Reverse Engineering Bluetooth Communication

This should give some ideas and hints how to decode the bluetooth protocol used by a gadget.

TODO

Improve wrinting/information. Some pictures would be really nice to illustrate the procedure.

Helpful Tools

• BLE Explorer
• BLE Monitor
• nRF Toolbox (on Play Store)
• nRF Connect
• Wireshark Network protocol analyzer

Helpful articles

• https://www.instructables.com/Reading-Values-From-a-BLE-Device-Using-CSR1010-and/
• https://medium.com/@arunmag/my-journey-towards-reverse-engineering-a-smart-band-bluetooth-le-re-d1dea00e4de2
• https://reverse-engineering-ble-devices.readthedocs.io/en/latest/index.html

Part 1: Collecting Basic Information

By using a BLE scanner (listed above), basic information like BT MAC address, supported GATT services and ATT layer communication can already be collected.

Part 2: Sniff Original Data Packets

The most simple approach to "decode" the protocol would be sniffing packets sent by the original app. Android comes with a function to log all incoming and outgoing BT packets.

The logging process (on Android 10) requires the following steps:

1. Enable developer options on your device
2. Enable adb on your device
3. Enable Bluetooth HCI snoop log
4. Toggle Bluetooth for logging to take effect
5. Use original vendor app to connect to you your device, fire some commands
6. Dump BT log by adb shell dumpsys bluetooth_manager
7. Copy bugreport including BT log to PC adb bugreport or by adb pull data/misc/bluetooth/logs/btsnoop_hci.log Paths can vary depending on device / android version
8. Find the log in the .zip package if you choose the bugreport way

Part 3: Analyze Logs, generic approach

Now that we have the log we can feed wireshark.

1. Open the btsnoop_hci.log you just pulled with wireshark
2. Things can be made more clear by making use of Wireshark's great filtering capabilities. For example it may be good to only check packets from smartphone to gadget at first. This can be easily achieved by adding a filter bluetooth.dst == 78:02:xx:xx:xx:xx with the MAC address of your gadget (which you've found earlier by using nRF).
3. Now you need a starting point. If you can link one easy command with it's packet you're nearly done. You could probably use the "find-my-device" command of the original vendor that lets your gadget vibrate. By firing this command often enough you may see an abnormality in the packet log with many similar packets.
4. Once found a simple command and its associated packet you can use it as "marker". Make use of the packet colorization function and set up a rule for this marker packet. (e.g. btatt contains ab:00:00:00:01:02:07:01).
5. Fire a couple marker commands, then a command you want to know the packet for and afterwards some marker commands again. By varying the amount of markers you can easily differentiate between the different unknown commands.

Once you found the first functions and its associated command bytes it makes to check the existing Gadgetbridge sources. It's really likely someone already uses this protocol (Or at least a similar version). That can make things a lot easier.

Part 4: Following the data

1. In Wireshark, set a filter to btatt, to only see the data flow and not all other stuff
2. Find the place, where the phone did some action, to set something on the device (or the other way)
3. Look at the handle and value in the Bluetooth Attribute Protocol tree:

Bluetooth Attribute Protocol
    Opcode: Write Command (0x52)
    Handle: 0x0038 (Anhui Huami Information Technology Co., Ltd.: Unknown)
    Value: 06140001

4. This gives you the characteristics and the data value.

Part 5: Isolate parts of the captured data

In order to analyze data capture it is useful to isolate specific portion of the snoop. Here is one of the ways to do this. Basic capturing and exporting knowledge as describe above is presumed.

1. Start the app in question, connect it to your band, go to the screen where you will want to perform the action of interest, wait for all syncing to happen.
2. Capture the bt_snoop, open it in wireshark, go to last line and note the line number.
3. In the app, now perform the action of your interest, do only minimal actions, no screen switching etc.
4. Capture the bt_snoop, open it in wireshark. Go to line number as noted in step #2. Select all lines from here down (Shift + arrow down). (You might like to first apply the btatt filter, to only list relevant lines).
5. Export only these lines via wireshark menu → Export specific packets → Choose Export as Symbian OS btsnoop, Selected packets only

This now gives you only the performed action captured as bt_snoop. It seems, that MAC addresses are now reset to 00:00. This is not a bad thing in order to be able to share it.