Reverse Engineering
Using the ScoreBuddy app we can get a general understanding about how the board works. Opening the app will connect to the board. Then we can start a match, which will enable throw notifications. Throwing darts will the be visible in the app, and after three throws, pressing the button will move to the next player.
To get more detailed information about the board, we need to interact directly with the board via bluetooth. Which can be done using bluetoothctl, hcitool, gatttool (bluez), and Wireshark
There are currently two different version of the board. The code in this repository supports both version of the board, as they are announcing the same services. For more indepth information about each version see Version 1 and Version 2
# [joofunn Dartboard]# info
# Device 5C:F8:21:8D:A7:8E (public)
# Name: joofunn Dartboard (B)
# Alias: joofunn Dartboard (B)
# Paired: no
# Trusted: no
# Blocked: no
# Connected: yes
# LegacyPairing: no
# UUID: Generic Access Profile (00001800-0000-1000-8000-00805f9b34fb)
# UUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
# UUID: Device Information (0000180a-0000-1000-8000-00805f9b34fb)
# UUID: Battery Service (0000180f-0000-1000-8000-00805f9b34fb)
# UUID: Unknown (0000fff0-0000-1000-8000-00805f9b34fb)
# Modalias: bluetooth:v000Dp0000d0110
# RSSI: -78
# AdvertisingFlags:
Multiple services are exposed by the board
# attr handle: 0x0001, end grp handle: 0x000b uuid: 00001800-0000-1000-8000-00805f9b34fb
# attr handle: 0x000c, end grp handle: 0x000f uuid: 00001801-0000-1000-8000-00805f9b34fb
// Scoring service
# attr handle: 0x0010, end grp handle: 0x0021 uuid: 0000fff0-0000-1000-8000-00805f9b34fb
# attr handle: 0x0022, end grp handle: 0x0034 uuid: 0000180a-0000-1000-8000-00805f9b34fb
# attr handle: 0x0035, end grp handle: 0xffff uuid: 0000180f-0000-1000-8000-00805f9b34fb
fff0 is the one used for scoring, and the one to focus on
There are also many characteristics exposed by the board
# handle: 0x0002, char properties: 0x02, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb
# handle: 0x0004, char properties: 0x02, char value handle: 0x0005, uuid: 00002a01-0000-1000-8000-00805f9b34fb
# handle: 0x0006, char properties: 0x0a, char value handle: 0x0007, uuid: 00002a02-0000-1000-8000-00805f9b34fb
# handle: 0x0008, char properties: 0x08, char value handle: 0x0009, uuid: 00002a03-0000-1000-8000-00805f9b34fb
# handle: 0x000a, char properties: 0x02, char value handle: 0x000b, uuid: 00002a04-0000-1000-8000-00805f9b34fb
# handle: 0x000d, char properties: 0x20, char value handle: 0x000e, uuid: 00002a05-0000-1000-8000-00805f9b34fb
// Characteristic to subscribe to throw notifications
# handle: 0x0011, char properties: 0x10, char value handle: 0x0012, uuid: 0000fff1-0000-1000-8000-00805f9b34fb
// Characteristic to control the "button"
# handle: 0x0014, char properties: 0x08, char value handle: 0x0015, uuid: 0000fff2-0000-1000-8000-00805f9b34fb
# handle: 0x0016, char properties: 0x0a, char value handle: 0x0017, uuid: 0000fff3-0000-1000-8000-00805f9b34fb
# handle: 0x0018, char properties: 0x08, char value handle: 0x0019, uuid: 0000fff4-0000-1000-8000-00805f9b34fb
# handle: 0x001a, char properties: 0x08, char value handle: 0x001b, uuid: 0000fff5-0000-1000-8000-00805f9b34fb
# handle: 0x001c, char properties: 0x10, char value handle: 0x001d, uuid: 0000fff6-0000-1000-8000-00805f9b34fb
# handle: 0x001f, char properties: 0x10, char value handle: 0x0020, uuid: 0000fff7-0000-1000-8000-00805f9b34fb
# handle: 0x0023, char properties: 0x02, char value handle: 0x0024, uuid: 00002a23-0000-1000-8000-00805f9b34fb
# handle: 0x0025, char properties: 0x02, char value handle: 0x0026, uuid: 00002a24-0000-1000-8000-00805f9b34fb
# handle: 0x0027, char properties: 0x02, char value handle: 0x0028, uuid: 00002a25-0000-1000-8000-00805f9b34fb
# handle: 0x0029, char properties: 0x02, char value handle: 0x002a, uuid: 00002a26-0000-1000-8000-00805f9b34fb
# handle: 0x002b, char properties: 0x02, char value handle: 0x002c, uuid: 00002a27-0000-1000-8000-00805f9b34fb
# handle: 0x002d, char properties: 0x02, char value handle: 0x002e, uuid: 00002a28-0000-1000-8000-00805f9b34fb
# handle: 0x002f, char properties: 0x02, char value handle: 0x0030, uuid: 00002a29-0000-1000-8000-00805f9b34fb
# handle: 0x0031, char properties: 0x02, char value handle: 0x0032, uuid: 00002a2a-0000-1000-8000-00805f9b34fb
# handle: 0x0033, char properties: 0x02, char value handle: 0x0034, uuid: 00002a50-0000-1000-8000-00805f9b34fb
# handle: 0x0036, char properties: 0x12, char value handle: 0x0037, uuid: 00002a19-0000-1000-8000-00805f9b34fb
fff1 and fff2 are the ones we are interested in, as they belong to the scoring service listed above.
To be able to get notifications for each throw the following needs to be done
- Connect to the board
- Enable listening mode (Write
0x03(high) tofff2)- This will also switch the LEDs in the button from red to green
- Writing
0x02(low) will disable the listening mode
- Subscribe to throw notifications
- Throwing darts on the board will now emit events containing binary values for score and multiplier like the following
10 01 // Single 10 05 03 // Triple five 0f 00 // Single 15 ...
Here is an example showing how to enable throw notifications using bluetoothctl, and throwing some darts. Make sure to replace <UUID> with the uuid of your board.
# Connecting
bluetoothctl
connect <UUID>
menu gatt
select-attribute /org/bluez/hci0/dev_<UUID>/service/0010/char0014
write 0x03
select-attribute /org/bluez/hci0/dev_<UUID>/service10/char0011
notify on
// Notifications should now be coming in for each dart thrown
# Disconnecting
back
disconnect
