{"id":914,"date":"2016-06-22T16:04:11","date_gmt":"2016-06-22T15:04:11","guid":{"rendered":"http:\/\/ofalcao.pt\/blog\/?p=914"},"modified":"2016-06-22T16:23:42","modified_gmt":"2016-06-22T15:23:42","slug":"wedo-2-0-reverse-engineering","status":"publish","type":"post","link":"https:\/\/ofalcao.pt\/blog\/2016\/wedo-2-0-reverse-engineering","title":{"rendered":"WeDo 2.0 – reverse engineering"},"content":{"rendered":"
This post is part 1 of 6 of \u00a0WeDo 2.0 - reverse engineering<\/a><\/div>

This post tries to gather all the information I collected in the last weeks related to the WeDo 2.0.<\/p>\n

I’m not a programmer but I’m a very stubborn guy so after I managed to get my linux systems (my Ubuntu laptop, some Raspberry Pi’s and my two Mindstorms EV3) controlling the SBrick I told to myself: I’m gonna make the same with this new WeDo 2.0 system no matter what it takes.<\/p>\n

So first things first: let’s use my Android mobile to inspect the WeDo 2.0 Hub. Nordic has a very good (and free) app that I like to use: nRF Master Control Panel (recently renamed to nRF Connect). After connecting to the Hub we find 6 services:<\/p>\n

\"BLE<\/a><\/p>\n

Some of this services, like “Battery Service” are known BLE services so [hopefully] it will be easy to use.<\/p>\n

There’s also a very important finding at the top:<\/p>\n

“U0001 A0:E6:F8:1E:58:57<\/p>\n

“A0:E6:F8:1E:58:57” is the Bluetooth address of my Hub (similar to the MAC Address of every network device). It will be used *a lot* in the rest of this post.<\/p>\n

And “U0001” is the friendly name that the Hub advertises – that’s the name that shows up in the LEGO Education WeDo 2.0 App when connecting to the Hub:<\/p>\n

\"WeDo<\/a><\/p>\n

A note about this name: before I finally managed to make the LEGO Education WeDo 2.0 App work in my Android phone, my Hub advertised itself as “LPF2 Smart Hub 2 I\/O”. So the LEGO App changed it to “u0001”, probably at the first time it connected to it (but since my Hub was first used by 3 other AFOL’s at Paredes de Coura I’m not sure if the process is automatic or the user is given some kind of option).<\/p>\n

So the default (factory set) name of the Hub is “LPF2 Smart Hub 2 I\/O” – LEGO Power Functions 2 Smart Hub 2 I\/O”. Not much to speculate here: LEGO announced that Power Functions and Mindstorms will adopt a new plug type so new devices are expected, this is just the first one. But “Smart Hub 2 I\/O” is interesting… does that means that there will be other Smart Hubs? Perhaps even a “Smart Hub 4 I\/O”? That would answer some of the points I have been discussing with Fernando Conchas like “what’s the use for a 4.5 Volt device in LEGO Technic unless there’s also another device with better power features just waiting to come out”?<\/p>\n

Now let’s look deeper to those BLE services…<\/p>\n

I can use the nRF App and take a lot of screenshots but now that I know the BT address I will switch to my Ubuntu laptop and use 2 of the available BlueZ (the native Linux Bluetooth stack) functions, ‘hcitool’ and ‘gatttool’<\/p>\n

$ sudo hcitool -i hci0 lescan\r\nLE Scan ...\r\nA0:E6:F8:1E:58:57 (unknown)\r\nA0:E6:F8:1E:58:57 LPF2 Smart Hub 2 I\/O<\/pre>\n
sudo gatttool -i hci0 -b A0:E6:F8:1E:58:57 --primary\r\nattr handle = 0x0001, end grp handle = 0x0007 uuid: 00001800-0000-1000-8000-00805f9b34fb\r\nattr handle = 0x0008, end grp handle = 0x000b uuid: 00001801-0000-1000-8000-00805f9b34fb\r\nattr handle = 0x000c, end grp handle = 0x002f uuid: 00001523-1212-efde-1523-785feabcd123\r\nattr handle = 0x0030, end grp handle = 0x003e uuid: 00004f0e-1212-efde-1523-785feabcd123\r\nattr handle = 0x003f, end grp handle = 0x0045 uuid: 0000180a-0000-1000-8000-00805f9b34fb\r\nattr handle = 0x0046, end grp handle = 0xffff uuid: 0000180f-0000-1000-8000-00805f9b34fb<\/pre>\n
The ‘gatttool’ command is a powerfull tool for BLE – in the past, without a proper BLE library for python, I used it (through python system calls) to talk with the SBrick. Clumsy but… hey, I said I’m not a programmer \ud83d\ude09<\/p>\n
The ‘gatttool’ can run in an interactive mode that allows us to establish a connection and keep it until we disconnect instead of making a new connection each time we want to test a command:<\/p>\n
$ sudo gatttool -i hci0 -I\r\n[\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ][LE]> connect A0:E6:F8:1E:58:57\r\nAttempting to connect to A0:E6:F8:1E:58:57\r\nConnection successful\r\n[A0:E6:F8:1E:58:57][LE]><\/pre>\n
In this “interactive” session we just send ‘primary’ to get the same output as using the command with ‘–primary’ option [but sometimes the commands differ a bit, so use ‘help’ and ‘–help’ to know what to use.<\/p>\n
So the ‘primary’ command gets a list of the primary services offered by the WeDo 2.0 Hub. Of course, those are the same 6 services found by the Nordic app but that screenshot looks much better as Nordic developers added lots of intelligence to it.<\/p>\n
First service:<\/p>\n
attr handle = 0x0001, end grp handle = 0x0007 uuid: 00001800-0000-1000-8000-00805f9b34fb<\/pre>\n
The Nordic app shows just:<\/p>\n
Generic Access
\nUUID: 0x1800
\nPRIMARY SERVICE<\/p>\n
So this service has 7 handles assigned (from 0x0001 to 0x0007) and serves a well know service (the ‘Generic Access<\/a>‘) so it’s UUID is shortened to just 0x1800 instead of ‘00001800-0000-1000-8000-00805f9b34fb’.<\/p>\n
Bluetooth specification for ‘Generic Access’ defines 5 properties:<\/p>\n