How I hacked the Google Daydream Controller
Rome, December 11th 2016
ABOUT
I am Matteo Pisani, CTO and co-founder of Remoria VR (www.remoriavr.com), a startup committed to developing input devices for mobile virtual reality.
Creative, curious and inspired software developer with a hacking attitude and a strong disposition toward reverse engineering. I have gained several years of experience in IoT, embedded systems development and in bridging the gap between the physical reality and the digital world.
E-mail: matteo.pisani@reamoriavr.com
LinkedIn: https://it.linkedin.com/in/matteopisani
www.remoriavr.com
ABSTRACT
Mobile virtual reality is growing rapidly. The Google Daydream platform was launched just last month, and it suggested that compelling VR experiences might become widely accessible to consumers sooner than expected. Today, solutions like smartphone + headset + Bluetooth controller are highly appreciated by developers, media and entertainment companies, but there is one problem: compatibility. As announced, the Daydream controller pairs only with a handful of Daydream-ready smartphones running Android 7.0 Nougat. Moreover, as reported by Clay Bavor (VP, Virtual Reality at Google), Google Daydream "is not currently compatible with iOS and won't be for several years probably."
Since I like challenges, I decided to hack the Google Daydream controller using code, reverse-engineering skills and some math, to extend its compatibility to Apple iOS devices as well: it was a success.
The Google Daydream controller works via Bluetooth LE (Low Energy), but I wasn't able to discover it in the Bluetooth settings of my iPhone 5, so I used BlueCap (github.com/troystribling/BlueCapapp), which makes it easy to implement Central and Peripheral applications, serialize and deserialize messages exchanged with Bluetooth devices, and define reusable GATT profile definitions.
ANALYSIS
I had a look at the data available for each Service: there were known services like Device Information and Battery, but I also found something interesting inside an unknown one, FE55:
As soon as I explored the first Characteristic with the UUID 00000001-1000-1000-8000-00805f9b34fb and turned on Notifications, BlueCap started showing BLE packets. Waving the Daydream controller in the air, I could see the incoming data changing in real time. The same happened when touching the pad on top or pressing the buttons at random.
According to the Bluetooth LE standard, each packet should carry 20 bytes (the default ATT MTU of 23 bytes minus the 3-byte notification header):
7be85b3ff13b48003bf1ffa00000000000000070
The packet anatomy revealed that the payload was encoded and displayed in hexadecimal notation. Behind the opaque data lay the whole status of the controller, including accelerometer, gyroscope, magnetometer, touchpad, buttons and more.
The first step was to set up a testing environment to facilitate all the debugging. I decided to start from scratch: I developed a sandbox with Apple Xcode (working on a MacBook Pro) and an iOS app (with some Objective-C) that included the CoreBluetooth framework (CoreBluetooth/CoreBluetooth.h, developer.apple.com/reference/corebluetooth). Thanks to this, I could establish and manage communications and data flows over the Bluetooth GATT protocol.
After selecting the Service FE55 and requesting notifications for the Characteristic 00000001-1000-1000-8000-00805f9b34fb, I was able to see the data output flowing through the console:
ENVIRONMENT
Once the data was collected and properly decoded, I decided to represent it in a 3D view. So I migrated all the iOS native code to a hybrid environment, wrapping it all into a Cordova plugin: thanks to this process, I was able to save time and perform several optimizations.
The use of JavaScript reduced the overall complexity, sped up the experiments and allowed me to improve the data visualization, also thanks to the amazing A-Frame WebGL framework (aframe.io), embedded inside an HTML5+CSS3 view.
(figure: the environment stack)
With Blender, the open-source 3D creation suite, I was able to edit a bulky Google Daydream controller model found on the internet, making it suitable for my purpose. After editing, I exported it to an A-Frame compliant format (*.obj).
In a few lines of code, I was able to finish the whole setup, and this was the result:
REVERSING
Now for the hardest part: understanding the raw data. Starting from an average knowledge of hexadecimal to decimal conversion, I split the 40 characters into 20 chunks of 2 characters and then converted them to binary:
7b e8 5b 3f f1 3b 48 00 3b f1 ff a0 00 00 00 00 00 00 00 70
I just wanted to give it a try, so I tested an online hexadecimal to decimal converter and this was the output. Later, I also tried the decimal to binary converter.
Bringing everything to JavaScript:
var rawdata = "7be85b3ff13b48003bf1ffa00000000000000070", bitchain = "";
// Take each 2-character hex chunk, parse it as a byte and append its binary form.
// Note: toString(2) drops leading zeros, so bytes below 0x80 contribute fewer than 8 bits.
for (var i = 2; i <= 40; i += 2)
    bitchain += parseInt(rawdata.slice(i - 2, i), 16).toString(2);
console.log(bitchain, 'length: ' + bitchain.length);
The expected output was a 160-bit chain (8 bits * 20 chunks) for each packet:
1111011111010001011011111111111100011110111001000011101111110001111111111010000000000001110000
length: 94
I got only 94 bits instead of the expected 160, so I realized that something was wrong.
Digging into the issue, I found that the hexadecimal values converted to bits sometimes produced results shorter than 8 digits; in other words, they were not padded to groups of 8. Zero-padding each chunk to 8 bits solved the problem.
Once I added the zeropad method and changed the code to:
function zeropad(n, width, z)
{
    // Left-pad the string form of n with z (default '0') up to width characters.
    z = z || '0';
    n = n + '';
    return n.length >= width ? n : new Array(width - n.length + 1).join(z) + n;
}
var rawdata = "7be85b3ff13b48003bf1ffa00000000000000070", bitchain = "";
// Every byte now contributes exactly 8 bits, so the chain is always 160 bits long.
for (var i = 2; i <= 40; i += 2)
    bitchain += zeropad(parseInt(rawdata.slice(i - 2, i), 16).toString(2), 8);
console.log(bitchain, 'length: ' + bitchain.length);
This time the result was the expected one:
0111101111101000010110110011111111110001
0011101101001000000000000011101111110001
1111111110100000000000000000000000000000
0000000000000000000000000000000001110000
length: 160
After a couple of sleepless nights I started to give a shape to this mesmerizing bitchain: a comprehensive knowledge of IMU (Inertial Measurement Unit) and MEMS (Micro-Electro-Mechanical Systems) sensors, paired with great patience and good observation skills, helped me figure out the sense of what was happening.
The crucial points were:
observe all the oscillating bits;
play a little more with offsets.
This allowed me to recognize, extract and categorize the values. I reported all of them below:
SENSORS (12 bits for the value + 1 bit for the sign)
// bitchain is the 160-bit string built above; each axis is a 13-bit field.
// parseInt(..., 2) reads the field as an unsigned number, so the sign bit is not applied here.
var gyroscope =
{
    x : parseInt(bitchain.slice(14, 27), 2),
    y : parseInt(bitchain.slice(27, 40), 2),
    z : parseInt(bitchain.slice(40, 53), 2)
};
var magnetometer =
{
    x : parseInt(bitchain.slice(53, 66), 2),
    y : parseInt(bitchain.slice(66, 79), 2),
    z : parseInt(bitchain.slice(79, 92), 2)
};
var accelerometer =
{
    x : parseInt(bitchain.slice(92, 105), 2),
    y : parseInt(bitchain.slice(105, 118), 2),
    z : parseInt(bitchain.slice(118, 131), 2)
};
TOUCHPAD (8 bits for the value)
// Kept as 8-character bit strings.
var touchpad =
{
    x : bitchain.slice(131, 139),
    y : bitchain.slice(139, 147)
};
BUTTONS (1 bit for the value)
// One-character bit strings, one per button.
var buttons =
{
    app : bitchain.slice(147, 148),
    home : bitchain.slice(148, 149),
    volumeUp : bitchain.slice(149, 150),
    volumeDown : bitchain.slice(150, 151),
    touchClick : bitchain.slice(151, 152)
};
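As an added example (not the author's code), the following decoder carries the whole procedure above through in one place: it validates the 40-character hex notification, builds the zero-padded 160-bit chain, cuts it at the offsets listed above and runs on the sample packet quoted earlier. It goes beyond the page in one respect, which is an assumption: each 13-bit sensor field is interpreted as two's complement, so the sign bit yields negative values.

```javascript
// Added example: decoder for the Daydream controller notification described above.
// Assumption (not stated on the page): each 13-bit sensor field is two's complement,
// so the sign bit makes values in 4096..8191 negative. Field offsets are the page's.

// Build the 160-bit chain from a 40-char hex string, zero-padding every byte to 8 bits.
function hexToBitchain(hex) {
  if (typeof hex !== 'string' || !/^[0-9a-fA-F]{40}$/.test(hex)) {
    throw new Error('expected a 20-byte (40 hex character) notification payload');
  }
  var bitchain = '';
  for (var i = 0; i < 40; i += 2) {
    bitchain += parseInt(hex.slice(i, i + 2), 16).toString(2).padStart(8, '0');
  }
  return bitchain; // always 160 characters
}

// Unsigned integer from a slice of the bit chain.
function field(bitchain, start, len) {
  return parseInt(bitchain.slice(start, start + len), 2);
}

// 13-bit field: 12 value bits + 1 sign bit, read as two's complement (assumption).
function signed13(bitchain, start) {
  var v = field(bitchain, start, 13);
  return v >= 0x1000 ? v - 0x2000 : v;
}

// Three consecutive 13-bit axes starting at bit offset `start`.
function triplet(bitchain, start) {
  return {
    x: signed13(bitchain, start),
    y: signed13(bitchain, start + 13),
    z: signed13(bitchain, start + 26)
  };
}

function decodeDaydreamPacket(hex) {
  var b = hexToBitchain(hex);
  return {
    gyroscope: triplet(b, 14),      // bits 14..52
    magnetometer: triplet(b, 53),   // bits 53..91
    accelerometer: triplet(b, 92),  // bits 92..130
    touchpad: {                     // 8 unsigned bits per axis
      x: field(b, 131, 8),
      y: field(b, 139, 8)
    },
    buttons: {                      // 1 bit each, true when the bit is set
      app: b[147] === '1',
      home: b[148] === '1',
      volumeUp: b[149] === '1',
      volumeDown: b[150] === '1',
      touchClick: b[151] === '1'
    }
  };
}

// Sample packet quoted on the page, used here as constructed input.
var SAMPLE_PACKET = '7be85b3ff13b48003bf1ffa00000000000000070';

console.log(JSON.stringify(decodeDaydreamPacket(SAMPLE_PACKET), null, 2));
```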
Once I achieved this goal, I tried to use all these data to give a coherent orientation to the 3D Google Daydream controller model through the A-Frame canvas: unfortunately, the output on the screen was a tilting controller with meaningless movements.
<a-scene>
  <a-camera id="camera" position="0 0 10"></a-camera>
  <a-sky color="#4E4E4E"></a-sky>
  <a-entity id="daydream"
    obj-loader="src: url(./DayDream_Controller.obj);
                mtl: url(./DayDream_Controller.mtl);"
    position="0 0 0"
    rotation="0 0 0"
    scale="0.1 0.1 0.1">
  </a-entity>
</a-scene>
<script>
  // Naive attempt: feed the raw axis values straight into the entity rotation.
  document.querySelector('a-entity[id=daydream]')
    .setAttribute('rotation',
      GoogleDayDreamController.getZ() + ' ' +
      GoogleDayDreamController.getY() + ' ' +
      GoogleDayDreamController.getX()
    );
</script>
TOOLS
Reversing some of the *.apk files of the Google VR Services (found inside the Google Pixel OS, which allow native communication with the Google Daydream controller via BLE), I was able to get my hands on useful information.
Through reverse engineering of the Android Java app using apktool, dex2jar and jd-gui to convert the *.apk file to .java, it was possible to:
understand how a particular UI in an app is constructed;
read AndroidManifest.xml, permissions, activities, intents etc. in the app;
discover native libraries and images used in that app;
find obfuscated code (the Android SDK, by default, uses the ProGuard tool, which shrinks, optimizes and obfuscates the code by removing unused code and renaming classes, fields and methods with semantically obscure names).
The tools I used:
ApkTool (from http://code.google.com/p/android-apktool/)
To extract AndroidManifest.xml and everything in the res folder (layout XML files, images, HTML used in WebViews etc.), run the following command:
apktool d sampleAndroidApp.apk
It also extracts the .smali files of all .class files, but these are difficult to read.
Dex2jar (from http://code.google.com/p/dex2jar/)
To generate a .jar file from the *.apk file (we then need JD-GUI to view the source code from this .jar), run the following command:
dex2jar sampleAndroidApp.apk
JD-GUI (from http://java.decompiler.free.fr/?q=jdgui)
It decompiles the .class files (obfuscated in the case of an Android app, but readable original code is obtained in the case of other .jar files), i.e. we get .java back from the application. Just run the jd-gui executable for your OS and then File->Open to view the Java code from the .jar or .class file.
In particular, I found interesting information inside:
com.google.android.vr.home.apk
com.google.vr.vrcore.apk
Collecting all my developer thoughts and making them fit together, I realized that the best solution was to use the AHRS (Attitude and Heading Reference System) calculation for JavaScript (npmjs.com/package/ahrs).
This calculates the attitude and heading for a device with all of the following sensors: magnetometer, gyroscope and accelerometer. The Madgwick or Mahony algorithms can be used to filter data in real time from these sensors, obtaining great accuracy.
<script>
  var AHRS = require('ahrs');
  var madgwick = new AHRS({
    /*
     * The sample interval, in Hz.
     */
    sampleInterval: 60,
    /*
     * Choose from the `Madgwick` or `Mahony` filter.
     */
    algorithm: 'Madgwick',
    /*
     * The filter noise value, smaller values have
     * smoother estimates, but have higher latency.
     * This only works for the `Madgwick` filter.
     */
    beta: 0.4,
    /*
     * The filter noise values for the `Mahony` filter.
     */
    kp: 0.5,
    ki: 0
  });
  // Feed one sample of the three sensors to the filter (the ahrs filter expects
  // gyroscope rates in rad/s, so the raw 13-bit counts need scaling first).
  madgwick.update(gyroscope.x, gyroscope.y, gyroscope.z,
                  accelerometer.x, accelerometer.y, accelerometer.z,
                  magnetometer.x, magnetometer.y, magnetometer.z);
  var euler = madgwick.getEulerAnglesDegrees();
</script>
The getEulerAnglesDegrees method returns an object with the Euler angles (heading/yaw, pitch, roll), in degrees.
The returned object contains:
heading: from north, going west (about the z-axis);
pitch: from vertical, going forward (about the y-axis);
roll: from vertical, going right (about the x-axis).
Finally, I was able to set the model orientation to the right coordinates:
<script>
  // Apply the filtered Euler angles to the A-Frame entity.
  document.querySelector('a-entity[id=daydream]')
    .setAttribute('rotation',
      euler.heading + ' ' +
      euler.pitch + ' ' +
      euler.roll
    );
</script>
RESULT
"A picture is worth a thousand words" (think of a video!).
The result was brilliant, as you can see in the YouTube video below, which I recorded to show the potential of the entire hack:
www.youtube.com/watch?v=QKNWqBFlR1M
The responsiveness is extremely fluid; as for the PPS (packets per second) parameter, ~60 are enough to cover a VR game or a 3D experience as well.
CONCLUSION
The scenarios that this hack opens up are various. Now that the secret sauce has been exposed and compatibility extended to iOS devices, it is possible to replicate the job to include all the desktop platforms. This would help developers debug their own software in a desktop environment, without having to deploy an app on the smartphone every time. On the Android side, this hack will unleash the whole potential of the Daydream controller, as it would no longer be restricted to Android 7.0 Nougat. In this perspective, it is possible to see the Daydream controller working with older versions of the Android OS. On the other hand, binding this controller with open-source platforms like Raspberry Pi or Arduino will extend the horizons of makers and creatives. Can you imagine using the Daydream controller to pilot your drone or your RC car, playing a virtual drum set or maybe making some sounds with a virtual synth?
www.remoriavr.com
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 

How I hacked the Google Daydream controller

  • 3. ANALYSIS

I had a look at the data available for each Service: there were known services like Device Information and Battery, but I also found something interesting inside an unknown one, FE55. As soon as I explored its first Characteristic, UUID 00000001-1000-1000-8000-00805f9b34fb, and turned Notifications on, BlueCap started showing BLE packets. Waving the Daydream controller in the air, I could see the incoming data changing in real time. The same happened when touching the pad on top or pressing the buttons. According to the Bluetooth LE standard each packet should weigh 20 bytes:

  7be85b3ff13b48003bf1ffa00000000000000070

The packet anatomy revealed that they were encoded and represented in hexadecimal notation. Behind the masked data lay the whole status of the controller, including accelerometer, gyroscope, magnetometer, touchpad, buttons and more.

  • 4. ENVIRONMENT

The first step was to set up a testing environment to facilitate all the debugging. I decided to start from scratch: I developed a sandbox with Apple Xcode (working on a MacBook Pro) and an iOS app (in Objective-C) that included the CoreBluetooth framework, CoreBluetooth/CoreBluetooth.h (developer.apple.com/reference/corebluetooth). Thanks to this, I could establish and manage communications and data flows over the Bluetooth GATT protocol. After choosing Service FE55 and requesting notifications for Characteristic 00000001-1000-1000-8000-00805f9b34fb, I was able to get the data output flowing through the console:

Once the data was collected and properly decoded, I decided to represent it in a 3D view. So I migrated all the iOS native code to a hybrid environment, wrapping it all into a Cordova plugin: thanks to this process I saved time and performed several optimizations. The use of JavaScript reduced the overall complexity, sped up the experiments and allowed me to improve the data visualization, also thanks to the amazing A-Frame WebGL framework (aframe.io) embedded inside an HTML5+CSS3 view.

(figure: the environment stack)
  • 5. With Blender, the open-source 3D creation suite, I edited a bulky Google Daydream controller model found on the internet, making it suitable for my purpose. After editing, I exported it to an A-Frame compliant format (*.obj). In a few lines of code I finished the whole setup, and this was the result:
  • 6. REVERSING

Now for the hardest part: understanding the raw data. Starting from an average knowledge of hexadecimal to decimal conversion, I split the 40 characters into 20 chunks of 2 characters, then converted them to binary:

  7b e8 5b 3f f1 3b 48 00 3b f1 ff a0 00 00 00 00 00 00 00 70

I just wanted to give it a try, so I tested an online hexadecimal to decimal converter, and this was the output. Later I also tried the decimal to binary converter. Bringing everything to JavaScript:

  // first attempt: no zero padding, so bytes below 0x80 yield fewer than 8 bits
  var rawdata = "7be85b3ff13b48003bf1ffa00000000000000070", bitchain = "";
  for (var i = 2; i <= 40; i += 2)
    bitchain += parseInt(rawdata.slice(i - 2, i), 16).toString(2);
  console.log(bitchain, 'length: ' + bitchain.length);

The expected output was a 160-bit chain (8 bits * 20 chunks) for each packet:

  11110111110100010110111111111111000111101110010
  00011101111110001111111111010000000000001110000
  length: 94

I got only 94 bits instead of the expected 160, so I realized that something was wrong. Digging into the issue, I found that the hexadecimal values converted to bits sometimes produced results shorter than 8 digits; in other words, they were not padded into groups of 8. Zero-padding to 8 solved all the problems. Once I added the zeropad method and changed the code to:
  • 7.
  // left-pad a value with z (default '0') up to width characters
  function zeropad(n, width, z) {
    z = z || '0';
    n = n + '';
    return n.length >= width ? n : new Array(width - n.length + 1).join(z) + n;
  }
  var rawdata = "7be85b3ff13b48003bf1ffa00000000000000070", bitchain = "";
  for (var i = 2; i <= 40; i += 2)
    bitchain += zeropad(parseInt(rawdata.slice(i - 2, i), 16).toString(2), 8);
  console.log(bitchain, 'length: ' + bitchain.length);

this time the result was correct:

  0111101111101000010110110011111111110001
  0011101101001000000000000011101111110001
  1111111110100000000000000000000000000000
  0000000000000000000000000000000001110000
  length: 160

After a couple of sleepless nights I started to give a shape to this mesmerizing bit chain: a comprehensive knowledge of IMU (Inertial Measurement Unit) and MEMS (Micro Electro-Mechanical Systems) sensors, paired with great patience and good observation skills, helped me figure out what was happening. The crucial points were: observe all the oscillating bits; play a little more with offsets. This allowed me to recognize, extract and categorize the values. I report all of them below.

SENSORS (12 bits for the value + 1 bit for the sign)
  • 8.
  // bitchain is the 160-bit string built above; each sensor axis is a 13-bit field
  var gyroscope = {
    x : parseInt(bitchain.slice(14, 27), 2),
    y : parseInt(bitchain.slice(27, 40), 2),
    z : parseInt(bitchain.slice(40, 53), 2)
  };
  var magnetometer = {
    x : parseInt(bitchain.slice(53, 66), 2),
    y : parseInt(bitchain.slice(66, 79), 2),
    z : parseInt(bitchain.slice(79, 92), 2)
  };
  var accelerometer = {
    x : parseInt(bitchain.slice(92, 105), 2),
    y : parseInt(bitchain.slice(105, 118), 2),
    z : parseInt(bitchain.slice(118, 131), 2)
  };

TOUCHPAD (8 bits for the value)

  var touchpad = {
    x : parseInt(bitchain.slice(131, 139), 2),
    y : parseInt(bitchain.slice(139, 147), 2)
  };

BUTTONS (1 bit for the value)

  // each button is a single '0' / '1' character
  var buttons = {
    app : bitchain.slice(147, 148),
    home : bitchain.slice(148, 149),
    volumeUp : bitchain.slice(149, 150),
    volumeDown : bitchain.slice(150, 151),
    touchClick : bitchain.slice(151, 152)
  };

Once I achieved this goal, I tried to manipulate all this data to give a coherent orientation to the 3D Google Daydream controller model through the A-Frame canvas: unfortunately the output on the screen was a tilting controller with meaningless movements.
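The whole pipeline from slides 6 to 8 (hex packet, zero-padded bit chain, field extraction) as one runnable decoder, added here as an example and not the deck's own code. It rejects packets that are not 20 bytes, and the `toSigned13` helper is an assumption about the sign convention that the slides do not spell out.

```javascript
'use strict';
// Added example (not the deck's own code): the slide 6-8 pipeline as one decoder.
// Bit offsets come from slides 7-8; the sample packet is the one captured on slide 3.

// Hex string -> 160-bit string, each byte zero-padded to 8 bits (the slide 7 fix).
// Rejects anything that is not a 20-byte packet, the length the slides expect.
function hexToBits(hex) {
  if (!/^[0-9a-fA-F]{40}$/.test(hex)) {
    throw new Error('expected 20 bytes as 40 hex chars, got ' + hex.length);
  }
  let bits = '';
  for (let i = 0; i < hex.length; i += 2) {
    bits += parseInt(hex.slice(i, i + 2), 16).toString(2).padStart(8, '0');
  }
  return bits;
}

// One 13-bit sensor field (12 value bits + 1 sign bit per slide 7), read as an
// unsigned integer exactly like the slide 8 code does.
function field13(bits, start) {
  return parseInt(bits.slice(start, start + 13), 2);
}

// Assumption: the 13-bit field is two's complement. The slides only say
// "12 bits for the value + 1 bit for the sign"; sign-magnitude is the alternative.
function toSigned13(v) {
  return v >= 4096 ? v - 8192 : v;
}

function decodePacket(hex) {
  const b = hexToBits(hex);
  return {
    gyroscope:     { x: field13(b, 14),  y: field13(b, 27),  z: field13(b, 40) },
    magnetometer:  { x: field13(b, 53),  y: field13(b, 66),  z: field13(b, 79) },
    accelerometer: { x: field13(b, 92),  y: field13(b, 105), z: field13(b, 118) },
    touchpad:      { x: parseInt(b.slice(131, 139), 2), y: parseInt(b.slice(139, 147), 2) },
    buttons: {
      app: b[147] === '1', home: b[148] === '1', volumeUp: b[149] === '1',
      volumeDown: b[150] === '1', touchClick: b[151] === '1',
    },
    // bits 152-159 are not assigned on the slides; kept for inspection
    trailing: b.slice(152),
  };
}

// Constructed usage: the packet captured on slide 3.
const SAMPLE_PACKET = '7be85b3ff13b48003bf1ffa00000000000000070';
console.log(decodePacket(SAMPLE_PACKET));
```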
  • 9.
  <a-scene>
    <a-camera id="camera" position="0 0 10"></a-camera>
    <a-sky color="#4E4E4E"></a-sky>
    <a-entity id="daydream"
      obj-loader="src: url(./DayDream_Controller.obj); mtl: url(./DayDream_Controller.mtl);"
      position="0 0 0" rotation="0 0 0" scale="0.1 0.1 0.1">
    </a-entity>
  </a-scene>
  <script>
    // GoogleDayDreamController is the plugin object exposing the decoded values;
    // an A-Frame rotation attribute is "x y z" in degrees
    document.querySelector('a-entity[id=daydream]')
      .setAttribute('rotation', GoogleDayDreamController.getZ() + ' ' +
                                GoogleDayDreamController.getY() + ' ' +
                                GoogleDayDreamController.getX());
  </script>

Reversing some of the *.apk files of the Google VR Services (found inside the Google Pixel OS, which allow native communication with the Google Daydream controller via BLE), I got my hands on useful information. Through reverse-engineering of the Android Java app using apktool, dex2jar and jd-gui to convert the *.apk file to .java, it was possible to:

- understand how a particular UI in an app is constructed by reading AndroidManifest.xml, permissions, activities, intents etc. in the app;
- discover native libraries and images used in that app;
- find obfuscated code (the Android SDK, by default, uses the ProGuard tool, which shrinks, optimizes and obfuscates the code by removing unused code and renaming classes, fields and methods with semantically obscure names).

TOOLS

The tools I used: ApkTool (from http://code.google.com/p/android-apktool/) extracts AndroidManifest.xml and everything in the res folder (layout xml files, images, htmls used in webviews etc.). Run the following command:

  apktool d sampleAndroidApp.apk
  • 10. It also extracts the .smali files of all the .class files, which are difficult to read. Dex2jar (from http://code.google.com/p/dex2jar/) generates a .jar file from the *.apk file; we need JD-GUI to view the source code from this .jar. Run the following command:

  dex2jar sampleAndroidApp.apk

JD-GUI (from http://java.decompiler.free.fr/?q=jdgui) decompiles the .class files (obfuscated in the case of an Android app, but readable original code is obtained in the case of other .jar files), i.e. we get .java back from the application. Just run the jd-gui executable on your OS and then File->Open to view Java code from a .jar or .class file. In particular, I found interesting information inside:

  com.google.android.vr.home.apk
  com.google.vr.vrcore.apk
  • 11. Collecting all my developer thoughts and making them fit together, I realized that the best solution was to use the AHRS (Attitude and Heading Reference System) calculation for JavaScript (npmjs.com/package/ahrs). It calculates attitude and heading for a device with all of the following sensors: magnetometer, gyroscope and accelerometer. The Madgwick or Mahony algorithms can be used to filter data from these sensors in real time, obtaining great accuracy.
  • 12.
  <script>
    var AHRS = require('ahrs');
    var madgwick = new AHRS({
      /*
       * The sample interval, in Hz.
       */
      sampleInterval: 60,
      /*
       * Choose from the `Madgwick` or `Mahony` filter.
       */
      algorithm: 'Madgwick',
      /*
       * The filter noise value, smaller values have
       * smoother estimates, but have higher latency.
       * This only works for the `Madgwick` filter.
       */
      beta: 0.4,
      /*
       * The filter noise values for the `Mahony` filter.
       */
      kp: 0.5,
      ki: 0
    });
    // gyroscope, accelerometer and magnetometer are the objects decoded on slide 8
    // (the ahrs package expects gyroscope rates in rad/s, so raw counts need scaling first)
    madgwick.update(gyroscope.x, gyroscope.y, gyroscope.z,
                    accelerometer.x, accelerometer.y, accelerometer.z,
                    magnetometer.x, magnetometer.y, magnetometer.z);
    var euler = madgwick.getEulerAnglesDegrees();
  </script>

The getEulerAnglesDegrees method returns an object with the Euler angles (heading/yaw, pitch, roll) in degrees. The returned object contains: heading, from north going west (about the z-axis); pitch, from vertical going forward (about the y-axis); roll, from vertical going right (about the x-axis). Finally, it was possible for me to set the model orientation to the right coordinates:
  • 13. RESULT

  <script>
    document.querySelector('a-entity[id=daydream]')
      .setAttribute('rotation', euler.heading + ' ' + euler.pitch + ' ' + euler.roll);
  </script>

"A picture is worth a thousand words" (think of a video!). The result was brilliant, as you can see in the YouTube video I recorded to show the potential of the entire hack: www.youtube.com/watch?v=QKNWqBFlR1M

The responsiveness is extremely fluid: in terms of the PPS (packets per second) parameter, ~60 are enough to cover a VR game or a 3D experience as well.
  • 14. CONCLUSION

The scenarios that this hack opens up are various. Now that the secret sauce has been exposed and compatibility extended to iOS devices, it is possible to replicate the work to include all desktop platforms. This would help developers debug their own software in a desktop environment, without having to deploy an app to the smartphone every time. On the Android side, this hack unleashes the whole potential of the Daydream controller, as it is no longer restricted to Nougat 7.0. In this perspective, it is possible to see the Daydream controller working with older versions of Android. On the other hand, binding this controller to open-source platforms like Raspberry Pi or Arduino will extend the horizons of makers and creatives. Can you imagine using the Daydream controller to pilot your drone or RC car, playing a virtual drum set or making some sounds with a virtual synth?

www.remoriavr.com