00000000-deca-fade-deca-deafdecacaff

Maybe I should swith to english when posting here as I try to get stuff done with ZEO mobile and most users of that thing do not German 😉

Today I try to tinker with the BT headband. The usual steps when something blue pops up in the air:

let’s discover that thing first.
hcitool scan gives me an addr
4C:98:EF:00:1E:E5       clock offset: 0x026f    class: 0x080700

BD Address:  4C:98:EF:00:1E:E5
Device Name: Zeo
LMP Version: 2.1 (0x4) LMP Subversion: 0x12e9
Manufacturer: Cambridge Silicon Radio (10)
Features: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x59 0x83
<3-slot packets> <5-slot packets> <encryption> <slot offset>
<timing accuracy> <role switch> <hold mode> <sniff mode>
<park state> <RSSI> <channel quality> <SCO link> <HV2 packets>
<HV3 packets> <u-law log> <A-law log> <CVSD> <paging scheme>
<power control> <transparent SCO> <broadcast encrypt>
<EDR ACL 2 Mbps> <EDR ACL 3 Mbps> <enhanced iscan>
<interlaced iscan> <interlaced pscan> <inquiry with RSSI>
<extended SCO> <EV4 packets> <EV5 packets> <AFH cap. slave>
<AFH class. slave> <3-slot EDR ACL> <5-slot EDR ACL>
<sniff subrating> <pause encryption> <AFH cap. master>
<AFH class. master> <EDR eSCO 2 Mbps> <EDR eSCO 3 Mbps>
<3-slot EDR eSCO> <extended inquiry> <simple pairing>
<encapsulated PDU> <non-flush flag> <LSTO> <inquiry TX power>
<extended features>
Extended features: 1 page

Then scan it. And here are two services
Note the funny UUID 😉

Browsing 4C:98:EF:00:1E:E5 …
Service Name: iAP Accessory
Service Provider: Zeo Inc.
Service RecHandle: 0x10000
Service Class ID List:
UUID 128: 00000000-deca-fade-deca-deafdecacaff
Protocol Descriptor List:
“L2CAP” (0x0100)
PSM: 3
“RFCOMM” (0x0003)
Channel: 1
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
“Serial Port” (0x1101)
Version: 0x0100

Service Name: SPP Accessory
Service Provider: Zeo Inc.
Service RecHandle: 0x10001
Service Class ID List:
UUID 128: 56b32a76-479b-43d4-99ff-42d79823d0a6
Protocol Descriptor List:
“L2CAP” (0x0100)
PSM: 3
“RFCOMM” (0x0003)
Channel: 2
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
“Serial Port” (0x1101)
Version: 0x0100

It does not like me to rfcomm into the 2 services found directly 🙁

So let’s pair and connect a serial port. It accepts 0000 as BT PIN.

 

About Raipat

Sleep Hacker, Biopunk
This entry was posted in BCI, Schlafhacking. Bookmark the permalink.

3 Responses to 00000000-deca-fade-deca-deafdecacaff

  1. Ben says:

    Any luck with reading data from the Zeo Mobile?

  2. Samuel Cochran says:

    I am also interested in connecting to the headband over bluetooth.

    “iAP Accessory” is an “iPod Accessory Protocol”, a proprietary protocol implemented by Apple which has an intense authentication scheme including custom hardware.

    “SPP Accessory” is a “Serial Port Profile” accessory for android. This seems to be a more open standard and is implemented by connector boards like connectBlue’s. I found this documentation which is promising: http://support.connectblue.com/display/PRODBTSPA/Bluetooth+Serial+Port+Adapter+AT+Commands#BluetoothSerialPortAdapterATCommands-DataMode%28ATADDM%29

    I’m guessing if you initiate a connection and issue the correct AT commands, then handshake in some special Zeo way, you’ll get a stream of data coming back. Next step: reverse-engineering the android app.

  3. reltih says:

    Anything new regarding raw data?

Leave a Reply