Reverse engineering the BT communication for the Medtronic Guardian Continuous Glucose Monitoring Systems and Insulin Pumps. This work originally started on the Guardian 4 Sensor, but now the insulin pumps are also being researched. Check the Discord for more info! https://discord.gg/tb4egy8VYh (no Medtronic spies please)
- Jadx_Projects
  - contains the JADX projects used to reverse engineer the APK contents
- OpenGuardian4
  - the Java code for parsing and decoding already decrypted BT messages
  - intended to be used in an Android app, hopefully in the foreseeable future
  - limited support for UUIDs, but it can also parse some Guardian 4 messages
  - the "4" will be dropped from the name, and support will be added for Guardian 3 and the pumps
- Sake_RE
  - Sakeproxy
    - an Android application which uses the prebuilt SAKE libraries extracted from the original APKs
    - it provides a simple HTTP API and can be used to perform the crypto functions without an actual device
    - only a temporary solution until we can fully reverse engineer the crypto library, but very useful for development
    - I am also planning on hosting some kind of development server for other people to talk with their devices
- Data
  - decrypted SAKE "key databases"
  - logs from the Monitor script
  - UUID information
  - sniffed BT traffic in pcap format
  - TODO: document everything, maybe create a wiki on GitHub
- Scripts
  - various scripts to be used with Frida (including the Monitor)
  - TODO: go through the old backups and upload everything
- Tools
  - log_decrypt
    - the app contains functionality to dump decrypted logs into a zip file for debugging with Medtronic's email support (???)
    - the algorithm has been reversed: after manually patching the public key in the APK, the dump can be decrypted and contains juicy info for reversing
  - db_decrypt
    - scripts to dump the AndroidKeyStore, where the keys for the app's databases are stored
  - minimal API for CareLink Cloud
    - I have reversed the API where the data upload/download takes place
    - the code has now been integrated into some open-source projects; this is just a mirror (see carelink-python-client, xDripCareLinkFollower)
  - other scripts used for dev
    - TODO: sort out scripts used for MITM
- log_decrypt
  - get the Guardian APK here: https://m.apkpure.com/guardian%E2%84%A2/com.medtronic.diabetes.guardian/download (md5sum of the original file: 865d1872c197c073830c02416d63f294)
  - place it in the project's root folder under the name "Guardian_134.apk"
  - get jadx from here: https://github.com/skylot/jadx/releases
  - open the project
  - start reversing: you will mostly need just two buttons, X for references and N for rename, plus the search menu
  - just search for classes > ConverterMap
  - or from scratch:
    - look for a UUID string of a GATT service (for example "00000202-0000-1000-0000-009132591325")
    - there should be one or two results; check the call to super
    - look for an injection of a class into an interface, that's the target class
    - right-click on the class > find usage, and find a class which maps other classes, starting with Void, String, Byte[], to other random classes
    - those are the converters and the target classes that we are interested in
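The from-scratch route above starts from a GATT service UUID. As an added example (not code from this repository), here is a small Python helper that normalizes the UUID strings you collect while reversing, tells a Bluetooth SIG-assigned service apart from one built on a vendor base, and groups UUIDs by their 96-bit base so everything sharing the base of the example UUID above can be catalogued together. The sample input is constructed from that one UUID plus two standard SIG services (0x1800 Generic Access, 0x180F Battery Service).

```python
import re
import uuid

# Bluetooth SIG base UUID: 16/32-bit assigned numbers occupy the top 32 bits.
BT_SIG_BASE = uuid.UUID("00000000-0000-1000-8000-00805F9B34FB")
LOW96 = (1 << 96) - 1


def normalize(text):
    """Accept '180F', '0x180f' or a full 128-bit string and return a uuid.UUID."""
    t = text.strip().lower()
    if t.startswith("0x"):
        t = t[2:]
    if re.fullmatch(r"[0-9a-f]{4}|[0-9a-f]{8}", t):
        return uuid.UUID(int=(int(t, 16) << 96) | BT_SIG_BASE.int)  # expand short form
    return uuid.UUID(t)


def classify_gatt_uuid(text):
    """Return (kind, assigned_number, base) for one GATT UUID.

    kind is 'sig16'/'sig32' when the low 96 bits equal the SIG base, else
    'vendor'; base is the low 96 bits rendered with the top 32 bits zeroed,
    so every UUID of one custom profile reports the same base string.
    """
    u = normalize(text)
    assigned, base = u.int >> 96, u.int & LOW96
    if base == BT_SIG_BASE.int:
        kind = "sig16" if assigned <= 0xFFFF else "sig32"
    else:
        kind = "vendor"
    return kind, assigned, str(uuid.UUID(int=base))


def group_by_base(uuids):
    """Map each base string -> sorted assigned numbers seen on it."""
    groups = {}
    for text in uuids:
        _, assigned, base = classify_gatt_uuid(text)
        groups.setdefault(base, []).append(assigned)
    return {b: sorted(n) for b, n in groups.items()}


# Constructed input: the vendor UUID quoted in this README plus two SIG services
# (0x1800 Generic Access, 0x180F Battery Service) written in different notations.
SAMPLE = [
    "00000202-0000-1000-0000-009132591325",
    "00001800-0000-1000-8000-00805f9b34fb",
    "0x180F",
]

if __name__ == "__main__":
    for text in SAMPLE:
        print(text, *classify_gatt_uuid(text))
    print(group_by_base(SAMPLE))
```

Feed it the UUIDs you find in the decompiled code (or in the UUID information under Data) to see which ones belong to the device's custom profile versus standard services.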
Usage:
- get a rooted Android phone
- download frida-server (https://frida.re/docs/android)
- connect to adb via USB & install Frida on your phone
- start your frida-server as root on the device
- edit the beginning of the monitor.js script to select your app version
- run `frida -U -f com.medtronic.diabetes.guardian -l guardianmon.js` (you can stack additional scripts to bypass the security checks, e.g. `-l bypass_developer.js`)
- save the output to a txt file and use OpenGuardian to parse it
- if the app is patched it will NOT be able to receive the SAKE keys, because PlayIntegrity will detect it, but MITM is still possible for login and the "Teneo secure communications" (after some Frida scripts)