Replicate bluetooth remote with HM-10

warwound

Expert
Licensed User
Longtime User
I have a Gear 360 camera and an official bluetooth remote is on its way from eBay.
I want to be able to trigger my camera shutter using an HM-10 bluetooth module:
  • A spare servo channel on my quadcopter connected to an Arduino.
  • Arduino connected to HM-10 via serial.
  • HM-10 paired with camera.
  • Camera suspended from my quadcopter.
So my quadcopter will have an Arduino, HM-10 and camera onboard.

Samsung have not released any SDK or documentation for the Gear 360 and its bluetooth remote.
I want to know if and how I can program the Arduino to use the HM-10 as a substitute for the official bluetooth remote.

On my Android tablet I have connected to the HM-10 and queried its services using nRF Connect for Mobile.
nRF Connect for Mobile logs this info about the camera:
nRF Connect, 2016-10-07
Gear 360(??????) (8C:1A:BF:??:??:??)
V 07:47:55.058 Connecting to 8C:1A:BF:??:??:??...
D 07:47:55.126 gatt = device.connectGatt(autoConnect = false)
D 07:47:55.707 [Broadcast] Action received: android.bluetooth.device.action.ACL_CONNECTED
D 07:47:55.747 [Callback] Connection state changed with status: 0 and new state: CONNECTED (2)
I 07:47:55.766 Connected to 8C:1A:BF:??:??:??
D 07:47:55.792 wait(600ms)
V 07:47:56.428 Discovering services...
D 07:47:56.474 gatt.discoverServices()
D 07:47:56.492 [Callback] Services discovered with status: 0
I 07:47:56.514 Services discovered
V 07:47:56.539 Generic Access (0x1800)
- Device Name [R] (0x2A00)
- Appearance [R] (0x2A01)
Generic Attribute (0x1801)
- Service Changed (0x2A05)
Client Characteristic Configuration (0x2902)
V 07:48:00.418 Reading all characteristics...
V 07:48:00.467 Reading characteristic 00002a00-0000-1000-8000-00805f9b34fb
D 07:48:00.495 gatt.readCharacteristic(00002a00-0000-1000-8000-00805f9b34fb)
I 07:48:00.525 Read Response received from 00002a00-0000-1000-8000-00805f9b34fb, value: (0x) 47-65-61-72-20-33-36-30-28-39-34-43-41-37-46-29, "Gear 360(??????)"
A 07:48:00.547 "Gear 360(??????)" received
V 07:48:00.566 Reading characteristic 00002a01-0000-1000-8000-00805f9b34fb
D 07:48:00.585 gatt.readCharacteristic(00002a01-0000-1000-8000-00805f9b34fb)
I 07:48:00.613 Read Response received from 00002a01-0000-1000-8000-00805f9b34fb, value: (0x) 20-06
A 07:48:00.636 "[1568] Unknown" received
V 07:48:04.978 Disconnecting...
D 07:48:05.021 gatt.disconnect()
D 07:48:05.040 [Callback] Connection state changed with status: 0 and new state: DISCONNECTED (0)
I 07:48:05.066 Disconnected
D 07:48:05.085 gatt.refresh() (hidden)


I can pair my HM-10 with my camera using a USB serial adapter and AT commands.
So how do I go about establishing what the HM-10 must do to activate the camera shutter?

Could I program an Android device (using B4A) or an Arduino (using B4R) as a master bluetooth device offering the same services as the camera offers (as in the log from nRF Connect for Mobile)?
Then connect the official bluetooth controller to this master device and click its remote shutter button.
On the master read the command/data that comes from the remote.

Now that I know the 'bluetooth command' that the official remote sends, I can send the same command using an Arduino and HM-10?

Is this all possible?
 

warwound

Expert
Licensed User
Longtime User
My bluetooth remote arrived from eBay.
I paired it with my S7 and pressed the remote shutter button.
My S7 volume slider goes down.

Should be possible to program an Arduino and HM-10 to connect to my Gear 360 and send a 'standard media volume down' command...
 

Zliko

Member
Hi warwound, have you managed to emulate the official BT remote? We are pursuing the same path. Have you tried to spoof the BT MAC address from the official BT remote to the HM-10? It might be that there is an ACL on the MAC address, though it might be that there is some encryption involved (hope not).

best
 

Zliko

Member
Damn, have you tried to sniff traffic (via a passive BT dongle, e.g. Ubertooth) between the BT remote and cam? I do not have the official BT remote, so I can only try to sniff traffic between the Android phone and camera. Will let you know if I figure it out. Seems Samsung is using some custom services. I haven't managed to find any BT vulnerabilities and the open services are unknown (when scanning in Kali).
 

Zliko

Member
Any chance you could send me the MAC address of your Samsung BT remote? Would like to see if I can pair it in remote mode with a spoofed MAC address.
 

warwound

Expert
Licensed User
Longtime User
Take a look at this.
It's the log output from the Nordic Semiconductor 'nRF Connect' app:

B4X:
nRF Connect, 2017-04-07
Gear 360 Remocon(23) (D8:8D:5C:D0:11:23)
V   08:01:17.794   Connecting to D8:8D:5C:D0:11:23...
D   08:01:17.794   gatt = device.connectGatt(autoConnect = false)
D   08:01:18.066   [Callback] Connection state changed with status: 0 and new state: CONNECTED (2)
I   08:01:18.066   Connected to D8:8D:5C:D0:11:23
D   08:01:18.066   wait(600ms)
D   08:01:18.089   [Broadcast] Action received: android.bluetooth.device.action.ACL_CONNECTED
V   08:01:18.685   Discovering services...
D   08:01:18.685   gatt.discoverServices()
D   08:01:19.004   [Callback] Services discovered with status: 0
I   08:01:19.007   Services discovered
V   08:01:19.053   Generic Attribute (0x1801)
- Service Changed [I R] (0x2A05)
 Client Characteristic Configuration (0x2902)
Generic Access (0x1800)
- Device Name [R W] (0x2A00)
- Appearance [R] (0x2A01)
- Peripheral Preferred Connection Parameters [R] (0x2A04)
Device Information (0x180A)
- Serial Number String [R] (0x2A25)
- Model Number String [R] (0x2A24)
- System ID [R] (0x2A23)
- Hardware Revision String [R] (0x2A27)
- Firmware Revision String [R] (0x2A26)
- Software Revision String [R] (0x2A28)
- Manufacturer Name String [R] (0x2A29)
- PnP ID [R] (0x2A50)
Battery Service (0x180F)
- Battery Level [N R] (0x2A19)
 Client Characteristic Configuration (0x2902)
Unknown Service (00001016-d102-11e1-9b23-00025b00a5a5)
- Unknown Characteristic [R W] (00001013-d102-11e1-9b23-00025b00a5a5)
- Unknown Characteristic [W] (00001018-d102-11e1-9b23-00025b00a5a5)
- Unknown Characteristic [N R] (00001014-d102-11e1-9b23-00025b00a5a5)
 Client Characteristic Configuration (0x2902)
- Unknown Characteristic [R] (00001011-d102-11e1-9b23-00025b00a5a5)
Scan Parameters (0x1813)
- Scan Interval Window [WNR] (0x2A4F)
- Scan Refresh [N] (0x2A31)
 Client Characteristic Configuration (0x2902)
Human Interface Device (0x1812)
- HID Information [R] (0x2A4A)
- Report Map [R] (0x2A4B)
 External Report Reference (0x2907)
- Boot Keyboard Input Report [N R] (0x2A22)
 Client Characteristic Configuration (0x2902)
- Boot Keyboard Output Report [R W WNR] (0x2A32)
- Report [N R] (0x2A4D)
 Client Characteristic Configuration (0x2902)
 Report Reference (0x2908)
- Report [N R] (0x2A4D)
 Client Characteristic Configuration (0x2902)
 Report Reference (0x2908)
- Report [R W WNR] (0x2A4D)
 Report Reference (0x2908)
- HID Control Point [WNR] (0x2A4C)
- Protocol Mode [R WNR] (0x2A4E)
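As an added illustration (not code from this thread or from Nordic's app), a small Python parser for the nRF Connect service listings quoted above and in the first post: it collapses UUIDs on the Bluetooth base into their 16-bit form, lists which characteristics accept writes (W / WNR), and decodes a read value such as the Appearance bytes "(0x) 20-06" into the little-endian integer that nRF Connect shows as "[1568]". The sample dump is a constructed excerpt of the Remocon listing above.

```python
import re
# Constructed excerpt of the nRF Connect listing for the Gear 360 Remocon quoted above.
NRF_DUMP = """\
V   08:01:19.053   Generic Attribute (0x1801)
Battery Service (0x180F)
- Battery Level [N R] (0x2A19)
 Client Characteristic Configuration (0x2902)
Unknown Service (00001016-d102-11e1-9b23-00025b00a5a5)
- Unknown Characteristic [R W] (00001013-d102-11e1-9b23-00025b00a5a5)
- Unknown Characteristic [W] (00001018-d102-11e1-9b23-00025b00a5a5)
- Unknown Characteristic [N R] (00001014-d102-11e1-9b23-00025b00a5a5)
Human Interface Device (0x1812)
- Report Map [R] (0x2A4B)
- HID Control Point [WNR] (0x2A4C)
"""

UUID = r"(0x[0-9A-Fa-f]{4}|[0-9a-fA-F-]{36})"
BT_BASE = re.compile(r"^0000([0-9a-fA-F]{4})-0000-1000-8000-00805f9b34fb$")
# Service lines may carry the nRF log prefix ("V   08:01:19.053   "); descriptor lines are indented.
SERVICE_RE = re.compile(r"^(?:[VDIA]\s+\d\d:\d\d:\d\d\.\d+\s+)?(.+?) \(" + UUID + r"\)$")
CHAR_RE = re.compile(r"^- (.+?) \[([A-Z ]+)\] \(" + UUID + r"\)$")

def short_uuid(uuid):
    """Collapse a 128-bit UUID on the Bluetooth base UUID into its 16-bit form."""
    m = BT_BASE.match(uuid)
    return "0x" + m.group(1).upper() if m else uuid

def parse_gatt_dump(text):
    """Return {service_uuid: [(name, [properties], char_uuid), ...]}; descriptor lines are skipped."""
    services, current = {}, None
    for line in text.splitlines():
        m = CHAR_RE.match(line)
        if m and current is not None:
            services[current].append((m.group(1), m.group(2).split(), short_uuid(m.group(3))))
            continue
        m = SERVICE_RE.match(line)
        if m and not line.startswith((" ", "-")):
            current = short_uuid(m.group(2))
            services[current] = []
    return services

def writable_characteristics(services):
    """(service, characteristic) pairs a client may write to: W = write, WNR = write without response."""
    return [(svc, uuid) for svc, chars in services.items() for _, props, uuid in chars if {"W", "WNR"} & set(props)]

def decode_read_value(hex_bytes):
    """Turn an nRF Connect '(0x) 20-06' value into raw bytes and the little-endian uint16 nRF shows in brackets."""
    raw = bytes.fromhex(hex_bytes.replace("-", ""))
    return raw, (int.from_bytes(raw[:2], "little") if len(raw) >= 2 else None)
```

Run over the full Remocon listing, the same functions show that the vendor service 00001016-d102-11e1-9b23-00025b00a5a5 exposes two writable characteristics and one that notifies, which is where a GATT client probe of the kind suggested later in the thread would start.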
 

Zliko

Member
No luck. With a spoofed MAC address (from your BT remote) still no pairing. Have you tried to sniff BT traffic remote<>Gear 360 with a passive BT sniffer?
 

warwound

Expert
Licensed User
Longtime User
Have you tried to sniff BT traffic remote<>Gear 360 with a passive BT sniffer?

No.

Instead I wrote an Android app that connects to the Gear 360 Open Spherical Camera interface over WiFi.
A bluetooth game controller (cheapie from Banggood) connects to the Android device and my app listens for keypresses from the gamepad.
When the correct keypress is detected, my app sends the OSC takePicture command.

It works but is clumsy.
I'm still very interested in hacking into the Gear 360 remote control service but don't have the time to research it all.
 

Zliko

Member
Does it save the picture to the SD card or does it just send a stitched pic to the Android device?

Seems even the damn BT remote is using the Samsung Accessory Framework service, so without emulating authorisation from that service we can't use a generic BT remote. Really pissed off at Samsung and their way of "protecting" something as trivial as a shutter remote :/
 

warwound

Expert
Licensed User
Longtime User
My remote simply 'takes a picture' and everything else happens as if you'd physically pressed the shutter button: a dual fish-eye image is saved to the Gear 360.
Have you worked with the Open Spherical Camera API on the Gear 360 yet?
My remote just uses the OSC 'takePicture' command via the WiFi OSC API.

In a previous post I included some info I got from my Gear 360 using the Android nRF Connect app.
If you install that app and connect to your Gear 360 you'll see the same service characteristics listed.
The app allows you to connect to a service and send or receive values.
Could you go through the various service characteristics and try to send or receive at least one value?
If that works then it might indicate whether or not the remote service is locked down to the Samsung Accessory Framework...

Have you seen the specs of the new Gear 360?
The 'live streaming 360 view' sounded very tempting to me and I thought I'd upgrade, then I read the specs and saw the new Gear 360 has just HALF the resolution of the original Gear 360.
Original Gear 360 has ~30 megapixels, new Gear 360 has ~15 megapixels.

Is that crazy or what?
Samsung's lack of official responses to Gear 360 bugs reported on the Samsung Developers website is also crazy!
 

Zliko

Member
Haven't checked the OSC API on the Gear much yet (only tried to hook it to an iPhone, since it's the only way to connect with iOS). Will check it out with Android. Have you noticed whether there is a bigger battery drain when using the Gear in WiFi OSC mode? I have checked with a USB amp meter (but not very precise): idle Gear turned on while charging 0.59A, in OSC WiFi mode 0.61-0.64, which is not a lot at all.

Services are unknown and I can't send any cmd via BT if not paired :/ After reading this http://developer.samsung.com/html/techdoc/ProgrammingGuide_Accessory.pdf it's clear that Samsung is using it on all its accessories.

Seen the specs of the new Gear 360, do not like 'em at all! Lower photo resolution, a tad higher video resolution but with 24fps (wtf? are they nuts? for a proper VR experience 60fps is a must!), live streaming (at only 2K???), the lenses are less spaced so I guess stitching is better, but still the new Gear seems inferior to the older model by far :/
 

Zliko

Member
Playing with OSC. I can get a sessionId response, but when I send camera.takePicture, the cam just reboots...

Tested in OSC mode, the battery lasts as long as it does without!
 

Zliko

Member
Doh, via OSC the camera can't record unstitched, only stitched JPEGs (and the camera does it badly), that's why it needs a 10 sec interval.
 

warwound

Expert
Licensed User
Longtime User
Doh, via OSC the camera can't record unstitched, only stitched JPEGs (and the camera does it badly), that's why it needs a 10 sec interval.

That doesn't sound right, I'm sure that the Gear 360 is not capable of stitching fisheye to equirectangular.
 

Zliko

Member
Believe me. Running a script in bash (camera.takePicture cmd) every 10-15s I can retake a new one. Was wondering why, then I looked at the pics on the SD card: they are stitched! Hence the 10-15s delay until the camera stitches 'em (and the stitching is really bad). Now since the camera is using only the level 1 OSC API, there is not much to do. I can't find in the API documentation any cmd or parameter to disable stitching; there is a camera.processPicture cmd but only for the level 2 API, for the camera to process unstitched photos already on the SD card, but I can't find anywhere a cmd to shoot pictures and leave 'em unprocessed. Maybe some undocumented Samsung-specific API cmd?

Man, if I only knew it was this hard to hack the Gear 360 for something as trivial as a common photo timelapse... Have you seen the Xiaomi (Mijia) 360 camera? Not bad specs, 6912x3456 pix for photo (though the price through resellers in presale is too much, $320!).
 

warwound

Expert
Licensed User
Longtime User
Believe me. Running a script in bash (camera.takePicture cmd) every 10-15s I can retake a new one. Was wondering why, then I looked at the pics on the SD card: they are stitched!

Wow, you know I never even noticed that OSC mode stitched the fisheye automatically!
Just took a snap and you're right.

Now since the camera is using only the level 1 OSC API, there is not much to do. I can't find in the API documentation any cmd or parameter to disable stitching; there is a camera.processPicture cmd but only for the level 2 API, for the camera to process unstitched photos already on the SD card, but I can't find anywhere a cmd to shoot pictures and leave 'em unprocessed. Maybe some undocumented Samsung-specific API cmd?

Maybe, but I think you'd only find out for sure if you could decompile the firmware - a time consuming operation.

It's a shame Samsung have only implemented a buggy OSC 1 interface for developers to use and never published an SDK or any real documentation on the proprietary side of the firmware.
It's also a shame (though very typical of Samsung) not to update and fix the OSC interface.

Have you seen the Xiaomi (Mijia) 360 camera? Not bad specs, 6912x3456 pix for photo (though the price through resellers in presale is too much, $320!).

Looks OK but not over-specced.
With the new Gear 360 spec being such a disappointment to me I doubt I'll upgrade from the original Gear 360 anytime soon.

I dug out my old demo OSC project and library files.
I'd started to create a new OSC library that would be compatible with both versions of the OSC API but never completed it - like so many projects I moved on to new things.
There's an html file which (partly) documents the various objects.
As well as my new OSC library the project requires: FusedLocationProvider, GPS, JSON, and Network libraries.
It's attached if you'd like to take a look.
If you're into java and want the library source (an Eclipse project) then let me know.

Martin.
 

Attachments

  • osc library and demo.zip (95.6 KB)