BT Protocol Reverse Engineering
This page should give some ideas and hints on how to decode the Bluetooth protocol used by a gadget.

Improve writing/information. Some pictures would be really nice to illustrate the procedure.
By using a BLE scanner app (such as nRF, referred to below), basic information like the BT MAC address, the supported GATT services and the ATT layer communication can already be collected.
The simplest approach to "decode" the protocol is sniffing the packets sent by the original app. Android comes with a function to log all incoming and outgoing BT packets.

The logging process (on Android 10) requires the following steps:

adb shell dumpsys bluetooth_manager
adb bugreport
or adb pull data/misc/bluetooth/logs/btsnoop_hci.log

Paths can vary depending on the device / Android version.

Now that we have the log we can feed it to Wireshark.
Apply the display filter

bluetooth.dst == 78:02:xx:xx:xx:xx

with the MAC address of your gadget (which you found earlier by using nRF) to see only the packets sent to the gadget. To find the packets that carry a specific payload, a filter such as

btatt contains ab:00:00:00:01:02:07:01

matches only ATT packets whose bytes contain the given sequence.

Once you have found the first functions and their associated command bytes, it makes sense to check the existing Gadgetbridge sources. It is quite likely that someone already uses this protocol (or at least a similar version), which can make things a lot easier.
Use the filter

btatt

to only see the data flow and not all the other stuff, then look at handle and value in the Bluetooth Attribute Protocol tree:

Bluetooth Attribute Protocol
    Opcode: Write Command (0x52)
    Handle: 0x0038 (Anhui Huami Information Technology Co., Ltd.: Unknown)
    Value: 06140001
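The unwrapping Wireshark does here (H4 → ACL → L2CAP → ATT) can be reproduced in a few lines, which is handy when you want to grep many captures for a handle or value outside the GUI. The following Python script is an added example written for this page, not Gadgetbridge code: it parses a btsnoop_hci.log in Android's format (version 1, datalink 1002, HCI H4 framing), lists every ATT PDU with direction, handle and value, and provides a contains() helper that mirrors the btatt contains filter used earlier. ACL fragment reassembly is left out. The capture it builds when run without a file argument is constructed, holding the Write Command shown above plus a made-up notification; the function names and the 0x0040 connection handle are the example's own assumptions.

```python
"""List the ATT PDUs (opcode, handle, value) found in an Android btsnoop_hci.log.
Constructed example for this page, not Gadgetbridge code. Assumes the Android btsnoop
format (version 1, datalink 1002 = HCI H4 framing); ACL fragments are not reassembled.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002       # HCI UART (H4): every packet starts with a type byte
H4_ACL_DATA = 0x02
L2CAP_CID_ATT = 0x0004   # fixed L2CAP channel carrying the Attribute Protocol
ATT_NAMES = {0x0A: "Read Request", 0x0B: "Read Response", 0x12: "Write Request",
             0x52: "Write Command", 0x1B: "Handle Value Notification"}
HANDLE_OPCODES = {0x0A, 0x12, 0x52, 0x1B, 0x1D}   # payload starts with a 16-bit handle


@dataclass
class AttPdu:
    direction: str        # "sent" (phone -> gadget) or "received" (gadget -> phone)
    timestamp: int        # raw btsnoop timestamp (microseconds)
    opcode: int
    handle: Optional[int]
    value: bytes
    raw: bytes            # whole ATT PDU, what `btatt contains ...` matches against

    def describe(self) -> str:
        h = f"0x{self.handle:04x}" if self.handle is not None else "-"
        return (f"{self.direction:8} {ATT_NAMES.get(self.opcode, 'Unknown')} "
                f"(0x{self.opcode:02x}) handle={h} value={self.value.hex()}")


def iter_btsnoop_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (flags, timestamp, packet) per record; flags bit 0 set = received."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version/datalink {version}/{datalink}")
    off = 16
    while off + 24 <= len(data):   # header: orig len, incl len, flags, drops, timestamp
        _orig, incl_len, flags, _drops, ts = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:
            break                  # truncated capture: stop rather than mis-parse the tail
        off += incl_len
        yield flags, ts, pkt


def att_from_h4(pkt: bytes) -> Optional[Tuple[int, Optional[int], bytes, bytes]]:
    """Unwrap H4 -> ACL -> L2CAP -> ATT; return (opcode, handle, value, raw) or None."""
    if len(pkt) < 5 or pkt[0] != H4_ACL_DATA:
        return None                # HCI commands and events carry no ATT data
    acl_hdr, acl_len = struct.unpack("<HH", pkt[1:5])
    if (acl_hdr >> 12) & 0x3 == 0x1:
        return None                # continuation fragment; reassembly out of scope
    l2 = pkt[5:5 + acl_len]
    if len(l2) < 4:
        return None
    l2_len, cid = struct.unpack("<HH", l2[:4])
    att = l2[4:4 + l2_len]
    if cid != L2CAP_CID_ATT or not att:
        return None
    if att[0] in HANDLE_OPCODES and len(att) >= 3:
        return att[0], struct.unpack("<H", att[1:3])[0], att[3:], att
    return att[0], None, att[1:], att


def extract_att_pdus(data: bytes) -> List[AttPdu]:
    pdus = []
    for flags, ts, pkt in iter_btsnoop_records(data):
        parsed = att_from_h4(pkt)
        if parsed is not None:
            pdus.append(AttPdu("received" if flags & 0x1 else "sent", ts, *parsed))
    return pdus


def contains(pdus: List[AttPdu], needle: bytes) -> List[AttPdu]:
    """Same idea as the Wireshark display filter `btatt contains xx:yy:...`."""
    return [p for p in pdus if needle in p.raw]


def _record(flags: int, ts: int, pkt: bytes) -> bytes:
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, ts) + pkt


def _acl_att(att: bytes, conn_handle: int = 0x0040) -> bytes:
    l2 = struct.pack("<HH", len(att), L2CAP_CID_ATT) + att
    acl_hdr = (0x2 << 12) | conn_handle      # PB flag 0b10 = first fragment (assumed handle)
    return bytes([H4_ACL_DATA]) + struct.pack("<HH", acl_hdr, len(l2)) + l2


def build_sample_log() -> bytes:
    """Constructed capture: an HCI command (skipped), the page's Write Command to handle
    0x0038 with value 06140001, and a made-up notification coming back on that handle."""
    hci_cmd = bytes([0x01, 0x0C, 0x20, 0x02, 0x01, 0x00])
    write_cmd = _acl_att(bytes([0x52, 0x38, 0x00, 0x06, 0x14, 0x00, 0x01]))
    notify = _acl_att(bytes([0x1B, 0x38, 0x00, 0xAA, 0xBB]))
    return (BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
            + _record(0x2, 1000, hci_cmd) + _record(0x0, 2000, write_cmd) + _record(0x1, 3000, notify))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_log()
    for pdu in extract_att_pdus(data):
        print(pdu.describe())
```

Run it with the path of a pulled btsnoop_hci.log as the only argument to list the ATT traffic; without an argument it parses the built-in sample. Because the direction comes from the btsnoop record flags rather than from MAC addresses, the script still tells phone-to-gadget writes from gadget-to-phone notifications in an exported capture whose addresses have been reset to 00:00.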
In order to analyze a data capture it is useful to isolate a specific portion of the snoop. Here is one way to do this; basic capturing and exporting knowledge as described above is presumed. Select the packets belonging to the performed action (use the btatt filter to only list relevant lines), then open the menu → Export specific packets → choose Export as Symbian OS btsnoop, Selected packets only.

This now gives you only the performed action captured as bt_snoop. It seems that the MAC addresses are reset to 00:00 in the export, which is not a bad thing if you want to be able to share it.