the same on an Android app. And normally the following
code should work. But it does not.
```
BluetoothLeAdvertiser mBluetoothLeAdvertiser =
mBTAdapter.getBluetoothLeAdvertiser();
AdvertiseData.Builder dataBuilder = new AdvertiseData.Builder();
String s = "8301e100e90800f40ffca1b1a4b1";
byte[] b = new byte[s.length() / 2];
for (int i = 0; i < b.length; i++) {
int index = i * 2;
int v = Integer.parseInt(s.substring(index, index + 2), 16);
b[i] = (byte) v;
}
dataBuilder.addManufacturerData(224 , b);
AdvertiseSettings.Builder settingsBuilder = new AdvertiseSettings.Builder();
settingsBuilder.setTimeout(0); //set to 0 to continously advertise
if (ActivityCompat.checkSelfPermission(this, Manifest.permission.BLUETOOTH_ADVERTISE) != PackageManager.PERMISSION_GRANTED) {
requestPermissions(new String[]{Manifest.permission.BLUETOOTH_ADVERTISE}, 1);
return;
}
mBluetoothLeAdvertiser.startAdvertising(settingsBuilder.build(), dataBuilder.build(), new AdvertiseCallback() {
@OverRide
public void onStartSuccess(AdvertiseSettings settingsInEffect) {
super.onStartSuccess(settingsInEffect);
}
@OverRide
public void onStartFailure(int errorCode) {
super.onStartFailure(errorCode);
}
});
Do you have any idea what's wrong ?
the "addManufacturerData" on Android BLE requires 2 parameters:
1. manufacturerId (integer)
2. manufacturerSpecificData (byte)
I don't know what to use as manufacturerId.
From your guide I understand that it is 0x83 0x01 but how should I put it in an integer ?
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPDAWU55TWKGJELHHTTZQNOBPAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENZVGY3DQNRZGQ>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
yes that worked ! |
|
thanks again. do you have any progress about direct messages (GATT/ATT) ? |
|
Not yet.
Justin Gehring
PH: 651-208-8797 FX: 866-572-6777
***@***.***
…On Thu, Aug 8, 2024 at 8:49 AM ilker Aktuna ***@***.***> wrote:
thanks again. do you have any progress about direct messages (GATT/ATT) ?
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFTUZPEUHETRPJ3L7RCRKKLZQNZNPAVCNFSM6AAAAABLSGU2VGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENZVHA4DEMBWGI>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
Hi, Do you have any progress on this ? thanks |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
I'm sorry; I could not find any other way to contact you. So I'm trying my chance to reach via this channel.
I read on the page below , about your findings on Mgicband+ ble codes:
https://emcot.world/Disney_MagicBand%2B_Bluetooth_Codes#The_cc_Codes
I am trying to make a fun application for my family to make use of the bands at home.
I will try your codes, but I'm not sure which service and characteristic I have to send the commands.
I see there are 5 different services and a few characteristic under each service as below.
Could you tell me which one to use ?
I just want to make the band leds do some effects.
service:00001801-0000-1000-8000-00805f9b34fb
characteristic:00002a05-0000-1000-8000-00805f9b34fb
characteristic:00002b2a-0000-1000-8000-00805f9b34fb
characteristic:00002b29-0000-1000-8000-00805f9b34fb
service:00001800-0000-1000-8000-00805f9b34fb
characteristic:00002a00-0000-1000-8000-00805f9b34fb
characteristic:00002a01-0000-1000-8000-00805f9b34fb
service:1d14d6ee-fd63-4fa1-bfa4-8f47b42119f0
characteristic:f7bf3564-fb6d-4e53-88a4-5e37e0326063
characteristic:984227f3-34fc-4045-a5d0-2c581f81a153
service:0000fe03-0000-1000-8000-00805f9b34fb
characteristic:f04eb177-3005-43a7-ac61-a390ddf83076
characteristic:2beea05b-1879-4bb4-8a2f-72641f82420b
characteristic:74f996c9-7d6c-4d58-9232-0427ab61c53c
characteristic:b32e83c0-fece-47c1-9015-53b7e7f0d2fe
service:0000fd98-0000-1000-8000-00805f9b34fb
characteristic:bd75b722-3dda-bef1-454d-7119c8ff26a2
characteristic:0b4d1c14-b070-8938-9a0b-d5f8188488cd
If you don't want to have this conversation under Github issues, you can contact me directly.
Thanks
The text was updated successfully, but these errors were encountered: