Datasets
Models
Diff of
/doc/emotiv_protocol.asciidoc
[000000]
..
[a32498]
Switch to unified view
| a | b/doc/emotiv_protocol.asciidoc | ||
|---|---|---|---|
| 1 | = Emotiv EEG Protocol Documentation |
||
| 2 | |||
| 3 | By Daeken, Eguru, qDot |
||
| 4 | Version 1.0, 2012-05-26 |
||
| 5 | |||
| 6 | == Introduction |
||
| 7 | |||
| 8 | This document gives an overview of the communications and obfuscation |
||
| 9 | mechanisms for the Emotiv EEG Headset. It covers the raw data |
||
| 10 | transmission protocols, as well as the techniques used to lock down |
||
| 11 | the system. |
||
| 12 | |||
| 13 | This document does not cover the inner working of any of the Emotiv |
||
| 14 | SDK or Suites used on top of the raw data. It exists mainly for those |
||
| 15 | interested in doing research with raw wave processing software such as |
||
| 16 | OpenVibe and BrainBay. |
||
| 17 | |||
| 18 | == Communications Mechanisms |
||
| 19 | |||
| 20 | The Emotiv EEG communicates via a proprietary wireless protocol to a |
||
| 21 | USB dongle hooked to the host computer. The USB dongle identifies as a |
||
| 22 | USB HID device, emitting 32-byte reports at a rate of 128hz when the |
||
| 23 | headset is on and in range. No data is ever written to the dongle or |
||
| 24 | head, only read from them. |
||
| 25 | |||
| 26 | Each report contains the following information: |
||
| 27 | |||
| 28 | * Packet Counter |
||
| 29 | * Battery Level |
||
| 30 | * Contact Quality |
||
| 31 | * Contact Sensor Readings |
||
| 32 | * Gyro Sensor Readings |
||
| 33 | |||
| 34 | == Cryptography |
||
| 35 | |||
| 36 | === Information and History |
||
| 37 | |||
| 38 | To ensure that raw data is only read by those that have paid for the |
||
| 39 | raw data license, each USB dongle encrypts incoming wireless data via |
||
| 40 | AES against a key composed of the Serial Number (relayed in the USB |
||
| 41 | feature report descriptor for the HID endpoint) of the dongle before |
||
| 42 | emitting it as an HID report. It is assumed that data coming to the |
||
| 43 | dongle from the wireless protocol is unencrypted, and all encryption |
||
| 44 | happens on the dongle. |
||
| 45 | |||
| 46 | While one would figure that dongles would have unique serials, this |
||
| 47 | was not necessarily the case for the first year or so of emotiv |
||
| 48 | development, and cracked decryption keys could be passed around as |
||
| 49 | long as serials for USB dongles matched. However, later headsets now |
||
| 50 | have unique serials per USB dongle. |
||
| 51 | |||
| 52 | Initial key extraction techniques can be found at "Announcement.md" |
||
| 53 | documentation in the emokit repository. |
||
| 54 | |||
| 55 | === Key Strategy |
||
| 56 | |||
| 57 | To create a 128-bit key to decrypt incoming data from the usb dongle, |
||
| 58 | we first need to request a feature report from the device that |
||
| 59 | contains whether the device is a consumer or research headset. This |
||
| 60 | fact changes the makeup of the key. |
||
| 61 | |||
| 62 | Serial numbers are fetched via the feature report for the HID |
||
| 63 | endpoint. Serial numbers are 16 byte strings of the format: |
||
| 64 | |||
| 65 | ------- |
||
| 66 | SNXXXXXXXXXXYYYY |
||
| 67 | ------- |
||
| 68 | |||
| 69 | Where Xs and Ys are usually numbers. The last 4 characters of the |
||
| 70 | serial number are what are used to create the key. It's interesting to |
||
| 71 | note that sometimes serials have dates embedded in them, i.e. |
||
| 72 | |||
| 73 | ------- |
||
| 74 | SN20120526998912 |
||
| 75 | ------- |
||
| 76 | |||
| 77 | The date is probably the day the usb dongle was flashed. |
||
| 78 | |||
| 79 | For the research headset, the key is composed of the following values: |
||
| 80 | |||
| 81 | ------- |
||
| 82 | [15] 0x00 [14] 0x54 [13] 0x10 [12] 0x42 [15] 0x00 [14] 0x48 [13] 0x00 [12] 0x50 |
||
| 83 | ------- |
||
| 84 | |||
| 85 | For the consumer headset, the key is composed of the following values: |
||
| 86 | |||
| 87 | ------- |
||
| 88 | [15] 0x00 [14] 0x48 [13] 0x00 [12] 0x54 [15] 0x10 [14] 0x42 [13] 0x00 [12] 0x50 |
||
| 89 | ------- |
||
| 90 | |||
| 91 | Where the numbers in brackets are indexes of the serial string |
||
| 92 | retrieved from the USB feature report descriptor. So for instance, if |
||
| 93 | a serial number for a consumer headset is |
||
| 94 | |||
| 95 | ------- |
||
| 96 | SN20120526998912 |
||
| 97 | ------- |
||
| 98 | |||
| 99 | The characters we're interested in are the last 4: |
||
| 100 | |||
| 101 | ------- |
||
| 102 | 8 [0x38] 9 [0x39] 1 [0x31] 2 [0x32] |
||
| 103 | ------- |
||
| 104 | |||
| 105 | Then the resulting crypto key will be |
||
| 106 | |||
| 107 | ------- |
||
| 108 | 0x32 0x00 0x31 0x48 0x39 0x00 0x38 0x54 0x32 0x10 0x31 0x42 0x39 0x00 0x38 0x50 |
||
| 109 | ------- |
||
| 110 | |||
| 111 | == Packet Analysis |
||
| 112 | |||
| 113 | 32-byte packets are received from the USB device at 128hz. Update |
||
| 114 | rates within that packet are: |
||
| 115 | |||
| 116 | * Sensor Data - 128hz |
||
| 117 | * Gyro Data - 128hz |
||
| 118 | * Battery - 1hz |
||
| 119 | * Sensor Quality - 1hz-16hz (Depending on sensor) |
||
| 120 | |||
| 121 | === Packet Layout |
||
| 122 | |||
| 123 | An Overview of the 256-bit Packet Layout: |
||
| 124 | |||
| 125 | |============================= |
||
| 126 | | Bit Indexes | Used for |
||
| 127 | | 0:7 | Counter/Battery |
||
| 128 | | 8:21 | F3 Data |
||
| 129 | | 22:35 | FC5 Data |
||
| 130 | | 36:49 | AF3 Data |
||
| 131 | | 50:63 | F7 Data |
||
| 132 | | 64:77 | T7 Data |
||
| 133 | | 78:91 | P7 Data |
||
| 134 | | 92:105 | O1 Data |
||
| 135 | | 107:120 | Connection Quality (Rotating) |
||
| 136 | | 121:133 | ? |
||
| 137 | | 134:147 | O2 Data |
||
| 138 | | 148:161 | P8 Data |
||
| 139 | | 162:175 | T8 Data |
||
| 140 | | 176:189 | F8 Data |
||
| 141 | | 190:203 | AF4 Data |
||
| 142 | | 204:217 | FC6 Data |
||
| 143 | | 218:231 | F4 Data |
||
| 144 | | 233:239 | Gyro X |
||
| 145 | | 240:247 | Gyro Y |
||
| 146 | | 248:255 | ? |
||
| 147 | |============================= |
||
| 148 | |||
| 149 | === Counter and Battery |
||
| 150 | |||
| 151 | The first byte of each packet can denote one of two things: the packet |
||
| 152 | count, or the battery power level. |
||
| 153 | |||
| 154 | Packet count makes up the lower 7 bits of the first byte. If the |
||
| 155 | highest bit is a 1, then the battery level is being relayed. This |
||
| 156 | happens once per second. |
||
| 157 | |||
| 158 | Packet count goes from 0-127, then transmits a battery power packet, |
||
| 159 | then wraps back to 0. This can be used to detect dropped packets. The |
||
| 160 | battery power packet will always have the highest bit set to 1. |
||
| 161 | |||
| 162 | Battery count is read via this table: |
||
| 163 | |||
| 164 | |============================ |
||
| 165 | | Value | Battery Level (%) |
||
| 166 | | >= 248 | ~100 |
||
| 167 | | 247 | 99.93 |
||
| 168 | | 246 | 97.02 |
||
| 169 | | 245 | 93.40 |
||
| 170 | | 244 | 89.45 |
||
| 171 | | 243 | 85.23 |
||
| 172 | | 242 | 81.89 |
||
| 173 | | 241 | 76.77 |
||
| 174 | | 240 | 71.54 |
||
| 175 | | 239 | 66.59 |
||
| 176 | | 238 | 61.92 |
||
| 177 | | 237 | 55.37 |
||
| 178 | | 236 | 45.93 |
||
| 179 | | 235 | 32.34 |
||
| 180 | | 234 | 20.43 |
||
| 181 | | 233 | 12.37 |
||
| 182 | | 232 | 5.08 |
||
| 183 | | 231 | 3.63 |
||
| 184 | | 230 | 2.80 |
||
| 185 | | 229 | 2.05 |
||
| 186 | | 228 | 1.42 |
||
| 187 | | 227 | 0.88 |
||
| 188 | | 226 | 0.42 |
||
| 189 | | 225 | 0 |
||
| 190 | | < 225 | ~0 |
||
| 191 | |============================ |
||
| 192 | |||
| 193 | === Contact Readings |
||
| 194 | |||
| 195 | Readings from the contacts are available as 14 bit values, with each |
||
| 196 | sensor sending at 128hz. The values are interspered throughout the |
||
| 197 | packet. See the Packet Layout section for which sensors are covered by |
||
| 198 | each bit range. |
||
| 199 | |||
| 200 | === Contact Quality |
||
| 201 | |||
| 202 | Contact quality consists of 14 bits, and refers to the contact quality |
||
| 203 | of the sensor as an amplitude of its calibration signal. The sensor |
||
| 204 | context of the field changes based on the value of the packet counter |
||
| 205 | in the first byte. For instance, a counter value of 1 means the packet |
||
| 206 | is showing the quality for sensor FC5, while a counter value of 2 |
||
| 207 | means that the packet is showing the quality for sensor AF3, and |
||
| 208 | so on. |
||
| 209 | |||
| 210 | The following list shows the order that the sensors are listed in, in |
||
| 211 | relation to the counter, starting with counter = 0. |
||
| 212 | |||
| 213 | |============================ |
||
| 214 | | Counter Index | Contact |
||
| 215 | | 0 | F3 |
||
| 216 | | 1 | FC5 |
||
| 217 | | 2 | AF3 |
||
| 218 | | 3 | F7 |
||
| 219 | | 4 | T7 |
||
| 220 | | 5 | P7 |
||
| 221 | | 6 | O1 |
||
| 222 | | 7 | O2 |
||
| 223 | | 8 | P8 |
||
| 224 | | 9 | T8 |
||
| 225 | | 10 | F8 |
||
| 226 | | 11 | AF4 |
||
| 227 | | 12 | FC6 |
||
| 228 | | 13 | F4 |
||
| 229 | | 14 | F8 |
||
| 230 | | 15 | AF4 |
||
| 231 | | 16-63 | Unknown? |
||
| 232 | | 64 | F3 |
||
| 233 | | 65 | FC5 |
||
| 234 | | 66 | AF3 |
||
| 235 | | 67 | F7 |
||
| 236 | | 68 | T7 |
||
| 237 | | 69 | P7 |
||
| 238 | | 70 | O1 |
||
| 239 | | 71 | O2 |
||
| 240 | | 72 | P8 |
||
| 241 | | 73 | T8 |
||
| 242 | | 74 | F8 |
||
| 243 | | 75 | AF4 |
||
| 244 | | 76 | FC6 |
||
| 245 | | 77 | F4 |
||
| 246 | | 78 | F8 |
||
| 247 | | 79 | AF4 |
||
| 248 | | 80 | FC6 |
||
| 249 | | .. | 77-80 Pattern repeats until counter hits 127 |
||
| 250 | |============================ |
||
| 251 | |||
| 252 | To get a useful reading, divide each readout by ~540. A value of |
||
| 253 | 0.8-1.0 means a "good" contact. |
||
| 254 | |||
| 255 | === Gyros |
||
| 256 | |||
| 257 | Gyro readings are available for 2 axes (head turned left/right and |
||
| 258 | foreward/back). These are 8-bit values that update at a rate of 128hz, |
||
| 259 | with 7-bits of resolution on either side of the median point for the |
||
| 260 | turn. |