Teardown: BilBot Bluetooth Robot

Historically, the subject of our January teardown has been a piece of high-tech holiday lighting from the clearance rack; after all, they can usually be picked up for pocket change once the trucks full of Valentine’s Day merchandise start pulling up around the back of your local Big Box retailer. But this year, we’ve got something a little different.

Today we’re looking at the BilBot Bluetooth robot, which over the holidays was being sold at Five Below for (you guessed it) just $5 USD. These were clearly something the company hoped to sell a lot of, with stacks of the little two-wheeled bots in your choice of white and yellow livery right by the front door. With wireless control from your iOS or Android device, and intriguing features like voice command, I’d be willing to bet they managed to move quite a few of these at such a low price.

For folks like us, it can be hard to wrap our minds around a product like this. It must have a Bluetooth radio, some kind of motor controller, and of course the motors and gears themselves. Yet they can sell it for the price of a budget hamburger and still turn a profit. If you wanted to pick up barebones robotics platform, with just a couple gear motors and some wheels, it would cost more than that. The economies of scale are a hell of a thing.

Which made me wonder, could hackers take advantage of this ultra-cheap robot for our own purposes? It’s pretty much a given that the software for this robot will be terrible, and that whatever control electronics live inside it will be marginal at best. But what if we write those off and just look at the BilBot as a two-wheeled platform to carry our own electronics? It’s certainly worth $5 to find out.

Getting Geared Up

So what do you get for your hard earned five spot? Upon cracking open the BilBot’s case, we see the gearbox down at the bottom, a small PCB up in the “head”, and…not a whole lot else. Of course, this shouldn’t come as much surprise. To get the cost down this far, the hardware needs to be as minimal as possible.

That said, the gearbox isn’t half bad. It’s got plastic gears of course, and with brushed motors and no encoders you won’t get any positioning feedback, but you could say the same about plenty of low-cost robotic platforms that are out there. You won’t be taking it off-road, but this setup will have no problem scooting around your workbench. Though I would suggest adding some grip to the wheels; which could be as easy as finding properly sized rubber bands to fit around them.

The BilBot’s Brain

Removing the two screws holding in the single PCB, we can get a good look at the electronics in their entirety. Originally I’d hoped to find a relatively standard Bluetooth module inside the BilBot, as we’ve seen in previous teardowns. But the Bluetooth chip used in the BilBot, a JL E90005-9BO, seems to be something of a mystery. I haven’t been able to find any mention of it in the usual places, and would be interested to hear if anyone in the audience has ever run across one in the past.

Luckily the other chip on the board, an MX1508L, is another story entirely. This is a fairly common dual H bridge DC motor driver for which the datasheet is readily available. This chip could easily be connected to your microcontroller of choice, and there’s plenty of sample code floating around online that shows how to interface with it.

One would simply need to cut the traces between the MX1508L and the Bluetooth chip, and then wire it up to their own MCU to take control of the BilBot hardware. Slapping an ESP8266 into this bot and converting it to WiFi control would be absolutely trival, and with all that empty space inside its cute little body, there’s plenty of room to add in new sensors, batteries, or whatever else you could come up with.

It’s also worth noting that the BilBot is one of the very few products I’ve seen in the FCC ID database that actually has its circuit schematics available for download. Not that it’s a particularly complex PCB, of course, but there’s no such thing as having too much information when trying to reverse engineer a gadget.

Speaking the BilBot’s Language

Obviously hardware hacking is what we’re all about here, but for the sake of argument, let’s say you wanted to take a more nuanced approach with the BilBot. As the little fellow is designed to be controlled remotely over Bluetooth, it would seem reasonable enough that we could capitalize on that feature and take command of the bot without having to crack open the case at all.

I should start by saying that I refused to actually install the BilBot’s software on any of my devices, and I would advise anyone else who might be experimenting with this bot to do the same. The application cannot be found in the Google Play Store, and instead you are expected to scan a QR code in the manual which points you to an IP address in Hangzhou where the APK can be downloaded for sideloading. Yeah, no thanks.

That said, I did download the 30 MB (!) APK on my computer and used apktool to have a look around inside. I didn’t see anything obviously nefarious, but I certainly don’t claim to be an Android security expert. It just seems exceedingly suspicious that this is how they would distribute the software for their product.

Halfhearted security analysis aside, poking around the application’s source code did give me a pretty good idea about how it works. Essentially moving the virtual joystick around or speaking voice commands into the application chains together byte sequences which eventually get fired off towards the Bilbot over a simple Bluetooth serial connection. That means writing a library to get the robot moving should be very simple, should anyone feel so inclined.

As a proof of concept, you can see here how I am able to connect (with no authentication) to the robot using bettercap, enumerate the writable Service Characteristic, and send a few bytes down the line.

The result is the bot lurching backwards an inch or so. If you were particularly bored, you could probably brute force the byte sequences like this to figure out how to control the motors, but would-be BilBot library writers will likely find that lifting them from the application is a much more efficient use of their time.

Bot on a Budget

In short, I believe the BilBot is a fantastic deal at $5. Not for its intended purpose, mind you, but as an ultra cheap robotics platform that’s just begging to get upgraded. Whether you want to write a Python library to control an army of stock BilBots, or rip its brain in half and augment it with a beefy MCU and all the trimmings, you could do worse than stocking up on these little guys.

One thing I did notice on my particular BilBot, and it could have been a fluke, is that there were no screws holding the gearbox together. So after a few seconds of driving around, the box would pop open and the gears would no longer mesh. Finding a few suitably small screws was no problem, but it does make me wonder how many of these bots were deemed DOA when they sprung a sprocket on Christmas morn.

But really, what do you expect for $5?

16 thoughts on “Teardown: BilBot Bluetooth Robot

  1. Looks like one of JieLi’s Bluetooth chips. Not too surprising; they turn up a lot in cheap consumer hardware. Some people have put a little work into experimenting with some of their other chips but I’m not sure what ths one is like.

    1. I’ve installed the app with an iPhone 6 plus. I bought one back in December, and when I went back in January to buy all the rest, they were gone. The app it self is terrible, it’s half translated and doesn’t work as smoothly as you’d think. BUT… it is a $5 bluetooth robot, so I don’t expect much. I wanted an army of these buggers so when I saw this article I thought to myself “Troy! Someone is halfway there!”

      So since then I’ve installed a Windows 10 app called Bluetooth LE Explorer. This app has allowed me to send hex commands to the bot and get it to jerk forward. Trying to figure out what to actually send to the bot without having to decompile the Android app and re-write it from scratch.

  2. Glad someone did a break down. Nice. thx. 5$ I can use for couple ESP-M2 instead. Took y’all couple months tho. Same plastic frame getting extended use in several variants. Out of stock local. Guess I should have grabbed in November but not curious now.

  3. I’m a bit disappointed they didn’t increase the width of the final gear in the gearbox. Adding rubber to the wheels to get more traction would only result in stripping the teeth from that last gear.

  4. The way they talk about the mystery chip and off-store obfuscated Chinese apps show they’re clearly new to the China market..

    By the way the app still has to be signed with the store root unless they request you turn off trusted sources. It probably even has a store listing once you install it.. I side load signed apps on Go 10. No matter the apk source if it’s obfuscated Play Protect(even with “A.I.”) isn’t going to detect behavior if they check for sensor feedback before performing actions; malware gets by Play Protect every day…

    This hardware is boring it’s basically a BT controlled roller with no sensors or advanced firmware..

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.