Hacking the Girltech IM-ME USB Wireless device
The Girltech IM-ME is a basic USB radio transmitter paired with a small console-like device. It was suggested to me on the TP hacking thread I posted up a while ago. Hacking the IM-ME turned out to be an easy reverse-engineer, as there is no crypto to worry about and everything is sent in cleartext hex (everything). For $12, this makes quite a nice little wireless console device. Read on for the protocol and info on implementing your own driver.
After ordering the IM-ME as a filler item on Amazon (what won't I do for super-saver shipping), I plugged it in to my linux box. It was recognized as a standard HID device. This is good, as Girltech obviously didn't go to any great lengths to protect the communication coming off this thing. At this point, I could have either loaded up a windows VM with a promiscuous USB driver at the host OS level, or loaded up a windows VM with snoopypro installed. I went (as I usually do when reverse-engineering usb protocols) with snoopypro. The output driver strings are quite easy to read and patterns are colored by communication direction.
I set up a user 'toastc2c' with a password 'password'. The default software install (Windows only) is basically an online multiplexer. You log into their software, which syncs with their website. Each instant message is sent to the handheld with an identifier string, which is used by the device to pagify the different messages. This is great, as it's pretty much arbitrary what we pipe down to the device. I figured I would need to inject some custom messages to the device (standard crypto protocol breaking stuff like huge messages, repeated characters, etc.) to get a handle on the communication scheme, but that wasn't really necessary. Turns out it's all cleartext hex, all the time. Either initialize with a VM and inject your own messages, or copy the init strings out of the spreadsheet I post below and init/multiplex with libusb.
Here is a spreadsheet with the initialization strings and username/password authentication. This is more than enough to write an interface driver with libusb. I'm not sure about the DMCA implications of releasing a driver, but there's a script out there to ease the process for you if you're new to it. Note that the device receives data as single-byte strings, each padded with a 0x00 byte. My username is 'toastc2c', which you can see is clearly transmitted and accepted by the receiving device (IM-ME USB dongle->console pairing). Happy hacking!
November 18th, 2009 - 15:13
I was wondering about this device too, like the freq it transfers at. But your data on it makes it even easier to use. I’m definitely getting a couple but I’d have to paint it.
November 18th, 2009 - 15:15
Hey Athlor,
Yeah, the hot pink really isn’t my style either
I’ve been meaning to get a software radio project going, if I ever get that moving I’ll get you the specs on antenna frequency, gain etc etc. In the meantime the usb driver should be enough for full usefulness. Good luck!
November 24th, 2009 - 13:39
Love to read your stuff, even though I don’t understand most of it!
November 25th, 2009 - 07:49
Great Read, looking forward to seeing the end results, Keep up the good work mate
November 25th, 2009 - 11:00
Hey Adam,
Thanks, Not sure if I can release the driver I wrote (dmca) but I may put up a video of it in action. Not a bad 12$ investment..
November 26th, 2009 - 00:59
Nice work with the IM-me.
You using just free software to do the RE of USB protocols?
I’m thinking of trying to see if I can get a USB Missile Launcher working under linux
http://www.dreamcheeky.com/index.php?pagename=product&pid=41
I know the protocol for the version without the webcam has been reverse-engineered. I’m hoping it works like the camless version with a standard webcam attached.
Pan-Tilt webcam for $40.
BTW: I found a site about squeezing Linux down to fit in 1M of flash. http://sites.google.com/site/bifferboard/Home/howto/faster-route-to-kernel–initrd
It’s for a x86 board.
And sorry it’s taking so long to write more about my Z2 project. I got distracted thinking about DTN and robot carrier pigeons.
November 27th, 2009 - 12:06
Hey DrA,
Yep, just using snoopypro (free on sourceforge) to snoop on the usb packets, virtualbox (free from sun/oracle) to run a windows virtual machine and the driver software, and openoffice spreadsheet for output.
I’ve seen those usb missile launchers. The webcam version seems pretty cool. I used to write drivers for ccd cameras which are quite similar, I’d imagine you won’t have too much trouble with it. It’s generally send an init string, receive the vendor ID, request a frame, receive a block size followed by the frame (unless all frames are the same size, I’ve seen that too).
You can get a pan/tilt webcam on geeks.com pretty cheap if you don’t want to roll your own, but I think the missile launcher is more fun.
That x86 1mb linux kernel is interesting. The patchfile seems specific to x86 and the bboard they’re using, but I imagine there’s a 1mb arm kernel out there somewhere. It reminds me greatly of the ceiva linux port (http://www.heeltoe.com/software/ceiva/Ceiva-mini-HOWTO.html).
Lol on robot carrier pigeons, I imagine you’d be using rfc1149? http://www.rfc-editor.org/rfc/rfc1149.txt
Good Luck!
November 28th, 2009 - 15:14
Hi Hunter,
I spotted these devices about 6 months ago. I thought about hacking them then; now you’ve nudged my interest, I have ordered one of these devices (£9!) with the aim of just playing with it. Ideally get some text back and forth into a python application.
Thanks for the spreadsheet, I think I can follow it. Alas I have no windows machine so it is very helpful.
You mentioned “script out there to ease the process” Any other clues ?
Any further details on the identification string I did not follow the detail.
Thanks,
Brendan
November 29th, 2009 - 09:57
Hi Brendan,
No problem, happy to help out. Here’s an article on libusb (which I believe has a userspace python implementation) http://jespersaur.com/drupal/book/export/html/21 . They mention in this article the perl script I recalled, which sets up a skeleton driver for you based on sniffed traffic. I’ve not used it myself, but some have had success with it.
You can get the ident string with a search of the usb devices with similar code to the one posted above
#include <stdint.h>
#include <usb.h>   /* libusb-0.1 API: usb_init, usb_find_busses, usb_get_busses, ... */

/* Walk every USB bus and every device on it, and return the first device whose
   vendor/product ID pair matches; NULL if no such device is plugged in. */
static struct usb_device *findKeyboard(uint16_t vendor, uint16_t product)
{
    struct usb_bus *bus;
    struct usb_device *dev;
    struct usb_bus *busses;

    usb_init();           /* initialise the library */
    usb_find_busses();    /* enumerate busses ... */
    usb_find_devices();   /* ... and the devices attached to them */
    busses = usb_get_busses();

    for (bus = busses; bus; bus = bus->next)
        for (dev = bus->devices; dev; dev = dev->next)
            if ((dev->descriptor.idVendor == vendor) && (dev->descriptor.idProduct == product))
                return dev;
    return NULL;
}
This’ll be needed in addressing the device if you’re going to write a driver and not just inject packets to the device. I’m interested to hear how you end up using this device, lots of interesting use cases I’m sure. Good Luck!
November 30th, 2009 - 13:43
Can you perhaps post a link to snoopypro?
Can’t find it on sf.net
Thanks
November 30th, 2009 - 13:47
Any relation between this device and the IMFree?
November 30th, 2009 - 13:58
Nice post. I might have to go pick one of these up a wireless terminal would be pretty sweet.
November 30th, 2009 - 15:07
Hey bro,
Here’s a good version of snoopypro :
http://sourceforge.net/projects/usbsnoop/files/
Hey Eliot,
Without seeing the base station or snooping the traffic it’s hard to tell. With the imfree, it can multiplex up to 7 devices for one usb radio. The im-me doesn’t appear to have this ability, though I don’t have an extra one to check. If the radio protocol is well behaved (tdma style packet timing etc) they may be using the same hardware and just multiplexing the messages at the pc layer.
Hey max,
I’d be interested to hear what you come up with if you pick one up. GL
yeah they are quite cheap for the job they do
November 30th, 2009 - 16:30
Would you be able to use this as a mini wireless keyboard for a pc?
November 30th, 2009 - 16:35
What’s the issue with not releasing the code? You’ve already posted the reverse engineering data…
November 30th, 2009 - 16:46
Hey Blueman,
Sure, though you’d need to write a driver for this functionality. I’ve seen other small wireless keyboards that use standard usb keyboard HID drivers though, for about the same cost… so if that’s the use case you may be better going proprietary. On the other hand, this is a great opportunity to learn usb drivers etc. Good Luck!
November 30th, 2009 - 16:49
Hey Leigh,
The spreadsheet I released is how one could circumvent the proprietary software with a driver. A driver would actually circumvent the proprietary software. There may actually not be an issue (other than my half-ass driver code being embarrassing), but for the time being I’m most comfortable taking you most of the way there and pointing you in the right direction. Apologies if this is frustrating. As usual I’m more than happy to answer any specific questions you had. Good Luck!
November 30th, 2009 - 17:35
Is there anyway that you could send me the driver that you have created? I have no experience whatsoever with writing drivers and I don’t even know where to start.
November 30th, 2009 - 17:43
I would freely admit that this is a great idea.
Except for one problem: Amazon is selling them as part of a bundle deal, namely buying two devices, plus any extras, for a separate firm.
Can you post a link for the individual one?
November 30th, 2009 - 17:59
Hey Archer,
Sure, if I get it cleaned up this weekend I’ll send it to you first.
Hey GCL,
Haven’t seen the bundle deal myself, I picked one up from amazon, looks like they may have some left. Hope you can snag one, GL
here
November 30th, 2009 - 18:33
@GCL
Single one:
http://www.amazon.com/gp/product/B000NX1LUM/ref=s9_simz_gw_s0_p21_i2?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-2&pf_rd_r=1J8PBDN7XE76X7PK0S0P&pf_rd_t=101&pf_rd_p=470938631&pf_rd_i=507846
November 30th, 2009 - 20:53
thanks for the link!
Anyone know where to grab one in germany ? (unfortunately not at amazon :/)
November 30th, 2009 - 22:50
i had contacted the original makers of the device about two years back. their name is arrayent. after explaining to them that i just wanted to reverse engineer their device for my own benefit, they emailed me full protocol specsheets, and example win32 hid code to interface with the dongle. i’ve used the device briefly back and forth, but it mostly sat after the thrill of bending its will wore off…
December 1st, 2009 - 00:22
Well I’ll be a bored Jedi Knight (and Time lord) two examples of the exact same page.
Thank you Hunter, and you too Max.
@Saturnnights
Would you be interested in sharing your findings on the little devil? Or did they insist on an NDA?
December 1st, 2009 - 00:30
Did you open this little toy to see what’s inside? It would be nice to see if there is any debug COM port or something and be able to use it as a RC COM port, similar to some BT boards that cost 50+ bucks.
December 1st, 2009 - 06:35
@gcl
they didn’t…really say anything in regards to the matter. the only hope was that whatever i was doing wouldn’t violate the sanction of a predator free communication environment. since i wasn’t using their software at all, i assured them all was good.
December 1st, 2009 - 16:12
What’s the battery time like on the console (usage, idle, charge time)?
I see some emoticons on the girltech website, do you know if they are stored on the console or transmitted to the device?
December 1st, 2009 - 18:53
Hey Wireghoul,
Don’t know about the battery life, still on my first set. I would be interested to know these questions as well.. I believe the emoticons are stored on the device, but as its paired with the usb before login the only emoticon I can safely say is coming from the device is the smiley face displayed on the error screen.
December 2nd, 2009 - 11:10
How about Rip Roar?
http://www.amazon.com/Manley-34727-Rip-Roar-Messanger/dp/B000P446BA/ref=pd_sim_t_4
December 2nd, 2009 - 11:11
Hey Skorianez,
I just ordered one of those yeah, I’ll let you know how it goes
December 2nd, 2009 - 19:22
So how hackable is the handheld IM-Me unit? Anyone cracked it open? At that price I’m fully expecting chip-under-blob packaging, cheap single-sided phenolic board and just maybe a serial programming port. Or we might get really really lucky…
December 2nd, 2009 - 19:26
Hey Jonathan,
Haven’t cracked one open myself, but you’re welcome to enter the hackaway 2009 to win one. I’d be interested to know what’s in there as well.
December 2nd, 2009 - 20:25
I ordered one, the first thing I will do is open it and look for serial ports and maybe useful chips (if not covered by the evil blob).
December 2nd, 2009 - 20:29
Nice that’ll be interesting, especially with the other knock-off devices floating around there may be some crossover.
December 4th, 2009 - 07:50
I ordered one from amazon, and just ripped open the USB dongle looking for a serial or i2c port to interface into an arduino.
It came open easily enough — pop the snap-on cover with a knife, then remove 6 screws.
The board itself consists of a male USB connector, two IC’s, and a few caps and SMT components. No evil blob.
One of the two IC’s is a TI cc1110 f32 system-on-chip with a few unpopulated footprints. One of those pairs appears to be the debug port, another is for an external oscillator.
The other is a cy7c63803 USB controller with no unpopulated headers.
Based on what I see, the best approach might be to snoop the SPI communication between the two chips. The pin spacing on the USB controller chip is certainly wide enough to make that possible.
December 4th, 2009 - 08:12
Great info Bill! That’s quite interesting. Looks like there is some activity with that SoC as well, someone’s posted source code for interfacing with sp1 on the TI cc1110 http://forum.allaboutcircuits.com/showthread.php?t=12485 . Good Luck!
December 4th, 2009 - 23:20
How about the device itself, not the USB receiver part?
I hope to get mine tomorrow, but it might come Monday.
December 5th, 2009 - 12:36
Ok, got mine today.
I opened the main unit, just on one side so far, and it has the TI cc1110 f32 on it, but also 5 soldering pads that can even be accessed through the battery compartment. I don’t know what they are yet, will test with the oscilloscope tonight.
December 5th, 2009 - 12:56
Hello!
Well mine arrived yesterday. It was expected Monday. I suspect that UPS decided to deliver it early because they thought it was ordered as a gift.
The TI series of SoC-designed commo chips are interesting ones. There are good docs on the TI site.
December 5th, 2009 - 18:36
After playing with the scope a bit, it does not seem that those connectors are COM ports, there is no signal going out. I didn’t trace to see what pins they go to though.
BTW, I was able to measure the current draw, and at 4.4v it seems to be just 8 mA with the backlight on. Probably less than that if the power LED is removed. However, the device was in stand by, not connected to the PC, so it is possible that the radio will draw more.
December 5th, 2009 - 18:51
Hunter, can you please e-mail me your source code for the tests you did with the IM-ME? Or even make them public? Since there is no encryption circumventing, and since it is done for the purpose of compatibility with other OSes, there is no DMCA clause that would apply.
December 5th, 2009 - 19:49
Ya, as soon as it’s cleaned up i’ll send it over.
December 8th, 2009 - 20:54
I can haz im-me driver code?
Probs best to just post it here if you’re giving it out – i have no clue how to go about making it
You could, alternatively, post a howto on making your own if you think that its risky to release code. I’m all for a howto!
–neg
December 9th, 2009 - 08:40
Hey neg,
That’s a good idea. I just got in the rip-roar, and it appears to be very similar to the im-me. I’ll write up a tutorial to walk you through, once I get a spot of free time
December 13th, 2009 - 22:32
This would make a nice HTPC / Media PC keyboard !
December 14th, 2009 - 17:28
totally would !
December 29th, 2009 - 17:33
I’d like to add my vote for a howto on writing a driver app for this device. I’ve had some luck reverse engineering other devices to work under Linux, but some help with this one would be most welcome. I’m planning on using it as a reminder unit by the front door, especially if I can find a way to flash the backlight remotely.
December 29th, 2009 - 17:45
Hey Caffeineated,
Right on. I’ve got my rip-roar in, just gotta find the time to write up the driver/tutorial for it. Sounds like an interesting use case. Not sure if you can flash the backlight remotely through the existing protocol, might end up needing a physical hack for that. Should be interesting either way. Good Luck!
January 5th, 2010 - 06:45
I’d be interested in seeing your code too! I’m attempting to develop an application (not a driver) to talk to the device. I’m rather new to USB programming, and I’m getting a nice report from the device every couple of seconds or so but haven’t figured out how to send data to it just yet.
January 10th, 2010 - 11:23
I’m attempting to write a driver for it right now to initialize it. Data can be sent to the device using libusb’s usb_control_msg function.
usb_control_msg(devh, 0x21, 0x09, 0x0200, 0, tmp, 2, 600)
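An added example, not code from the post, its author or any commenter, that ties together two things on this page: the post's note that the device takes its data one byte at a time, each padded with 0x00, and the usb_control_msg() call in the comment above (0x21, 0x09, 0x0200, length 2). It assumes that each 2-byte transfer carries one ASCII character followed by the 0x00 pad; the function names (is_hid_set_output_report, encode_reports, decode_reports, recovered_login, roundtrip_ok) are mine, and the "captured" bytes are constructed from the username the post shows rather than taken from a real trace. The meaning of the SETUP fields (0x21 = host-to-device class request to an interface, 0x09 = HID SET_REPORT, wValue high byte 0x02 = Output report) comes from the USB HID class specification, not from the page. Decoding a capture back to the login string is what makes the post's "it's all cleartext" observation concrete: anyone who can see the USB traffic sees the credentials.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumption (from the post's description): every report carries one ASCII
   byte followed by a single 0x00 padding byte, so the transfer length is 2. */
#define REPORT_LEN 2

/* Classify the SETUP fields handed to usb_control_msg(). Returns 1 when they
   form an HID SET_REPORT for an Output report addressed to an interface.
   bmRequestType 0x21 = host-to-device | class request | recipient interface;
   bRequest 0x09 = SET_REPORT; wValue high byte 0x02 = Output report type,
   low byte = report ID (0 here). */
static int is_hid_set_output_report(uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue)
{
    int host_to_device = (bmRequestType & 0x80) == 0;
    int class_request  = ((bmRequestType >> 5) & 0x03) == 1;
    int to_interface   = (bmRequestType & 0x1f) == 1;
    int set_report     = bRequest == 0x09;
    int output_report  = (wValue >> 8) == 0x02;
    return host_to_device && class_request && to_interface && set_report && output_report;
}

/* Encode a message into back-to-back 2-byte reports (one per character).
   Returns the number of reports produced, or -1 if the buffer is too small. */
static int encode_reports(const char *msg, uint8_t *out, size_t out_len)
{
    size_t n = strlen(msg);
    if (n * REPORT_LEN > out_len) return -1;
    for (size_t i = 0; i < n; i++) {
        out[i * REPORT_LEN]     = (uint8_t)msg[i];
        out[i * REPORT_LEN + 1] = 0x00;   /* padding byte */
    }
    return (int)n;
}

/* Reassemble cleartext from a run of captured reports, as a sniffer would show
   them. Returns the character count, or -1 if length or padding break the framing. */
static int decode_reports(const uint8_t *reports, size_t len, char *out, size_t out_len)
{
    if (len % REPORT_LEN != 0) return -1;
    size_t n = len / REPORT_LEN;
    if (n + 1 > out_len) return -1;
    for (size_t i = 0; i < n; i++) {
        if (reports[i * REPORT_LEN + 1] != 0x00) return -1;  /* pad byte not 0x00 */
        out[i] = (char)reports[i * REPORT_LEN];
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed capture: the post's username 'toastc2c' as one report per
   character. Built by hand for this example, not taken from a real trace. */
static const uint8_t captured_login[] = {
    't', 0x00, 'o', 0x00, 'a', 0x00, 's', 0x00,
    't', 0x00, 'c', 0x00, '2', 0x00, 'c', 0x00,
};

/* Decode the constructed capture into a static buffer; NULL on framing error. */
static const char *recovered_login(void)
{
    static char buf[32];
    if (decode_reports(captured_login, sizeof captured_login, buf, sizeof buf) < 0)
        return NULL;
    return buf;
}

/* Encode then decode a message; returns 1 if the text survives the trip unchanged. */
static int roundtrip_ok(const char *msg)
{
    uint8_t reports[256];
    char text[129];
    int n = encode_reports(msg, reports, sizeof reports);
    if (n < 0) return 0;
    if (decode_reports(reports, (size_t)n * REPORT_LEN, text, sizeof text) != n) return 0;
    return strcmp(msg, text) == 0;
}

int main(void)
{
    printf("SETUP 0x21/0x09/0x0200 is SET_REPORT(Output)? %d\n",
           is_hid_set_output_report(0x21, 0x09, 0x0200));
    printf("login recovered from capture: %s\n", recovered_login());
    printf("roundtrip of 'password' ok? %d\n", roundtrip_ok("password"));
    return 0;
}
```

encode_reports() produces exactly the byte pairs that a driver would hand to usb_control_msg() one pair per call; decode_reports() is the inverse and refuses input whose pad bytes are not 0x00, which is the quickest way to tell whether a capture actually follows the framing assumed here.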