A Crash Course On Sniffing Bluetooth Low Energy

Bluetooth Low Energy (BLE) is everywhere these days. If you fire up a scanner on your phone and walk around the neighborhood, we’d be willing to bet you’d pick up dozens if not hundreds of devices. By extension, from fitness bands to light bulbs, it’s equally likely that you’re going to want to talk to some of these BLE gadgets at some point. But how?

Well, watching this three part video series from [Stuart Patterson] would be a good start. He covers how to get a cheap nRF52840 BLE dongle configured for sniffing, pulling the packets out of the air with Wireshark, and perhaps most crucially, how to duplicate the commands coming from a device’s companion application on the ESP32.

Testing out the sniffed commands.

The first video in the series is focused on getting a Windows box setup for BLE sniffing, so readers who aren’t currently living under Microsoft’s boot heel may want to skip ahead to the second installment. That’s where things really start heating up, as [Stuart] demonstrates how you can intercept commands being sent to the target device.

It’s worth noting that little attempt is made to actually decode what the commands mean. In this particular application, it’s enough to simply replay the commands using the ESP32’s BLE hardware, which is explained in the third video. Obviously this technique might not work on more advanced devices, but it should still give you a solid base to work from.

In the end, [Stuart] takes an LED lamp that could only be controlled with a smartphone application and turns it into something he can talk to on his own terms. Once the ESP32 can send commands to the lamp, it only takes a bit more code to spin up a web interface or REST API so you can control the device from your computer or other gadget on the network. While naturally the finer points will differ, this same overall workflow should allow you to get control of whatever BLE gizmo you’ve got your eye on.

15 thoughts on “A Crash Course On Sniffing Bluetooth Low Energy”

  1. Fantastic tutorial. I’ve been down this road before a couple of years ago reverse engineering a product for a client (previous R&D engineer left no documentation).

    Creating an A/D-to-BLE that would have the lamp react to music would be cool.

    1. Also, there are BLE compatible Star Wars ‘droids that are controllable w/ BLE. They are mobile and have sound/visual reactions based on BLE commands sent to them. I reverse engineered one of them back in early 2020 (bought it at the Disney World Galaxy’s Edge exhibition) and had it singing and “dancing” using BLE techniques similar to what you present here in your fantastic set of tutorials.

  2. Hmmm, just this week I downloaded Wireshark (on da Linux) and played around with it, but not for any particular reason.
    Was cool to see the exchanges between a client and wifi router.

  3. Definitely going to watch this. I bought a BT LE sniffer thing from Adafruit a while ago trying to sniff signals between a BB8 and my phone. Their learning guide walked through sniffing an RGB LED lamp’s commands but I never really got anywhere with my BB8. Maybe this series will help. Thanks!

  4. Shameless plug here.

    I built a web page server for RasPi that allows the user to interactively explore the BLE landscape using a browser. The interface is sorta like the file manager, in that it lists all the BLE devices, and you can open them like directories to see the services, open the services to see characteristics, and so on.

    If the characteristic is known or in a known format (vendor ID, serial number, &c), it will format and show the values as well.

    Useful as a first step in BLE reverse engineering, to find the device address and list of services/characteristics to explore.

    Unfortunately, my javascript/web-fu is weak, and I stopped after the reading/showing characteristics step. Link below for anyone who wants to use it. I have a design in mind for managing the r/w attributes and tabulating/showing old values so you can write characteristics and see what changed, but it’s starting to hard press my HTML/javascript ability to show it.

    (Would anyone conversant in javascript and html like to join me in this endeavor? I can readily code or fix the BLE interface as needed, but formatting the HTML results in javascript is difficult at my level of experience. With a collaborator, we could knock out a full project in a week or two and release it open source for others to use. Ask to join the project, or contact me on .IO (link in title) to discuss.)

    https://github.com/ToolChainGang/BLEServer

  5. For anyone interested in this protocol, be aware different mobile phones work differently. Something went wrong with this standard (too complex?) and there is no agreement on how this is supposed to work. I tried this myself and about 50% of phones fail to connect to my raspi. Also a friend of mine has an ethanol unit in his car which connects via Bluetooth LE. It works only on some phones.

  6. This is so exciting! What a great post! I want to use BLE for indoor/outdoor positioning and this looks very applicable. It’s too bad that the startups/companies that were selling small BLE stickers seem to have dried up. I found out recently that Apple is planning to release Appletags which I think are going to use UHB, and BLE. It would be nice to be able to weave several systems together like wifi and ble to get super accurate positioning. Maybe some of this stuff is the beginning of this.

  7. It would be interesting to sniff some BLE “smart home” devices like the newer Philips Hue bulbs and decode the commands.

    Example bulb link here: https://www.philips-hue.com/en-us/p/hue-white-and-color-ambiance-2-pack-br30-e26/046677548582#specifications

    The following article says the bulbs use BLE not older bluetooth.

    https://www.androidpolice.com/2019/06/27/philips-introduces-new-bluetooth-hue-bulbs-that-work-without-a-hub/#:~:text=Unlike%20traditional%20Hue%20Bulbs%20that,phones%20but%20also%20smart%20speakers.

    1. You can probably skip the sniffer if the app is on an Android phone: you can probably enable developer mode on the phone, enable HCI snoop log, use the app, pull the logs with `adb bugreport`, extract the packet dump from the log in that with `btsnooz.py`, and open that with Wireshark.

      Though those dongles are very cool, and are an extremely powerful BT dev platform

      Also if the gadget uses a standard BLE protocol like GATT, you can probably just figure it out with an app like nRF Connect or LightBlue.
