How to work in reverse - emulate the controllers instead of connecting to them?

[EricLauber]

I have an app I'm working on where the goal isn't to integrate with the Zwift Play controllers - instead I want to make video game controllers available to Zwift. You have a .NET c# example here of an application replicating what Zwift does to handshake and communicate with Zwift Play controllers... can we virtually replicate what the Zwift Play controllers themselves do and connect that to Zwift instead?

I have been reading through this repo, working to better understand cagnulein's QZ, and reading Makinolo's posts. I think I'm at the very beginning of starting to understand this... but barely. I could really use some help.

GPLama has a video showing the Wahoo KICKR Bike can "Direct Connect" its handlebar controller over ethernet to Zwift. Between the KICKR Bike being a controller over ethernet and QZ demonstrating that it's possible to emulate Wahoo's "Direct Connect" ethernet technology, I think we're seeing it's technically feasible to virtually implement either a Zwift Play controller or a KICKR Bike controller.

Instead of BLE Advertising I believe QZ and Zwift use mDNS to multicast their presence on the network, which enables the other host to answer the query and begin the conversation. I just got a JetBlack Victory with Wi-Fi capabilities, so I should be able to test and Wireshark-capture this with real hardware. As far as I can tell, the data packets are the same, it's just sent over Wi-Fi.

Furthermore it makes me wonder if Zwift cares if the device is Bluetooth or Wi-Fi... if Zwift is expecting specific devices over the network then this would require spoofing Wahoo KICKR, but if any compatible device is okay to "appear" over Ethernet then we could present as Zwift Play or even Zwift Ride.

Do you think you could take a stab at a .NET or C# sample that behaves like a Zwift Play controller? I don't understand this well enough to know how easy or difficult that might be.

[EricLauber]

After doing some experimenting and reviewing this source, QZ, and monitoring network traffic, I got this basic test to appear like a Wahoo KICKR over the network, in c#. Not a controller (yet) but progress in .NET.

Zwift queries for both _zap._tcp.local and _wahoo-fitness-tnp._tcp.local. I wonder if responding to zap and providing the appropriate UUIDs would at least show up on the device pairing screen.

Also of note, I now have a JetBlack Victory and it's actually answering as Victory._wahoo-fitness-tnp._tcp.local...

using Makaretu.Dns;
using System.Net;

namespace ZwiftTest
{
    public class UnitTest1
    {
        private MulticastService? _mdnsService;
        private IPAddress? _zwiftIPAddress;
        private int? _zwiftPort;

        [Fact]
        public void Test1()
        {
            RunWahooKICKRmDNS();


            Thread.Sleep(3000);
            System.Diagnostics.Debug.WriteLine($"Zwift IP Address: {_zwiftIPAddress}");
            System.Diagnostics.Debug.WriteLine($"Zwift Port: {_zwiftPort}");

            _mdnsService?.Stop();
            Assert.True(true);
        }

        private void RunWahooKICKRmDNS()
        {
            _mdnsService = new MulticastService();

            // Setup Event handlers for when the service is running.
            _mdnsService.QueryReceived += (s, e) =>
            {
                System.Diagnostics.Debug.WriteLine($"Query Received from Endpoint: {e.RemoteEndPoint.Address}");
                var names = e.Message.Questions
                    .Select(q => q.Name + " " + q.Type);

                System.Diagnostics.Debug.WriteLine("Queries received:");
                foreach (var name in names)
                    System.Diagnostics.Debug.WriteLine(name);


                foreach (var question in e.Message.Questions)
                {
                    if ((question.Name == "_wahoo-fitness-tnp._tcp.local") && (question.Type == DnsType.PTR))
                    {
                        System.Diagnostics.Debug.WriteLine($"Received query from {e.RemoteEndPoint.Address}");
                        _zwiftIPAddress = e.RemoteEndPoint.Address;
                        _zwiftPort = e.RemoteEndPoint.Port;

                        var response = new Message();
                        response.Answers.Add(new PTRRecord
                        {
                            Name = "_wahoo-fitness-tnp._tcp.local",
                            DomainName = "Wahoo KICKR 0000._wahoo-fitness-tnp._tcp.local", 
                            Class = DnsClass.IN, 
                            Type = DnsType.PTR,
                            TTL = TimeSpan.FromSeconds(3600)
                        });

                        response.Answers.Add(new SRVRecord
                        {
                            Name = "Wahoo KICKR 0000._wahoo-fitness-tnp._tcp.",
                            Target = "Wahoo KICKR 0000H.local.",
                            Port = 36866,
                            Priority = 0,
                            Weight = 0,
                            TTL = TimeSpan.FromSeconds(3600),
                        });

                        response.Answers.Add(new ARecord
                        {
                            Name = "Wahoo KICKR 0000H.local",
                            Address = e.RemoteEndPoint.Address,
                            Class = DnsClass.IN,
                            TTL = TimeSpan.FromSeconds(3600),
                        });

                        response.Answers.Add(new TXTRecord
                        {
                            Name = "Wahoo KICKR 0000._wahoo-fitness-tnp._tcp.local",
                            Type = DnsType.TXT,
                            Class = DnsClass.IN,
                            Strings = new List<string>
                            {
                                "ble-service-uuids=00001826-0000-1000-8000-00805F9B34FB,00001818-0000-1000-8000-00805F9B34FB,00001816-0000-1000-8000-00805F9B34FB",
                                "mac-address=A8:A1:59:EB:A0:41",
                                "serial-number=0"
                            },
                            TTL = TimeSpan.FromSeconds(3600)
                        });

                        _mdnsService.SendAnswer(response);
                        System.Diagnostics.Debug.WriteLine($"Responded to query from {e.RemoteEndPoint.Address}");
                    }
                }
            };
            _mdnsService.AnswerReceived += (s, e) =>
            {
                System.Diagnostics.Debug.WriteLine($"Answer Received from Endpoint: {e.RemoteEndPoint.Address}");
                var names = e.Message.Answers
                    .Select(q => q.Name + " " + q.Type)
                    .Distinct();

                System.Diagnostics.Debug.WriteLine("Answers received:");
                foreach (var name in names)
                    System.Diagnostics.Debug.WriteLine(name);
            };

            var serviceDiscovery = new ServiceDiscovery(_mdnsService);
            _mdnsService.Start();

            var wahooServiceProfile = new ServiceProfile("Wahoo KICKR 0000", "_wahoo-fitness-tnp._tcp.local", 36866);

            // Make sure this service is unique / doesn't already exist on the netowrk
            if (!serviceDiscovery.Probe(wahooServiceProfile))
            {
                serviceDiscovery.Advertise(wahooServiceProfile);
                serviceDiscovery.Announce(wahooServiceProfile);
            }
        }
    }
}

[ajchellew]

I don't really have anything to add here, other than to say my original intention was to emulate the controllers. I quickly hit a dead end, not with the ZAP part of the the Bluetooth protocol, but the standard device profile services that couldn't replace the existing ones the phone itself broadcast. (or indeed the one on the Pi I tried)

Its really interesting to apply all this over ethernet though.

[EricLauber]

Could you walk through the order or steps of what you were trying to do on mobile (I assume Android) or the Pi?

There's a lot more flexibility with mDNS and TCP traffic. I'm also hoping to find someone with a KICKR Bike because that is a known quantity that has passed Controls to Zwift through the network. It's possible that Zwift doesn't care if a device is available over Bluetooth or the network - it's also possible they only expect certain devices over the network and that an unexpected one would be ignored.

[cagnulein]

guys check this cagnulein/qdomyos-zwift#2961 (comment)
i did almost all the job already
i don't have time for explanations unfortunately, but the code is there :)

[EricLauber]

Nice! I just got a Victory and have been starting to work on it as well.

I have been spending time reading through your QZ source @cagnulein, that's part of how I was able to get C# I wrote above to work. I hadn't seen this branch, though.

Are you getting an emulated Zwift Play controller to appear through DirCon? This is from one of the earlier commits in that PR, it's not the final format.

if(u >= 1 && u <= 4) {
            this->uuid_bytes_zwift_play[DPKT_POS_SH8] = (quint8)(u >> 8);
            this->uuid_bytes_zwift_play[DPKT_POS_SH0] = (quint8)(u);
            byteout.append((char *)this->uuid_bytes_zwift_play, 16);
        } else {
            this->uuid_bytes[DPKT_POS_SH8] = (quint8)(u >> 8);
            this->uuid_bytes[DPKT_POS_SH0] = (quint8)(u);
            byteout.append((char *)this->uuid_bytes, 16);
        }

[cagnulein]

yes i'm able to emulate the custom 00001 characteristics from zwift with that code.