
Long Description:

I have a DJI Osmo Mobile 3 gimbal with Bluetooth 5.0, which supports ActiveTrack 3.0 technology. It connects to your phone via Bluetooth and using the DJI Mimo app you can select an object and track it.

I want to implement this technique in Python using OpenCV.

As I understood, the phone calculates the position of the object using computer vision and then sends the coordinates via Bluetooth to the gimbal, which then follows them. I connected to the gimbal with the nRF Connect app for Android and looked for its services and characteristics, and this is what I found:

Services

Some unknown information getting sent

UPD: looks like the 4 bytes after 57 on the picture mean the joystick values. First 2 are responsible for left-right tilt, the other ones indicate up-down state. Looks like all of them can be max. 256, but I don't understand, why do they need 2 bytes for each action?

First 2 Bytes:
d2, 03 (210, 3) - full right
c2, fb (194, 251) - full left

Last 2 Bytes:
5a, 04 (90, 4) - full up
a6, fc (166, 252) - full down

HID Control, which doesn't return any information

The characteristic with UUID 0xFFF5 looks like what I need, but now I need to find out in which format the coordinates are being sent. For this purpose I want to simulate the same BLE services as on the gimbal and let the phone think it is a real one. After the connection it should send data to some of the characteristics. So now the main question.

Main question:

How to emulate BLE Services and their Characteristics using Android, RPI, ESP32 or whatever to get data being sent to those characteristics? Is there any app, library or piece of code for such purpose?

I've seen dongles like CC2045, which are designed to work on 2.4GHz frequencies and sniff BLE traffic, but it will take a long time for them to arrive to me. Also nRF52840 based dongles are not an option right now. So I want to implement it using things I have. Is it possible? Thanks!

Christoph Rackwitz
XazkerBoy
  • 1
    UPD: looks like the 4 bytes after 57 on "unknown information" picture mean the joystick values. First 2 are responsible for left-right tilt, the other ones indicate up-down state. Looks like all of them can be max. 256, but I don't understand, why do they need 2 bytes for each action? First 2 Bytes: d2, 03 (210, 3) - full right c2, fb (194, 251) - full left Last 2 Bytes: 5a, 04 (90, 4) - full up a6, fc (166, 252) - full down – XazkerBoy Nov 26 '20 at 17:02
  • 1
    Have you tried just sending data to the device yourself? If your findings are correct you should be able to move the gimbal – Michael Kotzjan Nov 27 '20 at 05:44
  • 1
    @M.Kotzjan the problem is I don't know in which format to send the data. x1-x2-y1-y2 or x-y, maybe there are also move values before and after the coordinates. This is why I want to sniff the data and get its structure. But still, I'll try guessing manually. Thanks – XazkerBoy Nov 27 '20 at 06:53
  • 1
    Without a BLE sniffer this would of course be only trial and error. Maybe the usage of a BLE MitM framework like btlejuice could be an option but I never tried it with BLE 5.0 and the setup was not that simple. I used a notebook and a RPI but installing required quite specific versions of nodejs – Michael Kotzjan Nov 27 '20 at 07:17
  • 1
    Did you already try to capture a "Bluetooth Snoop Log" directly on the Android device? I believe this can be parsed with Wireshark. See https://medium.com/propeller-health-tech-blog/bluetooth-le-packet-capture-on-android-a2109439b2a1 for an example. – Florian Echtler May 24 '23 at 08:02

0 Answers
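Following the Android "Bluetooth Snoop Log" suggestion in the comments, here is an added example (not part of the original question or comments) that pulls ATT writes and notifications out of a btsnoop capture taken on your own phone and decodes the four bytes after 0x57. Reading each pair as a little-endian signed 16-bit integer is an assumption; it turns the question's values into 978 / -1086 and 1114 / -858. The sample capture, its attribute handles and the helper names are constructed for illustration.

```python
import struct

ATT_OPS = {0x12: "write_req", 0x52: "write_cmd", 0x1B: "notify"}

def att_values(blob):
    """Yield (direction, op, attribute handle, value) from a btsnoop capture."""
    if blob[:8] != b"btsnoop\x00":
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack(">II", blob[8:16])
    if datalink != 1002:  # 1002 = HCI UART (H4) framing
        raise ValueError(f"unsupported datalink {datalink}")
    pos = 16
    while pos + 24 <= len(blob):
        # Record header: orig len, included len, flags, drops, timestamp
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[pos:pos + 24])
        pkt = blob[pos + 24:pos + 24 + incl]
        pos += 24 + incl
        # H4 type 0x02 = ACL; need ACL hdr (4) + L2CAP hdr (4) + ATT op/handle (3)
        if len(pkt) < 12 or pkt[0] != 0x02:
            continue
        conn, _acl_len, l2_len, cid = struct.unpack("<HHHH", pkt[1:9])
        # Keep the ATT channel (CID 4); skip continuation fragments (PB flag 01)
        if cid != 0x0004 or (conn >> 12) & 0x3 == 0x1:
            continue
        if pkt[9] in ATT_OPS:
            (handle,) = struct.unpack("<H", pkt[10:12])
            direction = "rx" if flags & 1 else "tx"  # bit 0: 1 = received by host
            yield direction, ATT_OPS[pkt[9]], handle, pkt[12:9 + l2_len]

def decode_axes(value, marker=0x57):
    """Assumption: the 4 bytes after 0x57 are two little-endian int16 axes."""
    i = value.find(bytes([marker]))
    if i < 0 or len(value) < i + 5:
        return None
    return struct.unpack_from("<hh", value, i + 1)

def _record(att, flags):
    """Build one constructed btsnoop record carrying an ATT PDU."""
    l2cap = struct.pack("<HH", len(att), 0x0004) + att
    pkt = b"\x02" + struct.pack("<HH", 0x2040, len(l2cap)) + l2cap
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, 0) + pkt

# Constructed capture (handles 0x002a / 0x002d are made up, not from the gimbal)
SAMPLE = (b"btsnoop\x00" + struct.pack(">II", 1, 1002)
          + _record(bytes.fromhex("1b2a0057d2035a04"), flags=1)   # notification
          + _record(bytes.fromhex("522d000102"), flags=0))        # write command

if __name__ == "__main__":
    for direction, op, handle, value in att_values(SAMPLE):
        print(direction, op, hex(handle), value.hex(), decode_axes(value))
```

To use it on a real capture, pass the bytes of the snoop log file to `att_values` in place of `SAMPLE` and compare the "tx" values written while the app is tracking an object.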