Bluetooth Hacking?
Openbeacon Axbo

aXbo meets Sputnik

This document describes the protocol of the data that is transmitted wirelessly from a motion sensor to an aXbo sleep phase alarm clock. It describes the components and protocols needed to read and evaluate this data. It also shows an example implementation of how to obtain and process the motions of an aXbo user with the CCC Sputnik hardware platform.

The aXbo sleep phase alarm clock

Naturally each person has his/her own individual sleeping pattern, but there are some factors that mark the sleep of a healthy grown-up.


Sleep cycles


  • Each person goes through various sleeping cycles during sleep.
  • Each sleeping cycle, which lasts approx. 90 to 110 minutes, alternates with deep-sleep, light-sleep and REM-sleep.
  • REM (Rapid Eye Movement) is the phase in which you dream. Sleep gets less deep towards the morning and REM phases get distinctly longer.
  • There are also sleeping differences between the sexes. Women move more in their sleep but less intensively, whereas men move less but more intensively.
  • Both REM and deep sleeping phases are marked by almost no movements. If you move from a deep sleeping phase into a REM-phase and from a REM-phase into a deep sleeping phase your body movements get more active.


This is where aXbo comes in. The physical activity that characterises the various sleep phases is monitored, so that aXbo is able to calculate the optimal point at which to wake you. (taken from: http://www.axbo.com)

Hardware and software of the aXbo sleep phase alarm clock system

To measure the physical activity of a user, the aXbo uses wireless motion sensors. These are worn in a wrist wrap. The aXbo can handle up to two motion sensors to wake two persons based on their individual sleep cycles:


aXbo with motion sensor


The hardware of a motion sensor

A motion sensor, which is put into the wrist band, consists of the following hardware components:

  • Nordic Semiconductors NRF2402 2.4 GHz active RFID transmitter
  • main controller MSP430F1101A
  • two tip over switches, one for movements in X and one for movements in Y direction
  • a button to register the sensor with the aXbo and to disable an alarm
  • a CR2032 button cell that is soldered in place and therefore not easily exchangeable (lasts for about a year)

Here are some pictures from the inside of one of these motion sensors:

motion sensor for person 2


motion sensor for person 2

The hardware of the aXbo sleep phase clock main unit

aXbo main unit


The aXbo sleep phase alarm clock main unit consists mainly of:

  • Nordic Semiconductors NRF2401A transceiver
  • main controller MSP430F436
  • flash memory
  • 3 AAA rechargeable batteries
  • loud speaker
  • blue background light


Here are some pictures from the inside of the aXbo main unit:

aXbo from inside


aXbo from inside


The PC software for the aXbo sleep phase clock

During the night the aXbo also records your motions. It can hold data for about 2 weeks before the oldest data is automatically overwritten. The following picture shows an example of the Windows-only software used to read out and analyze your motions while you are asleep:

aXbo PC software


The screenshot shows the movements of one person for the different directions in different colours. There seems to be a maximum of 100 recordable movements.


The aXbo protocol

The motion sensors transmit the movement data to the aXbo main unit. An NRF2402 transmitter is used to send the data wirelessly. It is suggested to read the datasheet of the NRF2402 before reading on, as chip-specific functions like address and CRC calculations are mentioned. The following information has been obtained by intercepting transmissions of such a wireless motion sensor.

Setup parameters of the motion sensors

The basic setup (configuration word) of the NRF2402 transmitter in each motion sensor is (person independent):

  • Freq. channel: 49
  • Transmit power: -10 dBm
  • Crystal frequency: 16 MHz
  • Data rate: 1 Mbps
  • ShockBurst: enabled
  • CRC: 16 bit CRC generation enabled
  • OnChip preamble: generation enabled


The basic transmission parameters for one package (6 bytes each) for each motion sensor are (person independent):

  • Address width: 2 bytes
  • Address: 0xBB 0xBB
  • Payload length: 4 bytes

Protocol of the motion sensors

Motions and button presses result in packages being transmitted by the motion sensor. The same package is not sent just once but many times, to ensure successful transmission even in case of collisions on the air. As mentioned earlier, the payload is 4 bytes. The order of the bytes is the order in which they are read out from the buffer of an NRF2402 air-compatible chip (e.g. NRF24L01).

byte  function
0     movements y direction
1     movements x direction
2     package number / person indicator
3     package type


Movements bytes 0-1:

The number of movements can be determined by adding the lower 4 bits of the transmitted byte to the higher 4 bits. Example of a typical transmission in hex notation:

BC441241

BC are the movements for the y direction and 44 are the movements for the x direction. B+C=17 movements in y direction since the last transmitted package and 4+4=8 movements in x direction since the last transmitted package.


Package type byte 3:

This number describes what type of package was received. So far the following package types have been identified and verified:


  • 0x40: movement (burst)

A movement has been detected after a long period (a few seconds) in which no movements were detected. The same package is sent many times (32) with rising package number.

  • 0x41: repeated movement

A movement is still going on, and the movements in bytes 0-1 tell how often the person moved since the last package. The same package is sent many times (~5) with the same package number.

  • 0x44: button pressed (burst)

The button was pressed and released shortly afterwards. The package also contains the movement data since the last package. The same package is sent many times (32) with rising package number.

  • 0x45: sensor unregistered / disabled (burst)

The button was pressed and held for a long time. This lets the aXbo detect that the sensor was disabled (e.g. you do not need the 2nd person sensor). After this the sensor goes into a deep sleep mode, in which no packages are sent at all until it is registered again. The package also contains the movement data since the last package. The same package is sent many times (32) with rising package number.

  • 0x46: sensor registered / enabled (burst)

The button was pressed and held for a long time. This lets the aXbo detect that the sensor was enabled (e.g. you enabled the 2nd person sensor). After this the sensor leaves the deep sleep mode, in which no packages are sent at all until it is registered. The package also contains the movement data since the last package. The same package is sent many times (32) with rising package number.

  • 0x47: button pressed and change of package number sequence (burst)

This changes the sequence numbering of the package number. See package number description.


Package number byte 2:

The package number has two functions. It lets you keep track of how many packages have been transmitted, and it tells you which person's sensor the package was transmitted from.


Keeping track of the packages:

The sensor has an internal package counter. It counts 32 packages and then starts over again. The ranges for these numbers depend on which person the sensor belongs to (see below). For package types with bursts (see above) the whole range of possible package numbers is sent, but the internal package counter is only increased by one, as a burst is counted as one package.

Example of consecutive messages:

11000040  (sent 32 times with all package numbers from 0x00-0x1F)
…               package counter + 1 (=0x09)
11001F40

12000941  (sent ~5 times with same package number / package counter)
…               package counter + 1 (=0x0A)
12000941

22000A41  (sent ~5 times with same package number / package counter)
…               package counter + 1 (=0x0B)
22000A41

11000040  (sent 32 times with all package numbers from 0x00-0x1F)
…               package counter + 1 (=0x0C)
11001F40

21000C41  (sent ~5 times with same package number / package counter)
…               package counter + 1 (=0x0C)
21000C41


Sensor identification:

The package number also tells you which person's sensor the package came from. Each person has different ranges of package numbers, identifying them:

Package number ranges for sensor of person 1:

0x00…0x1F or 0x40…0x5F or 0x80…0x9F or 0xC0…0xDF

Package number ranges for sensor of person 2:

0x20…0x3F or 0x60…0x7F or 0xA0…0xBF or 0xE0…0xFF
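
The payload layout described above, as a decoder in C. This is an added example, not code from the original page: the struct and function names are its own, the person/range/counter split reads the listed ranges as bit 5, bits 7-6 and bits 4-0 of byte 2, and the rule for folding retransmissions into one event is an assumption built from the burst and repeat descriptions. The sample capture is constructed.

```c
#include <stdint.h>
#include <stdio.h>

struct axbo_pkt {                     /* field names are this example's own */
    unsigned y, x;                    /* movements: high + low nibble of bytes 0, 1 */
    unsigned person, range, counter;  /* 1|2, 0..3, 0..31: all taken from byte 2 */
    uint8_t  type;                    /* byte 3 */
};

/* Returns 0, or -1 when byte 3 is not one of the six types listed on the page. */
int axbo_decode(const uint8_t p[4], struct axbo_pkt *o)
{
    if (p[3] != 0x40 && p[3] != 0x41 && (p[3] < 0x44 || p[3] > 0x47))
        return -1;
    o->y = (p[0] >> 4) + (p[0] & 0x0F);  /* 0xBC -> 0xB + 0xC = 0x17 (23 decimal) */
    o->x = (p[1] >> 4) + (p[1] & 0x0F);
    o->person  = (p[2] & 0x20) ? 2 : 1;  /* 0x20-0x3F, 0x60-0x7F, ... = person 2 */
    o->range   = p[2] >> 6;
    o->counter = p[2] & 0x1F;
    o->type    = p[3];
    return 0;
}

/* Counts events, folding retransmissions (assumed rule): 0x41 repeats keep the
   package number, burst types raise it; gaps from lost packages are accepted. */
unsigned axbo_count_events(const uint8_t rx[][4], unsigned n)
{
    struct axbo_pkt prev = {0}, cur = {0};   /* type 0 never matches a real package */
    unsigned events = 0;
    for (unsigned i = 0; i < n; i++) {
        if (axbo_decode(rx[i], &cur) != 0) continue;   /* unknown type: skip */
        int cont = cur.type == prev.type && cur.y == prev.y && cur.x == prev.x
            && cur.person == prev.person && cur.range == prev.range
            && (cur.type == 0x41 ? cur.counter == prev.counter
                                 : cur.counter > prev.counter);
        events += !cont;
        prev = cur;
    }
    return events;
}

static const uint8_t sample[][4] = {   /* constructed capture, not real data */
    {0x11,0x00,0x00,0x40}, {0x11,0x00,0x01,0x40}, {0x11,0x00,0x1F,0x40},
    {0x12,0x00,0x09,0x41}, {0x12,0x00,0x09,0x41}, {0xBC,0x44,0x32,0x41} };

int main(void)
{
    printf("%u events\n", axbo_count_events(sample, sizeof sample / sizeof sample[0]));
    return 0;
}
```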


The CCC Sputnik

To read the data from the aXbo motion sensor, the CCC Sputnik hardware can be used (http://www.openbeacon.org). It is a PIC16F684 with an NRF24L01 RFID chip on one PCB:


CCC Sputnik transceiver tag


As all the layouts, designs and software are open source, this document does not describe them here but refers to the link mentioned above. To connect the Sputnik to the PC, a PL2303-based USB/serial adapter was used. The cable was cut and the power supply from the USB port was used to power the Sputnik and a level converter that provides RS232 levels. As the Sputnik only supports up to 3.6 V, 3 diodes were used to reduce the voltage to about 3.3 V. The following pseudo schematic shows this circuit:


CCC Sputnik PC connection


This is a picture of such a system on a proto board:


the circuit on a proto board ready to use


Air compatibility of the NRF24L01

Officially, the NRF24L01 cannot be set up with the parameters mentioned above, because it does not allow an address width of 2 bytes. The official minimum address width is 3 bytes. The datasheet defines the state ‘00’ for the address width as illegal. In fact this isn’t really true! This is the state for an address width of 2 bytes.

Example Code

The reference source code is a simple example for initializing the NRF24L01 of the Sputnik and putting it into receive mode to receive all packages from the aXbo motion sensors.
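
A sketch of such an initialisation, as an added example that is not the reference source code referred to here: it turns the sensor parameters listed earlier into NRF24L01 register writes, including the address-width state ‘00’. Register addresses and bit positions are from the NRF24L01 datasheet; the struct and function names are this example's own, and the SPI transfer itself and the CE pin are left to the platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct rx_params { uint8_t channel, addr_width, payload_len, crc_bytes, addr[5]; };
struct frame     { uint8_t len, b[6]; };      /* one SPI transaction (CSN low) */

/* The aXbo sensor parameters as listed on the page. */
static const struct rx_params AXBO = { 49, 2, 4, 2, { 0xBB, 0xBB } };

static void reg1(struct frame *f, uint8_t reg, uint8_t val)
{
    f->len = 2;
    f->b[0] = 0x20 | reg;                     /* W_REGISTER command + address */
    f->b[1] = val;
}

/* Fills f[0..7] with register writes for 1 Mbps receive mode.
   Returns the frame count, or 0 for parameters outside the register ranges. */
unsigned nrf24l01_rx_setup(const struct rx_params *p, struct frame f[8])
{
    if (p->addr_width < 2 || p->addr_width > 5 || p->channel > 125 ||
        p->payload_len < 1 || p->payload_len > 32 || p->crc_bytes > 2)
        return 0;
    reg1(&f[0], 0x01, 0x00);                  /* EN_AA: auto-ack off, sensor is TX only */
    reg1(&f[1], 0x02, 0x01);                  /* EN_RXADDR: pipe 0 only */
    reg1(&f[2], 0x03, p->addr_width - 2);     /* SETUP_AW: 2 bytes -> '00' per the page */
    reg1(&f[3], 0x05, p->channel);            /* RF_CH */
    reg1(&f[4], 0x06, 0x07);                  /* RF_SETUP: RF_DR = 0 (1 Mbps), LNA on */
    reg1(&f[5], 0x11, p->payload_len);        /* RX_PW_P0 */
    f[6].len = 1 + p->addr_width;             /* RX_ADDR_P0 */
    f[6].b[0] = 0x20 | 0x0A;
    memcpy(&f[6].b[1], p->addr, p->addr_width);
    reg1(&f[7], 0x00, 0x03                    /* CONFIG: PWR_UP | PRIM_RX */
         | (p->crc_bytes ? 0x08 : 0)          /* EN_CRC */
         | (p->crc_bytes == 2 ? 0x04 : 0));   /* CRCO: 16 bit CRC */
    return 8;
}

int main(void)
{
    struct frame f[8];
    unsigned n = nrf24l01_rx_setup(&AXBO, f);
    for (unsigned i = 0; i < n; i++) {
        for (unsigned j = 0; j < f[i].len; j++) printf("%02X ", f[i].b[j]);
        putchar('\n');
    }
    return 0;    /* on hardware, CE is raised after the last write to start listening */
}
```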