Reverse Engineering Bluetooth Communication
This page gives some ideas and hints on how to decode the Bluetooth protocol used by a gadget.
Useful tools
- BLE Explorer
- BLE Monitor
- nRF Toolbox (on Play Store)
- nRF Connect
- Wireshark Network protocol analyzer
Part 1: Collecting Basic Information
By using a BLE scanner (listed above), basic information like the BT MAC address of the gadget, its supported GATT services and the ATT layer communication (characteristics, handles, which of them are writable or notify) can already be collected. Note the MAC address; it is needed later to filter the capture.
Part 2: Sniff Original Data Packets
The simplest approach to "decode" the protocol is to sniff the packets sent by the original vendor app. Android comes with a function to log all incoming and outgoing BT packets on the HCI level (the "Bluetooth HCI snoop log").
The logging process (on Android 10) requires the following steps:
- Enable developer options on your device
- Enable adb on your device
- Enable "Bluetooth HCI snoop log" in the developer options
- Toggle Bluetooth off and on for the logging to take effect
- Use the original vendor app to connect to your device and fire some commands
- Dump the BT log by
  adb shell dumpsys bluetooth_manager
- Copy the bugreport including the BT log to the PC by
  adb bugreport
  or pull the log directly by
  adb pull /data/misc/bluetooth/logs/btsnoop_hci.log
  Paths can vary depending on device / Android version. adb needs to run as root (adb root) to access /data.
- If you chose the bugreport way, find the log in the .zip package
Part 3: Analyze Logs, generic approach
Now that we have the log we can feed it to Wireshark.
- Open the btsnoop_hci.log you just pulled with Wireshark
- Things can be made clearer by making use of Wireshark's great filtering capabilities. For example it may be good to only look at packets from smartphone to gadget at first. This can easily be achieved by adding the filter
  bluetooth.dst == 78:02:xx:xx:xx:xx
  with the MAC address of your gadget (which you found earlier with nRF Connect).
- Now you need a starting point. If you can link one easy command to its packet you are nearly done. You could use the "find my device" command of the original vendor app that lets your gadget vibrate. By firing this command often enough you will see an abnormality in the packet log: many similar packets in a row.
- Once you have found a simple command and its associated packet you can use it as a "marker". Make use of Wireshark's packet colorization function and set up a coloring rule for this marker packet, e.g.
  btatt contains ab:00:00:00:01:02:07:01
- Fire a couple of marker commands, then the command you want to know the packet for, and afterwards some marker commands again. By varying the number of markers you can easily tell the different unknown commands apart.
Once you have found the first functions and their associated command bytes, it makes sense to check the existing Gadgetbridge sources. It is quite likely that someone already uses this protocol (or at least a similar version of it), which can make things a lot easier.
Part 4: Following the data
- In Wireshark, set the filter
  btatt
  to only see the ATT data flow and not all the other stuff (connection setup, GATT discovery, HCI events)
- Find the place where the phone did some action to set something on the device (or the other way round)
- Look at the
  value
  in the Bluetooth Attribute Protocol tree:
  Bluetooth Attribute Protocol
      Opcode: Write Command (0x52)
      Handle: 0x0038 (Anhui Huami Information Technology Co., Ltd.: Unknown)
      Value: 06140001
- This gives you the characteristic (by its handle) and the data value written to it.
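The marker technique from Part 3 and the handle/value extraction from Part 4 can be scripted instead of clicked through in Wireshark. The following is an added example, not code from this page or from Gadgetbridge: a minimal reader for the btsnoop_hci.log format that pulls out ATT Write Commands, Write Requests and Handle Value Notifications, prints them in the same "Opcode / Handle / Value" form Wireshark shows, and groups the unknown writes that sit between bursts of a known marker packet. It assumes the log uses btsnoop datalink type 1002 (HCI UART / H4 framing), which is what Android writes, and it ignores fragmented ACL packets. The sample log is constructed in-line from the values quoted above (handle 0x0038, value 06140001, marker ab:00:00:00:01:02:07:01); it is not a real capture, and the second unknown value 06130002 and the notification are made up for illustration.

```python
"""Extract ATT writes/notifications from an Android btsnoop_hci.log.
Added example for the Gadgetbridge BT reverse engineering page; not
Gadgetbridge code. Assumes datalink 1002 (H4) and unfragmented ACL packets."""
import struct
from dataclasses import dataclass

BTSNOOP_MAGIC = b"btsnoop\x00"
BTSNOOP_DATALINK_H4 = 1002
H4_ACL_DATA = 0x02          # H4 packet indicator for ACL data
L2CAP_CID_ATT = 0x0004      # fixed L2CAP channel used by ATT
ATT_OPCODES = {0x12: "Write Request", 0x1B: "Handle Value Notification",
               0x1D: "Handle Value Indication", 0x52: "Write Command"}


@dataclass
class AttPdu:
    index: int        # record number, 1-based like Wireshark's "No." column
    direction: str    # "sent" = phone -> gadget, "rcvd" = gadget -> phone
    opcode: int
    handle: int
    value: bytes


def iter_records(blob):
    """Yield (index, flags, payload) for every record of a btsnoop file."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1 or datalink != BTSNOOP_DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version/datalink {version}/{datalink}")
    off, idx = 16, 0
    while off + 24 <= len(blob):
        # record header: orig len, included len, flags, cumulative drops, timestamp
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        idx += 1
        yield idx, flags, blob[off:off + incl]
        off += incl


def parse_att(blob):
    """Return the ATT write/notify PDUs found in the snoop log, in capture order."""
    pdus = []
    for idx, flags, pkt in iter_records(blob):
        # H4: 1 indicator byte, ACL: handle/flags + length, L2CAP: length + CID, ATT: opcode + handle
        if len(pkt) < 12 or pkt[0] != H4_ACL_DATA:
            continue
        acl_hdr, _acl_len, l2cap_len, cid = struct.unpack("<HHHH", pkt[1:9])
        if (acl_hdr >> 12) & 0x3 == 0x1:      # PB flag 01 = continuation fragment, skip
            continue
        opcode = pkt[9]
        if cid != L2CAP_CID_ATT or opcode not in ATT_OPCODES:
            continue
        handle = struct.unpack("<H", pkt[10:12])[0]
        value = pkt[12:9 + l2cap_len]         # ATT PDU starts at pkt[9], l2cap_len bytes long
        direction = "rcvd" if flags & 0x1 else "sent"   # btsnoop flag bit 0: 0 = sent, 1 = received
        pdus.append(AttPdu(idx, direction, opcode, handle, value))
    return pdus


def describe(p):
    """One-line rendering in the style of Wireshark's Bluetooth Attribute Protocol tree."""
    return f"{ATT_OPCODES[p.opcode]} (0x{p.opcode:02X}) Handle: 0x{p.handle:04x} Value: {p.value.hex()}"


def between_markers(pdus, marker, direction="sent"):
    """Group the unknown writes that sit between bursts of the known marker value.
    Returns [(number of markers fired before the group, [(handle, value), ...]), ...]."""
    groups, markers, unknown = [], 0, []
    for p in (q for q in pdus if q.direction == direction):
        if p.value == marker:
            if unknown:
                groups.append((markers, unknown))
                markers, unknown = 0, []
            markers += 1
        elif markers:                          # only collect after the first marker burst
            unknown.append((p.handle, p.value))
    return groups


# ---- constructed sample log (not a real capture) ---------------------------
def _att_write_cmd(handle, value):
    return bytes([0x52]) + struct.pack("<H", handle) + value

def _att_notify(handle, value):
    return bytes([0x1B]) + struct.pack("<H", handle) + value

def _record(sent, att_pdu, conn_handle=0x0040):
    l2cap = struct.pack("<HH", len(att_pdu), L2CAP_CID_ATT) + att_pdu
    acl = bytes([H4_ACL_DATA]) + struct.pack("<HH", conn_handle | (0b10 << 12), len(l2cap)) + l2cap
    return struct.pack(">IIIIq", len(acl), len(acl), 0 if sent else 1, 0, 0) + acl

MARKER = bytes.fromhex("ab00000001020701")    # "find my device" packet value quoted on the page
SAMPLE_LOG = (BTSNOOP_MAGIC + struct.pack(">II", 1, BTSNOOP_DATALINK_H4)
    + _record(True, _att_write_cmd(0x0038, MARKER)) * 2                     # 2 markers
    + _record(True, _att_write_cmd(0x0038, bytes.fromhex("06140001")))      # unknown command A
    + _record(False, _att_notify(0x0036, b"\x10\x01"))                      # reply from the gadget
    + _record(True, _att_write_cmd(0x0038, MARKER)) * 3                     # 3 markers
    + _record(True, _att_write_cmd(0x0038, bytes.fromhex("06130002")))      # unknown command B
    + _record(True, _att_write_cmd(0x0038, MARKER)))

if __name__ == "__main__":
    found = parse_att(SAMPLE_LOG)
    for p in found:
        print(f"{p.index:4d} {p.direction} {describe(p)}")
    for n_markers, values in between_markers(found, MARKER):
        print(f"after {n_markers} markers:", [(hex(h), v.hex()) for h, v in values])
```

Run it against a real pull with `parse_att(open("btsnoop_hci.log", "rb").read())`; the marker value and the handle (0x0038 here) come from your own capture, and the grouping only works for the phone-to-gadget direction because that is where the markers are fired.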
Part 5: Isolate parts of the captured data
In order to analyze a capture it is useful to isolate a specific portion of the snoop log. Here is one way to do this. Basic capturing and exporting knowledge as described above is presumed.
- Start the app in question, connect it to your band, go to the screen where you want to perform the action of interest, and wait for all syncing to finish.
- Capture the btsnoop log, open it in Wireshark, go to the last line and note the packet number.
- In the app, now perform the action of interest. Do only the minimal actions needed, no screen switching etc.
- Capture the btsnoop log again and open it in Wireshark. Go to the packet number noted in step 2 and select all lines from there down (Shift + arrow down). (You may want to apply the
  btatt
  filter first, to only list the relevant lines.)
- Export only these lines via Wireshark:
  Export specific packets → choose Export as Symbian OS btsnoop, Selected packets only
This gives you only the performed action as a btsnoop file. Note that the MAC addresses in the exported file are reset to 00:00, which is not a bad thing if you want to share it.