Help understanding GT06 protocol

Thomas O, 6 years ago

Hi everyone,
While doing some research about my recently-acquired Chinese GPS tracker, I've stumbled across this forum and believe you'll be able to help me a bit.
Long story short: I'm trying the DIY version of a pet GPS tracker to fit on my cat from time to time. My initial guess was to look at Tinyduino/Arduino-like boards, but overall they are too big and I don't have any experience in designing PCBs... so I ended up on AliExpress and bought this ZX612 device from "Topin", which has been covered a bit already on this thread as well as this one.

Initially, this stuff uploads data to a very ugly, Chinese-owned online service called 365gps. My ultimate goal is to have a small Python Flask server running on my own server at home, and have a very simplistic design relying on Gmaps or the OpenStreetMap API, with a Python backend to communicate with the GPS.

The seller provided me with documentation that is very similar to one posted here already, with a few more packets described, but most of the new ones are useless for my case. I spent the whole afternoon yesterday re-writing that doc into a list of packets with their bit structure.

Now, here's where I get stuck: my understanding is that all packets exchanged are sent over TCP. So I set up a Wireshark/tcpdump instance on a Raspberry at home, listening on a specific port (redirected to it on my router), then turned on the GPS, sent it an SMS to set the upload server to my IP and port, and waited. I've captured a bunch of packets... but am absolutely unable to identify anything that is part of the protocol documentation.

I've registered on the Traccar demo server and can confirm that the GPS is actually transmitting, and is positioned properly, so the Traccar server is able to decrypt what it's sending. I've also looked extensively at the GT06 protocol-related sources on GitHub, mostly the GT06ProtocolDecoder.java sources, which I believe should basically be a way to understand how these TCP packets should be interpreted... but unfortunately my Java is extremely rusty and I can't make sense of it for now.

Overall, my approach of redirecting to a server of my own and making sense of incoming packets feels like a good way to understand how packets are wrapped. I'm not sure though what the "first packet received" would be; my intuition would point towards the 0x01 login instruction, but you never know. For instance, the following is the raw content of a PCAP capture with 3 packets exchanged (3 initiated by the GPS and 3 answers from my server, although they are irrelevant because they don't implement the protocol so far).

d4c3 b2a1 0200 0400 0000 0000 0000 0000
0000 0400 0100 0000 f22c d35b 7093 0100
4e00 0000 4e00 0000 0011 320c 5185 f4ca
e54b 866c 0800 4500 0040 f9a2 4000 7706
4446 25ab dc7d c0a8 02fe 8e94 138e 004c
2df4 0000 0000 b002 3520 5bb5 0000 0204
0514 0103 0300 0101 0402 0101 080a 0000
0f9a 0000 0000 f22c d35b bc93 0100 3600
0000 3600 0000 f4ca e54b 866c 0011 320c
5185 0800 4500 0028 0000 4000 4006 7501
c0a8 02fe 25ab dc7d 138e 8e94 0000 0000
004c 2df5 5014 0000 199e 0000 6d2d d35b
2efe 0000 4e00 0000 4e00 0000 0011 320c
5185 f4ca e54b 866c 0800 4500 0040 f9ac
4000 7806 62a1 25ad bd16 c0a8 02fe 6784
138e 0247 ea6c 0000 0000 b002 3520 7bba
0000 0204 0514 0103 0300 0101 0402 0101
080a 0000 7796 0000 0000 6d2d d35b 87fe
0000 3600 0000 3600 0000 f4ca e54b 866c
0011 320c 5185 0800 4500 0028 0000 4000
4006 9466 c0a8 02fe 25ad bd16 138e 6784
0000 0000 0247 ea6d 5014 0000 a19f 0000
e92d d35b e5b8 0000 4e00 0000 4e00 0000
0011 320c 5185 f4ca e54b 866c 0800 4500
0040 f9ad 4000 7706 a4a3 25ab 7c15 c0a8
02fe 05dc 138e 0448 c37c 0000 0000 b002
3520 da4c 0000 0204 0514 0103 0300 0101
0402 0101 080a 0000 e09e 0000 0000 e92d
d35b 39b9 0000 3600 0000 3600 0000 f4ca
e54b 866c 0011 320c 5185 0800 4500 0028
0000 4000 4006 d569 c0a8 02fe 25ab 7c15
138e 05dc 0000 0000 0448 c37d 5014 0000
693a 0000 

(just put this in a text file, save as capture.pcap and open with Wireshark for instance)

Any help appreciated to make sense of this and understand where I'm failing to identify data according to the GT06 protocol :-)
Thomas
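
The following Python is an added example, not code from the thread, from Traccar or from the petGPS project. It turns the hex text above back into a libpcap file, walks the Ethernet, IPv4 and TCP headers of each record, reports the TCP flags and any payload, and checks whether a payload is framed as GT06 (start bytes 0x7878, terminator 0x0d0a). The only input is the dump quoted above; nothing else is assumed.

```python
"""Decode the pcap hex dump above and report what each TCP segment carries."""
import struct

# libpcap file, copied from the hex dump in the post above (six Ethernet frames).
CAPTURE_HEX = """
d4c3 b2a1 0200 0400 0000 0000 0000 0000 0000 0400 0100 0000 f22c d35b 7093 0100
4e00 0000 4e00 0000 0011 320c 5185 f4ca e54b 866c 0800 4500 0040 f9a2 4000 7706
4446 25ab dc7d c0a8 02fe 8e94 138e 004c 2df4 0000 0000 b002 3520 5bb5 0000 0204
0514 0103 0300 0101 0402 0101 080a 0000 0f9a 0000 0000 f22c d35b bc93 0100 3600
0000 3600 0000 f4ca e54b 866c 0011 320c 5185 0800 4500 0028 0000 4000 4006 7501
c0a8 02fe 25ab dc7d 138e 8e94 0000 0000 004c 2df5 5014 0000 199e 0000 6d2d d35b
2efe 0000 4e00 0000 4e00 0000 0011 320c 5185 f4ca e54b 866c 0800 4500 0040 f9ac
4000 7806 62a1 25ad bd16 c0a8 02fe 6784 138e 0247 ea6c 0000 0000 b002 3520 7bba
0000 0204 0514 0103 0300 0101 0402 0101 080a 0000 7796 0000 0000 6d2d d35b 87fe
0000 3600 0000 3600 0000 f4ca e54b 866c 0011 320c 5185 0800 4500 0028 0000 4000
4006 9466 c0a8 02fe 25ad bd16 138e 6784 0000 0000 0247 ea6d 5014 0000 a19f 0000
e92d d35b e5b8 0000 4e00 0000 4e00 0000 0011 320c 5185 f4ca e54b 866c 0800 4500
0040 f9ad 4000 7706 a4a3 25ab 7c15 c0a8 02fe 05dc 138e 0448 c37c 0000 0000 b002
3520 da4c 0000 0204 0514 0103 0300 0101 0402 0101 080a 0000 e09e 0000 0000 e92d
d35b 39b9 0000 3600 0000 3600 0000 f4ca e54b 866c 0011 320c 5185 0800 4500 0028
0000 4000 4006 d569 c0a8 02fe 25ab 7c15 138e 05dc 0000 0000 0448 c37d 5014 0000
693a 0000
"""

# TCP flag bits in byte 13 of the TCP header.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def pcap_records(data):
    """Yield (ts_sec, frame_bytes) for every record in a libpcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:        # bytes d4 c3 b2 a1 on disk: little-endian file
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) handled here")
    pos = 24                       # the global header is 24 bytes
    while pos + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, pos)
        pos += 16
        yield ts_sec, data[pos:pos + incl_len]
        pos += incl_len


def decode_tcp(frame):
    """Ethernet -> IPv4 -> TCP. Returns a dict, or None for non-TCP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:                                        # IP protocol must be TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack_from("!HHII", tcp, 0)
    data_off = (tcp[12] >> 4) * 4                         # header length incl. options
    flags = tcp[13]
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": "|".join(name for bit, name in TCP_FLAGS if flags & bit),
        "payload": tcp[data_off:],
    }


def tcp_segments(capture_hex=CAPTURE_HEX):
    """All TCP segments in the capture, in file order."""
    data = bytes.fromhex("".join(capture_hex.split()))
    segments = []
    for ts_sec, frame in pcap_records(data):
        seg = decode_tcp(frame)
        if seg is not None:
            seg["ts_sec"] = ts_sec
            segments.append(seg)
    return segments


def gt06_payloads(segments):
    """Payloads framed as GT06: start 0x7878, terminator 0x0d0a."""
    return [s["payload"] for s in segments
            if s["payload"][:2] == b"\x78\x78" and s["payload"][-2:] == b"\x0d\x0a"]


if __name__ == "__main__":
    segs = tcp_segments()
    for s in segs:
        print(f'{s["src"]}:{s["sport"]} -> {s["dst"]}:{s["dport"]} '
              f'{s["flags"]:8} payload={len(s["payload"])} bytes')
    print("GT06 frames found:", len(gt06_payloads(segs)))
```

Run over the dump quoted above, it lists six TCP segments: three SYNs from the tracker to port 5006 (0x138e) and, for each one, a RST|ACK back from 192.168.2.254, with no payload in either direction. There is therefore no GT06 frame in this capture to compare against the documentation: each connection attempt was refused before a login could be sent. Checking that the three-way handshake completes and that a segment with PSH|ACK and a non-empty payload exists is a useful first step before trying to match bytes to a protocol spec.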

Thomas O, 6 years ago

Hey again,
I'm bumping this thread because I've made progress in understanding what's happening with my device. So, in the Traccar logs, I have:

2018-11-02 16:43:49  INFO: [132e2dc1: 5023 < 37.169.190.207] HEX: 78780d010359339075016807420d0a
2018-11-02 16:43:49  INFO: [132e2dc1: 5023 > 37.169.190.207] HEX: 7878050101683ec30d0a
Which I interpret as:
1) Device sends 0x01 packet as: 7878 (start) 0d (length) 01 (type) 0359339075016807 (IMEI) 42 (Software Version or whatever) 0d0a (stop)
2) Server responds 0x01 packet as: 7878 (start) 05 (length) 01 (type / accepts login from device) 01683ec3 (????) 0d0a (stop)

However, I don't really make sense of that response: according to the docs I've come across, it should rather be: 7878 01 01 0d0a
Or am I getting something wrong?

It's all done [here](https://github.com/traccar/traccar/blob/b10824bb5769c4abb93e3451673b88efdfb9d467/src/org/traccar/protocol/Gt06ProtocolDecoder.java#L405) apparently but I don't understand what this "index" is that is passed to sendResponse, and I don't know how exactly that response is put together.

Thanks!
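
To make those four bytes concrete, here is an added Python example (not from the thread, from Traccar or from the petGPS project) that implements the GT06 frame layout as the protocol documents it: 78 78, a length byte, the protocol number, the content, a two-byte serial number, a two-byte CRC-ITU (CRC-16/X.25) computed over everything from the length byte through the serial, and 0d 0a. The length byte counts protocol number + content + serial + CRC. The example splits a TCP stream into frames, decodes a login, and builds the server acknowledgement; the two frames it runs on are the ones quoted from the log above.

```python
"""GT06 framing: split, parse, and acknowledge (added example, not from the thread)."""

START = b"\x78\x78"
STOP = b"\x0d\x0a"
MSG_LOGIN = 0x01


def crc16_x25(data):
    """CRC-16/X.25, the 'CRC-ITU' of the GT06 spec: reflected poly 0x8408,
    init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def split_frames(stream):
    """Split a byte stream into 0x7878 frames. Trust the declared length when it
    lands on a 0d0a terminator; otherwise scan for the next 0d0a."""
    frames, pos = [], 0
    while True:
        start = stream.find(START, pos)
        if start < 0 or start + 3 > len(stream):
            break
        declared_end = start + 2 + 1 + stream[start + 2] + 2   # start, len, body, stop
        if declared_end <= len(stream) and stream[declared_end - 2:declared_end] == STOP:
            end = declared_end
        else:
            stop = stream.find(STOP, start + 3)
            if stop < 0:
                break
            end = stop + 2
        frames.append(stream[start:end])
        pos = end
    return frames


def parse_frame(frame):
    """Decode one frame: 78 78 | len | proto | content | serial(2) | crc(2) | 0d 0a.
    Serial and CRC are taken from the four bytes before the terminator, so they
    are available even when the length byte disagrees with the bytes present."""
    length, protocol = frame[2], frame[3]
    info = {
        "protocol": protocol,
        "declared_length": length,
        "length_ok": length == len(frame) - 5,          # 2 start + 1 len + 2 stop
        "content": frame[4:-6],
        "serial": int.from_bytes(frame[-6:-4], "big"),
        "crc": int.from_bytes(frame[-4:-2], "big"),
        "crc_ok": int.from_bytes(frame[-4:-2], "big") == crc16_x25(frame[2:-4]),
    }
    # A device login carries an 8-byte packed IMEI (15 digits plus a leading 0
    # pad nibble); the server's acknowledgement of the same type carries none.
    if protocol == MSG_LOGIN and len(frame) >= 14:
        info["imei"] = frame[4:12].hex()[1:]
    return info


def build_response(protocol, serial):
    """Server acknowledgement: no content, the device's serial echoed back.
    Length byte = 1 (protocol) + 2 (serial) + 2 (crc) = 5."""
    body = bytes([5, protocol]) + serial.to_bytes(2, "big")
    return START + body + crc16_x25(body).to_bytes(2, "big") + STOP


def handle_login(frame):
    """Acknowledge a login frame, or refuse anything that is not one."""
    parsed = parse_frame(frame)
    if parsed["protocol"] != MSG_LOGIN:
        raise ValueError("not a login frame")
    return build_response(MSG_LOGIN, parsed["serial"])


# The two frames quoted from the Traccar log above.
DEVICE_LOGIN = bytes.fromhex("78780d010359339075016807420d0a")
SERVER_ACK = bytes.fromhex("7878050101683ec30d0a")

if __name__ == "__main__":
    for f in split_frames(DEVICE_LOGIN + SERVER_ACK):
        print(parse_frame(f))
    print(handle_login(DEVICE_LOGIN).hex())
```

On these two frames the parser reports the login with IMEI 359339075016807 and a declared length (0x0d, 13) that does not match the ten bytes actually present between the length byte and the terminator, so the splitter falls back to the 0d0a terminator for that frame; the serial read from the two bytes before the CRC position is 0x0168. build_response(0x01, 0x0168) reproduces 7878050101683ec30d0a byte for byte, so the bytes marked ???? are the serial number 0168 followed by the CRC 3ec3, and the length is 05 because the acknowledgement has no content (1 + 2 + 2). A bare 7878 01 01 0d0a carries neither serial nor CRC, which the standard layout requires. The terminator scan is only a fallback: 0d 0a can legitimately occur inside content, so a receiver should trust a consistent length byte first and treat a mismatch as a reason to log the frame, not to guess silently.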

Pari Hasani, 5 years ago

Hi Thomas,
I have the same problem, did you find a solution?

Thomas O, 5 years ago

Hi Pari,

Yes and no. I did manage to get the packet exchange working to some extent, but I still get fairly inaccurate locations and some (0, 0) lat and long values. I believe they get triggered by some incorrect packets being sent sometimes, because they never appear on the (poorly designed) Chinese UI that this GPS is pre-programmed to send data to.
A lot of the development I did is available on my GitHub: https://github.com/tobadia/petGPS