Here’s the super high level summary of the Meta Ray-Ban’s Bluetooth protocol (DataX/Airshield framework), based on traffic capture, decompiling the Meta Wearable SDK, and disassembling the Meta AI app:

To connect:

  • Get the PSM (port) for the L2CAP connection by reading BLE service FD5F, characteristic 05ACBE9F-6F61-4CA9-80BF-C8BBB52991C0. The value is 4 bytes; the last 2 bytes (little endian) are the PSM.
  • Open the L2CAP connection.
  • DataX sends messages on “channels”; each channel is connected to a “service”.

Both the phone and the device do this handshake:

  • in the first message, open channel 1 by connecting to service LINK_SETUP (0x05) and sending RequestEncryption message
  • wait for the other side’s RequestEncryption message
  • in the second message, on channel 1, send EnableEncryption
  • wait for the other side’s EnableEncryption
  • perform ECDH to get a shared secret, then set up encryption
  • This is all done in native code even in the Android phone app/SDK. Once the initial connection is open, though, other services are implemented in Java on the Android Meta AI app and SDK.
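As an added example (not code from the thread or from Meta's SDK), a Python helper that decodes the PSM characteristic as described above and checks that a captured message sequence follows the LINK_SETUP handshake order. The tuple event format, the "send"/"recv" labels, the string message names and the LE_PSM range check are my assumptions, since the thread gives no wire encoding.

```python
import struct

# Values stated in the thread: the LINK_SETUP service id and the channel the
# encryption handshake runs on. Message names are strings here (assumption).
LINK_SETUP_SERVICE = 0x05
HANDSHAKE_CHANNEL = 1
REQUEST_ENCRYPTION = "RequestEncryption"
ENABLE_ENCRYPTION = "EnableEncryption"


def parse_psm(value: bytes) -> int:
    """Decode the 4-byte characteristic value into the L2CAP PSM (last two
    bytes, little endian). The range check is added: 0x0080-0x00FF is the
    dynamic LE_PSM range, so anything else means we read the wrong thing."""
    if len(value) != 4:
        raise ValueError(f"expected 4 bytes, got {len(value)}")
    (psm,) = struct.unpack("<H", value[2:4])
    if not 0x0080 <= psm <= 0x00FF:
        raise ValueError(f"PSM 0x{psm:04x} is outside the dynamic LE_PSM range")
    return psm


def check_handshake(events):
    """events: (channel, service, direction, message) tuples in capture order,
    direction "send"/"recv" from the phone's point of view (assumed format).
    Rule from the thread: both sides exchange RequestEncryption, then both
    exchange EnableEncryption; nothing else should flow before that."""
    both_requested = {("send", REQUEST_ENCRYPTION), ("recv", REQUEST_ENCRYPTION)}
    seen = set()
    for channel, service, direction, msg in events:
        if channel != HANDSHAKE_CHANNEL or service != LINK_SETUP_SERVICE:
            if len(seen) < 4:
                return False, f"{msg} on channel {channel} before encryption was enabled"
            continue  # traffic on other services after the handshake is fine
        if msg == ENABLE_ENCRYPTION and not both_requested <= seen:
            return False, f"{direction} EnableEncryption before both RequestEncryption messages"
        if msg not in (REQUEST_ENCRYPTION, ENABLE_ENCRYPTION):
            return False, f"unexpected LINK_SETUP message {msg}"
        seen.add((direction, msg))
    if len(seen) == 4:
        return True, "encryption handshake complete"
    return False, f"handshake incomplete: {sorted(seen)}"


# Constructed sample captures (not real traffic): a good run followed by the
# CONSTELLATIONAUTH EnableTrust the device sends, and an out-of-order run.
GOOD_EVENTS = [
    (1, 0x05, "send", REQUEST_ENCRYPTION), (1, 0x05, "recv", REQUEST_ENCRYPTION),
    (1, 0x05, "send", ENABLE_ENCRYPTION), (1, 0x05, "recv", ENABLE_ENCRYPTION),
    (0x4F, "CONSTELLATIONAUTH", "recv", "com.meta.constellationauth.EnableTrust"),
]
BAD_EVENTS = [(1, 0x05, "send", ENABLE_ENCRYPTION)]
```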

    For pairing in the Meta AI App, the phone app sends IdentityRequest after opening the connection.

    When I tested connecting to the device, the device also opens:

    • channel 0x1e (identity/applinks) and sends com.oculus.applinks.EnableTrust
    • channel 0x4f (CONSTELLATIONAUTH) and sends com.meta.constellationauth.EnableTrust

    The SDK doesn’t have the applinks service (not sure if the phone app does), but does have code for handling CONSTELLATIONAUTH, including sending app manifests - this is probably how it checks if the SDK app is allowed.

    There are exactly 190 services. (check com/facebook/wearable/datax/ServiceId.smali in the ArWireless apk in the firmware) I'm... kinda overwhelmed by how much there is.
    (On my emulator, here are the processes that register services: https://gist.github.com/zhuowei/970917f896b50f343c5865bba163f574)
    It looks like, before identity authentication completes, the Meta Ray-Ban doesn't accept most other services: anything other than LINK_SETUP, CONSTELLATIONAUTH, IDENTITY, and APP_LINKS just gives error 0xc001 (SERVICE_NOT_FOUND).

    Finally tried running Starcruiser against my real Meta Ray-Ban glasses: When sending IdentityRequest to IDENTITY, I get a com.meta.identity.IdentityResponse (0x3001) back with:

    • certificate: a DER “Device Identity Certificate” signed by “Greatwhite Identity Intermediate CA”
    • serial: my device’s serial number
    • drk_certificate_present: true

    I also get an EnableTrust request (0x1000), also on service IDENTITY, from the device with:

    • identifier: a bunch of bytes
    • signature: another bunch of bytes

    I’m guessing I need to reply with the paired identifier and a signature using the key from my Meta AI app?

    My emulator isn’t paired, so if I try to send an (empty) EnableTrust to it, I just get

    02-07 10:27:04.052 1046 1905 I AirTrafficControl: Identity: Handling com.meta.identity.EnableTrust
    02-07 10:27:04.052 1046 1905 I AirTrafficControl: Sent com.oculus.atc.telemetry.LinkEvent (36 bytes)
    02-07 10:27:04.052 1046 1905 I AirTrafficControl: Identity:17c8: Authentication state changed: Ready -> EvaluatingTrust
    02-07 10:27:04.052 1046 1905 E AirTrafficControl: Identity:17c8: enable trust failed: missing app identity
    02-07 10:27:04.052 1046 1905 I AirTrafficControl: Identity:17c8: Authentication state changed: EvaluatingTrust -> Ready

    Maybe I need to test against my physical device from now on?