Blog: Android
Messing around with dildos. How to drive a vibrator with RealTerm
Seeing as how we’ve been researching internet and app enabled toys we thought that the world of adult toys could do with some of our special attention.
We acquired a set of premium cyberdildonic sex toys (that’s an actual word apparently) that allow someone else to “drive” them for you. Here’s what we found…
Getting started
Once logged in to the application, the user is given the option to add a ‘toy’.
This searched for Bluetooth devices in pairing mode and will add the device once it’s found. Even though the user is never asked for a PIN, the application is gracious enough to tell us that the devices have a hardcoded PIN of ‘0000’ as shown below:
Instead of using the ‘Body Chat’ application, we decided to connect to the device.
The ‘toys’ had device names of LVS-A002 and LVS-B002. These devices both went in to pairing mode when turned on (if you’ll pardon the pun).
A connection was made as shown below:
Once connected, the device was seen as having a standard serial port:
RealTerm was used to connect to the device which received several ‘OK’ messages whilst cycling through the vibration settings:
The application’s source code was trawled for the commands that were being sent to the devices, which revealed the following:
| Command | Function |
| DeviceType; | Returns the name, status and MAC of the device. For example: ToyA:2:78a5047b6a03; |
| Battery; | Returns the battery level. |
| PowerOff; | Powers off the device. |
| Status:”1″ | Returns the status of the device as an integer. 2 was the normal value. |
| Vibrate:”1″ | This started the devices vibrating. The value passed was the intensity. |
| StartMove:”1″ | The function of this was not fully understood. When this command was sent to the device a string of hex values was returned until the StopMove command was issued. The units were capable of timing vibrations based on music and it is thought that this command may be used in that function. |
| StopMove:”1″ | This stopped the output of the StartMove command. |
| Rotate:”1″ | This activated the rotational movement of the ‘Nora’ unit. |
| RotateChange; | This changed the direction of the rotational movement from clockwise to counter clockwise or vice versa. |
| Air:Level:1; | This set the level of air in the inner balloons of the ‘Max’ unit. |
| Air:In:1; | This inflated the inner balloons by an amount dictated by the passed parameter. |
| Air:Out:1; | This let air out of the inner balloons of the ‘Max’ unit. |
Below is an example of the output of the StartMove command:
An attempt was made to discover any hidden functionality such as debugging or developer options, however none were found.
What next?
Over the next weeks we’ll be reverse engineering the app itself and looking in more detail at the protocols used.
