Hacking the Girltech IM-ME USB Wireless device

The Girltech IM-ME is a basic USB radio transmitter paired with a small console-like handheld. It was suggested to me on the TP hacking thread I posted up a while ago. Hacking the IM-ME turned out to be an easy reverse-engineer, as there is no crypto to worry about and everything is sent as cleartext hex (everything). For $12, this makes quite a nice little wireless console device. Read on for the protocol and for info on implementing your own driver for the IM-ME instant messenger device.

After ordering the IM-ME as a filler item on Amazon (what won’t I do for super-saver shipping), I plugged it into my Linux box. It was recognized as a standard HID device. This is good, as Girltech obviously didn’t go to any great lengths to protect the communication coming off this thing. At this point, I could have either loaded up a Windows VM with a promiscuous USB driver at the host OS level, or loaded up a Windows VM with SnoopyPro installed. I went (as I usually do when reverse-engineering USB protocols) with SnoopyPro. Its output strings are quite easy to read, and traffic is colored by communication direction.

I set up a user ‘toastc2c’ with a password ‘password’. The default software install (Windows only) is basically an online multiplexer: you log into their software, which syncs with their website. Each instant message is sent to the handheld with an identifier string, which the device uses to page the different messages. This is great, as it’s pretty much arbitrary what we pipe down to the device. I figured I would need to inject some custom messages (standard protocol-breaking stuff like huge messages, repeated characters, etc.) to get a handle on the communication scheme, but that wasn’t really necessary. It turns out it’s all cleartext hex, all the time. Either initialize with a VM and inject your own messages, or copy the init strings out of the spreadsheet I post below and init/multiplex with libusb.

Here is a spreadsheet with the initialization strings and the username/password authentication exchange. This is more than enough to write an interface driver with libusb. I’m not sure about the DMCA implications of releasing a driver, but there’s a script out there to ease the process for you if you’re new to it. Note that the device receives its data one hex byte at a time, each byte padded with 0x00. My username is ‘toastc2c’, which you can see is clearly transmitted and accepted by the receiving device (IM-ME USB dongle -> console pairing). Happy hacking!

90 thoughts on “Hacking the Girltech IM-ME USB Wireless device”

  1. I was wondering about this device too, like the freq it transfers at. But your data on it makes it even easier to use. I’m definitely getting a couple but I’d have to paint it.

  2. Hey Athlor,

    Yeah, the hot pink really isn’t my style either 🙂 I’ve been meaning to get a software radio project going, if I ever get that moving I’ll get you the specs on antenna frequency, gain etc etc. In the meantime the usb driver should be enough for full usefulness. Good luck!

  3. Nice work with the IM-me.

    You using just free software to do the RE of USB protocols?

    I’m thinking of trying to see if I can get a USB Missile Launcher working under linux
    http://www.dreamcheeky.com/index.php?pagename=product&pid=41

    I know the protocol for the version without the webcam has been reverse-engineered. I’m hoping it works like the camless version with a standard webcam attached.

    Pan-Tilt webcam for $40. 🙂

    BTW: I found a site about squeezing Linux down to fit in 1M of flash. http://sites.google.com/site/bifferboard/Home/howto/faster-route-to-kernel–initrd
    It’s for a x86 board.
    And sorry it’s taking so long to write more about my Z2 project. I got distracted thinking about DTN and robot carrier pigeons. 😀

  4. Hey DrA,

    Yep, just using snoopypro (free on sourceforge) to snoop on the usb packets, virtualbox (free from sun/oracle) to run a windows virtual machine and the driver software, and openoffice spreadsheet for output.

    I’ve seen those usb missile launchers. The webcam version seems pretty cool. I used to write drivers for ccd cameras which are quite similar, I’d imagine you won’t have too much trouble with it. It’s generally send an init string, receive the vendor ID, request a frame, receive a block size followed by the frame (unless all frames are same size, I’ve seen that too).

    You can get a pan/tilt webcam on geeks.com pretty cheap if you don’t want to roll your own, but I think the missile launcher is more fun.

    That x86 1mb linux kernel is interesting. The patchfile seems specific to x86 and the bboard they’re using, but I imagine there’s a 1mb arm kernel out there somewhere. It reminds me greatly of the ceiva linux port (http://www.heeltoe.com/software/ceiva/Ceiva-mini-HOWTO.html).

    Lol on robot carrier pigeons, I imagine you’d be using rfc1149? http://www.rfc-editor.org/rfc/rfc1149.txt

    Good Luck!

  5. Hi Hunter,

    I spotted these devices about 6 months ago. I thought about hacking them then; now you’ve nudged my interest I have ordered one of these devices (£9!) with the aim of just playing with it. Ideally I’d get some text back and forth into a python application.

    Thanks for the spreadsheet, I think I can follow it. Alas I have no windows machine so it is very helpful.

    You mentioned “script out there to ease the process” Any other clues ?

    Any further details on the identification string I did not follow the detail.

    Thanks,
    Brendan

  6. Hi Brendan,

    No problem, happy to help out. Here’s an article on libusb (which I believe has a userspace python implementation) http://jespersaur.com/drupal/book/export/html/21 . They mention in this article the perl script I recalled, which sets up a skeleton driver for you based on sniffed traffic. I’ve not used it myself, but some have had success with it.

    You can get the ident string with a search of the usb devices with similar code to the one posted above

    
    /* libusb-0.1 (usb.h) enumeration: walk every bus and every device on it and
       return the first one whose descriptor matches the requested VID/PID. */
    #include <stddef.h>
    #include <stdint.h>
    #include <usb.h>

    static struct usb_device *findKeyboard(uint16_t vendor, uint16_t product)
    {
      struct usb_bus *bus;
      struct usb_device *dev;
      struct usb_bus *busses;

      usb_init();              /* initialise the library */
      usb_find_busses();       /* enumerate the buses... */
      usb_find_devices();      /* ...and the devices attached to them */
      busses = usb_get_busses();

      for (bus = busses; bus; bus = bus->next)
        for (dev = bus->devices; dev; dev = dev->next)
          if ((dev->descriptor.idVendor == vendor) && (dev->descriptor.idProduct == product))
            return dev;        /* caller opens it with usb_open(dev) */

      return NULL;             /* no matching device attached */
    }
    
     

    This’ll be needed in addressing the device if you’re going to write a driver and not just inject packets to the device. I’m interested to hear how you end up using this device, lots of interesting use cases I’m sure. Good Luck!

  7. Pingback: Pink wireless-terminal of wonder - Hack a Day

  8. Hey bro,

    Here’s a good version of snoopypro :
    http://sourceforge.net/projects/usbsnoop/files/

    Hey Eliot,

    Without seeing the base station or snooping the traffic it’s hard to tell. With the imfree, it can multiplex up to 7 devices for one usb radio. The im-me doesn’t appear to have this ability, though I don’t have an extra one to check. If the radio protocol is well behaved (tdma style packet timing etc) they may be using the same hardware and just multiplexing the messages at the pc layer.

    Hey max,
    yeah they are quite cheap for the job they do 🙂 I’d be interested to hear what you come up with if you pick one up. GL

  9. Pingback: Pink wireless-terminal of wonder

  10. Hey Blueman,

    Sure, though you’d need to write a driver for this functionality. I’ve seen other small wireless keyboards that use standard usb keyboard HID drivers though, for about the same cost… so if that’s the use case you may be better going proprietary. On the other hand, this is a great opportunity to learn usb drivers etc. Good Luck!

  11. Hey Leigh,

    The spreadsheet I released is how one could circumvent the proprietary software with a driver. A driver would actually circumvent the proprietary software. There may actually not be an issue (other than my half-ass driver code being embarrassing), but for the time being I’m most comfortable taking you most of the way there and pointing you in the right direction. Apologies if this is frustrating. As usual I’m more than happy to answer any specific questions you had. Good Luck!

  12. Is there anyway that you could send me the driver that you have created? I have no experience whatsoever with writing drivers and I don’t even know where to start.

  13. I would freely admit that this is a great idea.

    Except for one problem, Amazon is selling them as part of a bundle deal, namely buying two devices, plus any extras, for a separate firm.

    Can you post a link for the individual one?

  14. Hey Archer,

    Sure, if I get it cleaned up this weekend I’ll send it to you first.

    Hey GCL,

    Haven’t seen the bundle deal myself, I picked one up from amazon, looks like they may have some left. Hope you can snag one, GL

    here

  15. Pingback: The Girly, Pink Chatpad of Awesomeness | Cyrozap's Tech Projects

  16. i had contacted the original makers of the device about two years back. their name is arrayent. after explaining to them that i just wanted to reverse engineer their device for my own benefit, they emailed me full protocol specsheets, and example win32 hid code to interface with the dongle. i’ve used the device briefly back and forth, but it mostly sat after the thrill of bending its will wore off…

  17. Well I’ll be a bored Jedi Knight (and Time lord) two examples of the exact same page.

    Thank you Hunter, and you too Max.

    @Saturnnights
    Would you be interested in sharing your findings on the little devil? Or did they insist on an NDA?

  18. Did you open this little toy to see what’s inside? It would be nice to see if there is any debug COM port or something and be able to use it as a RC COM port, similar to some BT boards that cost 50+ bucks.

  19. @gcl

    they didn’t…really say anything in regards to the matter. the only hope was that whatever i was doing wouldn’t violate the sanction of a predator free communication environment. since i wasn’t using their software at all, i assured them all was good.

  20. What’s the battery time like on the console (usage, idle, charge time)?
    I see some emoticons on the girltech website, do you know if they are stored on the console or transmitted to the device?

  21. Hey Wireghoul,

    Don’t know about the battery life, still on my first set. I would be interested to know these questions as well.. I believe the emoticons are stored on the device, but as it’s paired with the usb before login the only emoticon I can safely say is coming from the device is the smiley face displayed on the error screen.

  22. So how hackable is the handheld IM-Me unit? Anyone cracked it open? At that price I’m fully expecting chip-under-blob packaging, cheap single-sided phenolic board and just maybe a serial programming port. Or we might get really really lucky…

  23. Hey Jonathan,

    Haven’t cracked one open myself, but you’re welcome to enter the hackaway 2009 to win one. I’d be interested to know what’s in there as well.

  24. I ordered one, the first thing I will do is open it and look for serial ports and maybe useful chips (if not covered by the evil blob).

  25. I ordered one from amazon, and just ripped open the USB dongle looking for a serial or i2c port to interface into an arduino.

    It came open easily enough — pop the snap-on cover with a knife, then remove 6 screws.

    The board itself consists of a male USB connector, two IC’s, and a few caps and SMT components. No evil blob.

    One of the two IC’s is a TI cc1110 f32 system-on-chip with a few unpopulated footprints. One of those pairs appears to be the debug port, another is for an external oscillator.

    The other is a cy7c63803 USB controller with no unpopulated headers.

    Based on what I see, the best approach might be to snoop the SPI communication between the two chips. The pin spacing on the USB controller chip is certainly wide enough to make that possible.

  26. Ok, got mine today.
    I opened the main unit, just on one side so far, and it has the TI cc1110 f32 on it, but also 5 soldering pads that can even be accessed through the battery compartment. I don’t know what they are yet, will test with the oscilloscope tonight.

  27. Hello!
    Well mine arrived yesterday. It was expected Monday. I suspect that UPS decided to deliver it early because they thought it was ordered as a gift.

    The TI series of SOC designed commo chips are interesting ones. There are good docs on the TI site.

  28. After playing with the scope a bit, it does not seem that those connectors are COM ports, there is no signal going out. I didn’t trace to see what pins they go to though.
    BTW, I was able to measure the current draw, and at 4.4v it seems to be just 8 mA with the backlight on. Probably less than that if the power LED is removed. However, the device was in stand by, not connected to the PC, so it is possible that the radio will draw more.

  29. Hunter, can you please e-mail me your source code for the tests you did with the IM-ME? Or even make them public? Since there is no encryption circumventing, and since it is done for the purpose of compatibility with other OSes, there is no DMCA clause that would apply.

  30. I can haz im-me driver code?

    Probs best to just post it here if you’re giving it out – i have no clue how to go about making it 😛

    You could, alternatively, post a howto on making your own if you think that its risky to release code. I’m all for a howto!

    –neg

  31. Hey neg,

    That’s a good idea. I just got in the rip-roar, and it appears to be very similar to the im-me. I’ll write up a tutorial to walk you through, once I get a spot of free time 🙂

  32. I’d like to add my vote for a howto on writing a driver app for this device. I’ve had some luck reverse engineering other devices to work under Linux, but some help with this one would be most welcome. I’m planning on using it as a reminder unit by the front door, especially if I can find a way to flash the backlight remotely.

  33. Hey Caffeineated,

    Right on. I’ve got my rip-roar in, just gotta find the time to write up the driver/tutorial for it. Sounds like an interesting use case. Not sure if you can flash the backlight remotely through the existing protocol, might end up needing a physical hack for that. Should be interesting either way. Good Luck!

  34. I’d be interested in seeing your code too! I’m attempting to develop an application (not a driver) to talk to the device. I’m rather new to USB programming, and I’m getting a nice report from the device every couple of seconds or so but haven’t figured out how to send data to it just yet.

  35. I’m attempting to write a driver for it right now to initialize it. Data can be sent to the device using libusb’s usb_control_msg function.

    /* HID SET_REPORT: bmRequestType 0x21, bRequest 0x09, wValue 0x0200 = Output report, ID 0; sends 2 bytes from tmp, 600 ms timeout */
    usb_control_msg(devh, 0x21, 0x09, 0x0200, 0, tmp, 2, 600)

  37. I managed to isolate 4 different messages (from IM-ME -> device) and it
    appears they have a checksum too :/
    I output the letters a, b, c and a sentence (i like apples) – here are the
    results:

    a = 61 -> EE, EF, F0
    b = 62 -> F1, F2, F3
    c = 63 -> F4

    Does this perhaps ring a bell?

    Did anyone yet succeed to send messages to the device using libusb?

  38. Okay solved the checksum mystery:
    About the Checksum / Message
    #02 is the length of the whole message (including header), -2, presumably
    excluding 0xfa, 0xfb

    #05 is the length of the message, excluding #00-#05 and the checksum
    #09 is a sequence number (it somehow gets incremented by two, but okay)

    And the checksum is calculated the following way – add up everything,
    0xfa+0xfb+…..+0x00
    and add the value 11 to it -> modulo 256 => checksum.

    Checksum: 0, bro 1

  39. Sorry I didn’t spot the activity in this thread before; I’ve got most of it working with a bit of reverse engineering (I need to get groups working). My implementation is not hugely robust, as I’ve written it as I’ve gone along, but hopefully you can make sense of it!

    You can find source code (and an app with no error handling) here – http://benryves.com/bin/im-me/im-me-2009.01.13.01.zip – Windows only, I’m afraid, but it’s written in C# so should be pretty easy to follow.

    To log into the demo program you’ll need to enter a username and password (the password is the same as your username), e.g. “steve”, “steve”. This will give you access to a friend list with two friends, Alice and Bob. Talking to any friend spits your message back to you with a time stamp.

    I’ve used a CRC32 to generate user IDs from the username; when using the normal IM-me software I assume this is your account ID (handled on their end).

    Incoming HID data is handled in “packets” (the things with a 0xFA, 0xFB prefix). Each packet has a “part x of y” field that is used to assemble them into larger “USB messages” (to distinguish them from the text messages that chatters send to eachother). From there I hope you can follow what I’ve done; I had started writing up what I’d found, but kept discovering new things and had to start from scratch so decided to keep it simple!

    I have no idea how well this will handle multiple USB adaptors in a PC or how it will handle more than one IM-me connected to an adaptor.

  40. elwing: That’s an interesting project, especially in relation to the TI watch! It’s a shame you can’t back up the original firmware (at least, I don’t think you can) but with the original protocol documented it should be relatively easy to rewrite something that works in a similar enough manner.

    The sample code I posted won’t work properly with more than one IM-me device at a time as it uses a single, global friend list for everyone. If two people connect, then one of them adds a new friend, the other person would see that person in their Who’s Online list even though they never added them as a friend. In reality the sample would need to be modified to maintain friend lists for each contact. (This is only a problem with the sample, and not the library itself).

    Oh, and I just realised that I’m still stuck in 2009. That’s what you get for uploading files at 3AM. 😛

  41. elwig,
    that’s definitely a fun project, can’t wait to see where it goes. Maybe a custom firmware is coming?

    Ben,
    Great work! What is the license on the code (gplv2?) Between your c# implementation and scott’s c implementation it sounds like we should have all alternate platforms covered 🙂 Nice website too btw, especially like the new atmega tetris project!

    /H

  42. Thanks for the comment, Hunter (and thank you for this interesting site!) I tend to favour the permissive MIT as far as licences go, but I’m generally of the impression that if I’m releasing code, feel free to do whatever you want to with it. 🙂

    I’ll continue to stick stuff in http://benryves.com/bin/im-me/ until I’ve written it up more formally. There’s a “Protocol.odt” document that I’ve stuck some information in that may be useful. There’s newer code that fixes a big bug in the way I handled incoming messages of more than one packet; I still can’t send messages of more than one packet, though. This may be due to my cack-handed attempt to use asynchronous file I/O, though.

  43. I just got my im-me in this weekend, I have written a bit of python code to interface with it, I plan to make a library so that others may play with it a bit more easily, if anyone has any more information on this device that could be helpful I would appreciate it.

  44. How hard is it to actually get this working as a wireless terminal? I am not the worlds greatest coder or even half way decent at that but would love to get one of these working on my Linux box.

  45. Hey rfxcasey,

    It’s actually very easy to get working now. Just download the new drivers from sourceforge and you should be great to go, no or absolutely limited coding necessary. Good luck!

  46. Pingback: Arrayent, Inc. Introduces the Industry’s First “Internet-Connect Your Product in a Day” Development Kit « Free Software Download

  47. Just trying to make something out of this from scratch and not sure if it’s my HID drivers that are acting up or if I’ve misunderstood what you are doing.

    Sending as per your docs, the usb dongle pops back with so on the surface all is good. However the handheld won’t see any available computers. Am I missing something here? Bytes are being sent out in sequence.

  48. solved with a trawl through your dumps. Using the info from your protocol doc I get :

    FA FB 11 01 01 00 01 80 …. etc. Looking at the dump between count and ID1 there’s an 0D not mentioned anywhere. With this dropped in it all works. eg FA FB 11 01 01 *0D* 00 01 80

    Knowing the way these things go it’s possible this is a different version; do you have a record of the PID and VID your unit had? Looking through the source this doesn’t pop up, so I’m also open to it being an artifact on this end.

    Delphi6 / Jedi JVCL HID and XP Pro here. And not enough coffee
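    The framing that comments 38, 39 and 48 piece together, written out as an added Python example (this is not code from the post, from Ben’s C# library or from any commenter): the 0xFA 0xFB prefix, the two length bytes at #02 and #05, the “part x of y” reassembly, the sequence byte at #09 and the sum-plus-11 checksum. The placement of part/of at #03/#04, the meaning of the bytes after #05, and the sample message bytes are assumptions or constructed data, not captured traffic; the only piece taken from a real dump is the header FA FB 11 01 01 0D quoted in comment 48, which the two length rules fit (0x11 = 0x0D + 4).

```python
# Added example: framing helpers for the IM-ME dongle protocol as this thread
# reverse-engineered it (comments 38, 39 and 48). Not code from the post or
# from any commenter; the layout after byte #05 is an assumption.

PREFIX = b"\xfa\xfb"   # comment 39: every HID packet starts with 0xFA 0xFB
HDR_LEN = 6            # bytes #00..#05: FA FB, length, part x, of y, msg length
SEQ_OFFSET = 9         # comment 38: byte #09 carries a sequence number


def imme_checksum(body: bytes) -> int:
    """Comment 38: add up every byte from 0xFA to the byte before the
    checksum, add 11, and reduce modulo 256."""
    return (sum(body) + 11) & 0xFF


def build_packet(part: int, of: int, message: bytes) -> bytes:
    """Frame `message` (everything after byte #05, supplied by the caller)
    and append the checksum.  Per comment 38: #02 is the length of the packet
    without the checksum minus 2 (the FA FB prefix); #05 is the length of
    `message`, i.e. everything after #05 with the checksum excluded."""
    if not 1 <= part <= of <= 0xFF:
        raise ValueError("part/of must satisfy 1 <= part <= of <= 255")
    if len(message) + 4 > 0xFF:
        raise ValueError("message too long for a single packet")
    body = bytearray(PREFIX)
    body.append(len(message) + 4)              # #02: bytes #02..end, no checksum
    body += bytes([part, of, len(message)])    # #03 part, #04 of, #05 length (assumed order)
    body += message
    body.append(imme_checksum(body))
    return bytes(body)


def header_consistent(hdr: bytes) -> bool:
    """True when the two length bytes agree with each other, e.g. for the
    prefix FA FB 11 01 01 0D quoted in comment 48 (0x11 == 0x0D + 4)."""
    return len(hdr) >= HDR_LEN and hdr[:2] == PREFIX and hdr[2] == hdr[5] + 4


def parse_packet(pkt: bytes) -> dict:
    """Check prefix, both length fields and the checksum; raise ValueError on
    any mismatch so a corrupted or mis-framed packet is never acted on."""
    if len(pkt) < HDR_LEN + 1 or pkt[:2] != PREFIX:
        raise ValueError("missing FA FB prefix or truncated packet")
    body, cksum = pkt[:-1], pkt[-1]
    if pkt[2] != len(body) - 2:
        raise ValueError(f"byte #02 is {pkt[2]:#04x}, expected {len(body) - 2:#04x}")
    if pkt[5] != len(body) - HDR_LEN:
        raise ValueError(f"byte #05 is {pkt[5]:#04x}, expected {len(body) - HDR_LEN:#04x}")
    if imme_checksum(body) != cksum:
        raise ValueError(f"checksum {cksum:#04x} != {imme_checksum(body):#04x}")
    return {
        "part": pkt[3],
        "of": pkt[4],
        "message": bytes(body[HDR_LEN:]),
        "seq": body[SEQ_OFFSET] if len(body) > SEQ_OFFSET else None,
    }


def is_valid(pkt: bytes) -> bool:
    try:
        parse_packet(pkt)
        return True
    except ValueError:
        return False


def reassemble(packets) -> bytes:
    """Comment 39: the 'part x of y' field joins packets into one larger USB
    message.  Sort by part, insist on a complete 1..y set, and concatenate the
    message bytes (assumption: the whole message field is payload)."""
    parts = [parse_packet(p) for p in packets]
    if not parts:
        raise ValueError("no packets")
    total = parts[0]["of"]
    seen = sorted(p["part"] for p in parts)
    if any(p["of"] != total for p in parts) or seen != list(range(1, total + 1)):
        raise ValueError("incomplete or inconsistent multi-part message")
    return b"".join(p["message"] for p in sorted(parts, key=lambda p: p["part"]))


def to_hid_reports(pkt: bytes) -> list:
    """The post notes the dongle takes one hex byte per report, padded with
    0x00; split a packet into those two-byte reports for usb_control_msg."""
    return [bytes([b, 0x00]) for b in pkt]


if __name__ == "__main__":
    # Constructed sample, not a captured packet: three arbitrary bytes then 'a'.
    pkt = build_packet(1, 1, bytes.fromhex("000180") + b"a")
    print(pkt.hex(" "))            # fa fb 08 01 01 04 00 01 80 61 f0
    print(parse_packet(pkt))
    print(reassemble([build_packet(2, 2, b"cd"), build_packet(1, 2, b"ab")]))
```

    Run it as a script to see a framed sample packet. Anything with a bad checksum or inconsistent length bytes raises ValueError, which is what a driver should do before acting on data that came back from the dongle.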

  49. Delphi, right on! It’s been quite a while for me :). If you get it working you should consider adding it to the SF implementations page. I don’t have a record of the PID/VID for my unit to my recollection, but whoever received it a couple of hackaways ago may be able to tell you. Regardless of coffee, sounds like an interesting implementation you’ve got brewing, pardon the pun.

    good luck

  50. How do i set up a girl tech im-me with out a USB cord because i got one for my daughter at a thrift store and we can not figure it out?
    sincerely, Stephani Everett

    • Hey Stephani,

      I assume you wish to use the device as it was originally intended and not as some sort of hack. Unfortunately, that’s not an option if you are missing the usb transmitter. Your best bet would be to either buy the usb transmitter on eBay, or sell the im-me you have to someone on eBay and pick up another one. The im-me does not use wifi but actually a custom 2.4ghz radio which is paired with a transmitter (the usb cord). It is unlikely you’ll be able to get anything happening without this part. If anyone has one they’re not using, do get in touch with Stephani,

      Best of luck!
      /H

  51. why are there highlights? it does not give u any info sorry 🙁 i can use a diff website well bye won’t visit ur website anymore once again sorry 🙁

    • Hey Morgan,

      Did you come into the page from a google search? Search unlimited will automatically highlight your search terms when you come in from a google search. You can get rid of this by clicking the article title you are reading.

  52. ok so i am the other girltech, no relation. but then i saw this article on using the girl-tech im me as a jammer, and i thought that was pretty sick. had no idea there was so much going on in the girltech hacking cult, but i’m uber excited to see all the cool shit that you guys have done, through this thread.

    i’ve not flashed more than an iPhone and a WRTG in my life, but I am pressed to get a radio jammer working. i’ve been googling for a couple of hours trying to figure out the technology and the precious source. Any direction you can point me in?

    I’m referring to Section 4.4 of this pretty cool read –> http://online.wsj.com/public/resources/documents/p25sec08102011.pdf

    <3 + starz …. ivy aka girltech

  53. Hey girltech (no relation),

    Have you flashed your IM-ME with the spectrum analyzer? That’d be a good first start, as it’d get you used to the flashing process and microcontroller work, and let you figure out what frequency ranges you are looking to jam. Hackaday has been solid about posting up all the hacks people have worked out for the IM-ME since I got the ball rolling. Here’s one article you may find enlightening http://hackaday.com/2010/03/17/im-me-spectrum-analyzer/

    Also how are your soldering skills? If you have a specific frequency range you’re trying to jam you may be better served just soldering together a signal jammer from the constituent parts. Ladyada did a tutorial on building one a few years back. Lots of folks around here and HD that’ll be happy to help. Best of luck!!

  54. hi hunter,

    hey thank you for your reply! that’s a great link you sent, looking at the im-me-spectrum-analyzer on hackaday I agree that’s the best place to start. What a cool use for a purple and pink kids toy. GirlTech’s design and marketing has really annoyed me throughout the years — I put up my brand about the same time they started theirs. I’ve always felt that green+pink on black and lockpicking was a better way to subvert the other girls out there into the computer and hack scene, but I am totally enamored by the hacks that ya’ll have done on this purple quote unquote girly device.

    This is going to be my first soldering project, and I will keep posted on how it goes.

    Mad love + hax on!

    GirlTech (OP = Original Princess )

  55. Hey GirlTech,

    Sorry for the belated reply, so much going on! I’m definitely looking forward to seeing what you come up with. You’ve got a lot of enthusiasm for the hack and I think that’s 90% of it. Good luck, and don’t get discouraged if you’re having trouble with soldering. That’s honestly such a small part of it and you can always make a friend who knows how to put the solder down. Just keep at it! Good luck!

  56. Pingback: OK, This is Familiar | HunterDavis.com
