HunterDavis.com 4.0!

15Nov/09

Hacking the Girltech IM-ME USB Wireless device

The Girltech IM-ME is a basic USB radio transmitter paired with a small console-like device. It was suggested to me on the TP hacking thread I posted a while ago. Hacking the IM-ME turned out to be an easy reverse-engineer, as there is no crypto to worry about and everything (everything) is sent as cleartext hex. For $12, this makes quite a nice little wireless console device. Read on for the protocol and information on implementing your own driver for the IM-ME instant messenger device.

After ordering the IM-ME as a filler item on Amazon (what won't I do for super-saver shipping), I plugged it into my Linux box. It was recognized as a standard HID device. This is good, as Girltech obviously didn't go to any great lengths to protect the communication coming off this thing. At this point, I could have either loaded up a Windows VM with a promiscuous USB driver at the host OS level, or loaded up a Windows VM with SnoopyPro installed. I went (as I usually do when reverse-engineering USB protocols) with SnoopyPro. The output driver strings are quite easy to read, and patterns are colored by communication direction.

I set up a user 'toastc2c' with a password 'password'. The default software install (Windows only) is basically an online multiplexer. You log into their software, which syncs with their website. Each instant message is sent to the handheld with an identifier string, which the device uses to pagify the different messages. This is great, as it's pretty much arbitrary what we pipe down to the device. I figured I would need to inject some custom messages into the device (standard protocol-breaking stuff like huge messages, repeated characters, etc.) to get a handle on the communication scheme, but that wasn't really necessary. Turns out it's all cleartext hex, all the time. Either initialize with a VM and inject your own messages, or copy the init strings out of the spreadsheet I post below and init/multiplex with libusb.

Here is a spreadsheet with the initialization strings and username/password authentication. This is more than enough to write an interface driver with libusb. I'm not sure about the DMCA implications of releasing a driver, but there's a script out there to ease the process for you if you're new to it. Note that the device receives data as one-byte hex strings, each padded with 0x00. My username is 'toastc2c', which you can see clearly transmitted and accepted by the receiving device (IM-ME USB dongle -> console pairing). Happy Hacking!

Comments (67) Trackbacks (4)
  1. Hi saturnnights !
    I would be interested about the files arrayent sent you.
    Would you mind sharing them ?
    Thanks

  2. Any ideas about the checksum of the init string?

  3. Hey Peter,

    Nothing comes to mind… Has anyone else successfully parsed the init strings and checksum?

    /H

  4. I managed to isolate 4 different messages (from IM-ME -> device) and it
    appears they have a checksum too :/
    I output the letters a, b, c and a sentence (i like apples) – here are the
    results:

    a = 61 -> EE, EF, F0
    b = 62 -> F1, F2, F3
    c = 63 -> F4

    Does this perhaps ring a bell?

    Did anyone yet succeed to send messages to the device using libusb?

  6. Okay, solved the checksum mystery:
    About the Checksum / Message
    #02 is the length of the whole message (including header), -2, presumably
    excluding 0xfa, 0xfb

    #05 is the length of the message, excluding #00-#05 and the checksum
    #09 is a sequence number (it somehow gets incremented by two, but okay)

    And the checksum is calculated the following way – add up everything,
    0xfa+0xfb+…..+0x00
    and add the value 11 to it -> modulo 256 => checksum.

    Checksum: 0, bro 1
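
The packet layout pieced together in the comments above (0xFA 0xFB prefix, length byte at #02, payload length at #05, sequence number at #09, and a checksum of byte-sum plus 11 modulo 256) is enough to write a builder and a validating parser. The following is an added example, not code from the post or from any of the commenters. It assumes the checksum sum covers every byte except the checksum slot itself (the trailing 0x00 in the formula above being that still-empty slot), that the message body starts right after the sequence byte, and that bytes 3-4 and 6-8, which the thread does not describe, are zero; those are assumptions of this example, not facts from the thread.

```python
# Added example: build and validate IM-ME style packets from the field layout
# described in the comment thread. Not the commenters' code; field positions
# the thread does not describe (bytes 3-4 and 6-8) are assumed to be zero here.

HEADER = bytes([0xFA, 0xFB])   # packet prefix noted in the thread
CHECKSUM_ADDEND = 11           # constant added to the byte sum before mod 256
BODY_OFFSET = 10               # assumption: body follows the sequence byte (#09)


def checksum(frame_without_checksum: bytes) -> int:
    """Checksum as described: sum every byte (0xFA, 0xFB, ...), add 11, mod 256."""
    return (sum(frame_without_checksum) + CHECKSUM_ADDEND) % 256


def build_packet(body: bytes, seq: int) -> bytes:
    """Assemble header, both length fields, sequence number, body and checksum."""
    total = BODY_OFFSET + len(body) + 1          # +1 for the trailing checksum byte
    if total - 2 > 0xFF:
        raise ValueError("body too long for a single-byte length field")
    frame = bytearray(total)                     # zero-filled, like the 0x00 padding
    frame[0:2] = HEADER
    frame[2] = total - 2                         # #02: whole length minus 2
    frame[5] = total - 7                         # #05: bytes after #05, minus checksum
    frame[9] = seq & 0xFF                        # #09: sequence number
    frame[BODY_OFFSET:BODY_OFFSET + len(body)] = body
    frame[-1] = checksum(bytes(frame[:-1]))      # checksum over everything before it
    return bytes(frame)


def parse_packet(frame: bytes) -> dict:
    """Validate header, both length fields and the checksum, then return the fields.

    Raises ValueError on any mismatch so a driver can drop corrupted or
    mis-framed HID reports instead of handing them to the message layer.
    """
    if len(frame) < BODY_OFFSET + 1:
        raise ValueError("frame too short")
    if frame[0:2] != HEADER:
        raise ValueError("bad header %02X %02X" % (frame[0], frame[1]))
    if frame[2] != len(frame) - 2:
        raise ValueError("length field #02 does not match frame length")
    if frame[5] != len(frame) - 7:
        raise ValueError("length field #05 does not match frame length")
    expected = checksum(frame[:-1])
    if frame[-1] != expected:
        raise ValueError("checksum %02X, expected %02X" % (frame[-1], expected))
    return {"seq": frame[9], "body": bytes(frame[BODY_OFFSET:-1])}


def is_valid(frame: bytes) -> bool:
    """True if parse_packet accepts the frame, False on any validation error."""
    try:
        parse_packet(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = build_packet(b"i like apples", seq=4)   # constructed sample body
    print(pkt.hex(" "))
    print(parse_packet(pkt))
    tampered = bytearray(pkt)
    tampered[BODY_OFFSET] ^= 0x01                 # flip one body bit
    print(is_valid(bytes(tampered)))              # checksum no longer matches
```

Because the checksum is a plain byte sum, it only catches accidental corruption; any party that can write to the USB bus can recompute it, which is consistent with the post's point that nothing on this link is authenticated.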

  7. Sorry I didn’t spot the activity in this thread before; I’ve got most of it working with a bit of reverse engineering (I need to get groups working). My implementation is not hugely robust, as I’ve written it as I’ve gone along, but hopefully you can make sense of it!

    You can find source code (and an app with no error handling) here – http://benryves.com/bin/im-me/im-me-2009.01.13.01.zip – Windows only, I’m afraid, but it’s written in C# so should be pretty easy to follow.

    To log into the demo program you’ll need to enter a username and password (the password is the same as your username), e.g. “steve”, “steve”. This will give you access to a friend list with two friends, Alice and Bob. Talking to any friend spits your message back to you with a time stamp.

    I’ve used a CRC32 to generate user IDs from the username; when using the normal IM-me software I assume this is your account ID (handled on their end).

    Incoming HID data is handled in “packets” (the things with a 0xFA, 0xFB prefix). Each packet has a “part x of y” field that is used to assemble them into larger “USB messages” (to distinguish them from the text messages that chatters send to each other). From there I hope you can follow what I’ve done; I had started writing up what I’d found, but kept discovering new things and had to start from scratch so decided to keep it simple!

    I have no idea how well this will handle multiple USB adaptors in a PC or how it will handle more than one IM-me connected to an adaptor.

  8. there seems to be an other hacking going on IM-Me:
    http://daveshacks.blogspot.com/

  9. elwing: That’s an interesting project, especially in relation to the TI watch! It’s a shame you can’t back up the original firmware (at least, I don’t think you can) but with the original protocol documented it should be relatively easy to rewrite something that works in a similar enough manner.

    The sample code I posted won’t work properly with more than one IM-me device at a time as it uses a single, global friend list for everyone. If two people connect, then one of them adds a new friend, the other person would see that person in their Who’s Online list even though they never added them as a friend. In reality the sample would need to be modified to maintain friend lists for each contact. (This is only a problem with the sample, and not the library itself).

    Oh, and I just realised that I’m still stuck in 2009. That’s what you get for uploading files at 3AM. :-P

  10. elwing,
    that’s definitely a fun project, can’t wait to see where it goes. Maybe a custom firmware is coming?

    Ben,
    Great work! What is the license on the code (GPLv2?) Between your C# implementation and Scott’s C implementation it sounds like we should have all alternate platforms covered :) Nice website too btw, especially like the new ATmega Tetris project!

    /H

  11. Thanks for the comment, Hunter (and thank you for this interesting site!) I tend to favour the permissive MIT as far as licences go, but I’m generally of the impression that if I’m releasing code, feel free to do whatever you want to with it. :-)

    I’ll continue to stick stuff in http://benryves.com/bin/im-me/ until I’ve written it up more formally. There’s a “Protocol.odt” document that I’ve stuck some information in that may be useful. There’s newer code that fixes a big bug in the way I handled incoming messages of more than one packet; I still can’t send messages of more than one packet, though. This may be due to my cack-handed attempt to use asynchronous file I/O, though.

  12. Thanks a lot for your work Ben Ryves.
    It will be very useful for me !

  13. I just got my IM-ME in this weekend. I have written a bit of Python code to interface with it, and I plan to make a library so that others may play with it a bit more easily. If anyone has any more information on this device that could be helpful, I would appreciate it.

  14. What format is your spreadsheet saved in? How do you open it? Text editor?

  15. Hey Symon,

    It’s in OpenDocument spreadsheet format. You can open it with OpenOffice or AbiWord, Google Docs, etc. If you’re just wanting the driver, we’ve put a couple of implementations up on a SourceForge page http://sourceforge.net/projects/im-megpldrivers/ (see later article on subject). Good luck!

  16. How hard is it to actually get this working as a wireless terminal? I am not the world’s greatest coder or even halfway decent at that, but would love to get one of these working on my Linux box.

  17. Hey rfxcasey,

    It’s actually very easy to get working now. Just download the new drivers from sourceforge and you should be great to go, no or absolutely limited coding necessary. Good luck!

