Originally Posted by rcoulsell
I know that this thread has been quiet for a while... I am curious if anyone has experience reading firmware for any of the wireless Di2 supported devices? I have tried to no avail to decompile the code.
Trying to find the above referenced network key so I can begin analyzing the transmissions from my wireless Di2 device using my ANT USB stick. I just want the ability to view this on my Samsung Android phone, Recon Jet glasses, computer screen during virtual training sessions, etc. Don't want to have to pick up a Garmin, Mio, or Shimano computer/watch to be able to do it.
Appreciate anyone's help! I have time and energy, just stuck on the decompile (tried Binwalk, played around with IDA, etc.)
The trick with ANT-Private is that it's like ANT+, with the extension of security. ANT+ is designed to be incredibly open...think TCP/IP back in the early 80s, where every member of ARPANET was trusted and everything was all kumbaya. That's the ANT+ model, because what does it matter if someone's able to interfere with your heart monitor by doing a prolonged burst send, right? But when you add features like shifting on a Shimano Di2 drivetrain, all of a sudden you've turned ANT (be it ANT+, ANT, or private-ANT) into the communications backbone of a control system. What's to keep someone from triggering a couple of upshifts for everyone around them just as the whole peloton nears the finish line? What's to keep someone from jamming all shifting? This is what private-ANT is meant to prevent...WheresWaldo's allegations aside, that this is some market-based ploy for Shimano (despite the fact that other vendors are now becoming compatible).
That said, have you done any hardware hacking? What are you trying to decompile? I would say that your best bet is to configure a shifter and then disassemble it. Use a Bus Pirate to pull what you can off any microcontrollers you find (you'll probably only find one). If you've not done hardware hacking, then you'll have a bit of an uphill battle on this, since you have to learn how to research the chips you find, how to connect to whichever interface (almost certainly either SPI or I2C) they use, and so on...but if you know about IDA Pro, you definitely have a leg up on most people with regard to this.
Also, since I don't know the procedure for setting up a Di2 drivetrain, I wonder: what pairs the shifters with the derailleurs? Are they pre-paired out of the box...and if so, what's the procedure for pairing if you have to replace a broken derailleur or shifter? If you know RF hacking, then that's a bit of attack surface you can go after as well, if you can set up RFCat or get a HackRF. The benefit of this is that if you hit the jackpot by listening in on the pairing conversation (assuming it's not particularly well-encrypted...ANT+ uses only 64-bit crypto, which means it sure isn't AES since that requires a 128-bit key at a minimum) then you don't have to do destructive testing on an expensive piece of hardware.