ble

82 Articles

Diagram from the blog post, showing how GATT communication capture works

Hacking BLE To Liberate Your Exercise Equipment

January 4, 2024 by 17 Comments

It’s a story we’ve heard many times before: if you want to get your data from the Domyos EL500 elliptical trainer, you need to use a proprietary smartphone application that talks to the device over Bluetooth Low-Energy (BLE). To add insult to injury, the only way to the software will export your workout information is by producing a JPG image of a graph. This just won’t do, so [Juan Carlos Jiménez] gives us yet another extensive write-up, which provides an excellent introduction to practical BLE hacking.

He walks us through BLE GATT (Generic Attribute Profile), the most common way such devices work, different stages of the connection process, and the tools you can use for sniffing an active connection. Then [Juan] shows us a few captured messages, how to figure out packet types, and moves into the tastiest part — using an ESP32 to man-in-the-middle (MITM) the connection.

Continue reading “Hacking BLE To Liberate Your Exercise Equipment”

Bluetooth As Proxy For Occupancy

December 13, 2023 by 59 Comments

During [Matt]’s first year of college, he found in a roundabout way that he could avoid crowds in the dining hall by accessing publicly available occupancy data that the dining hall collected. Presumably this was data for the dining hall to use internally, but with the right API calls anyone could use the information to figure out the best times to eat. But when the dining hall switched providers, this information feed disappeared. Instead of resigning himself to live in a world without real-time data on the state of the dining hall, he recreated the way the original provider counted occupancy: by using Bluetooth as a proxy for occupancy.

Bluetooth devices like smartphones, fitness sensors, and other peripherals often send out advertising packets into the aether, to alert other devices to their presence and help initiate connections between devices. By sniffing these advertising packets, it’s possible to get a rough estimate of the number of people in one particular place, assuming most people in the area will be carrying a smartphone or something of that nature. [Matt]’s Bluetooth-sniffing device is based on the ESP32 set up to simply count the number of unique devices it finds. He had some trouble with large crowds, though, as the first ESP32 device he chose didn’t have enough RAM to store more than a few hundred IDs and would crash once the memory filled. Switching to a more robust module seems to have solved that issue, and with a few rounds of testing he has a workable prototype that can run for long periods and log at least as many Bluetooth devices passing by as there are within its range.

While [Matt] hasn’t deployed this to the dining hall yet, with this framework in place most of the work has been done that, at least in theory, one of these modules could be easily placed anywhere someone was interested in collecting occupancy data. He has plans to submit his project to the university, to research the topic further, and potentially sell these to businesses interested in that kind of data. This isn’t an idea limited to the ESP32, either. We’ve seen similar projects built using the Raspberry Pi’s wireless capabilities that perform similar tasks as this one.

Thanks to [Adrian] for the tip!

Reverse Engineering Reveals Hidden API In Abandonware Trail Camera

July 18, 2023 by 12 Comments

It sometimes seems like there are two kinds of cheap hardware devices: those dependent on proprietary software that is no longer available and those that are equally dependent but haven’t been abandoned just quite yet. But rest assured, abandonment is always on the table, and until then, you get to deal with poorly written apps that often suffer from a crippling lack of essential functionality.

Such was the case for the wireless game camera that [Chris Jones] scored on the cheap, but rather than suffering with the original software, he decided to reverse engineer the camera and turn it into something more useful. The eBay description was promising — Bluetooth LE! WiFi! — but the reality proved less so. To save the batteries, WiFi is off by default and can only be turned on by connecting to the camera via BLE using a janky and crash-prone Android app.

[Chris]’ first step in reverse engineering the camera was to snoop into the BLE by capturing the Bluetooth packets to a file and running them through Wireshark. This revealed a write command with the text “BT_KEY_ON” — very promising. After verifying that this command turned on the camera’s access point, [Chris] got to work capturing WiFi packets using PCAPDroid and analyzing the results, again with Wireshark. Using every function available in the OEM app eventually revealed the full API on the camera, which gives file system control, access to individual images, and even putting the camera into live video mode.

Continue reading “Reverse Engineering Reveals Hidden API In Abandonware Trail Camera”

What’s Black, White, And Red On 20 Sides?

May 22, 2023 by 11 Comments

You won’t need to pack a full set of dice for your next game with this DIY Multifunctional Eink Gadget. [Sasa Karanović] brings us a fun device that combines a few essential aspects of tabletop gaming, D6, D12, and D20 dice rolling and a hero dashboard. While they have grand plans for a BLE networked future application, we admire the restraint to complete a V1 project before allowing scope-creep to run amok. Well played!

For this project, [Sasa] realized it needed to be battery powered and just choosing the right display for a battery powered application can be daunting. Even if you aren’t building this project, the video after the break includes a nice intro to electronic ink and low power microcontrollers for the uninitiated. We even see a graph of the completed board’s power draw from the button wake up, display refresh, and low power sleep. The project has some neat tips for building interaction into case design with the use of the display and a flexible bezel as integrated buttons. Continue reading “What’s Black, White, And Red On 20 Sides?”

The BLE Datalogging Scale Of A Thousand Uses

March 29, 2023 by 7 Comments

Whether you’re making coffee or beer or complex chemicals, weighing your ingredients carefully and tracking them is key to getting good results. [Tech Dregs] decided to build a logging scale that would work seamlessly with his smartphone, and shared the design on YouTube.

The design begins with a Greater Goods manual electronic scale, which was chosen for its convenient design and 750 gram load cell. Once cracked open, [Tech Dregs] pulled out the original PCB to replace it with his own. Only the original buttons are used, with an Seed Xiao ESP32-C3 replacing the scale’s original brains. The original LCD screen was swapped out for an OLED display, and it also got a rechargeable lithium battery for better usability.

The real value of the project, though, is its communication capability. It’s able to talk to an Android smartphone over Bluetooth Low Energy. Thanks to a custom app, [Tech Dregs] is able to log weight readings from the scale over time and even graph them live on the smartphone. As a demonstration, the scale is used to log the weight of a cup as it fills with a shot of coffee, which should serve [Tech Dregs] well in his coffee automation projects.

We’ve seen bathroom scales hacked before, too, with similar connectivity upgrades.

Continue reading “The BLE Datalogging Scale Of A Thousand Uses”

Security Vulnerabilities In Modern Cars Somehow Not Surprising

March 2, 2023 by 16 Comments

As the saying goes, there’s no lock that can’t be picked, much like there’s no networked computer that can’t be accessed. It’s usually a continual arms race between attackers and defenders — but for some modern passenger vehicles, which are essentially highly mobile computers now, the defenders seem to be asleep at the wheel. The computing systems that control these cars can be relatively easy to break into thanks to manufacturers’ insistence on using wireless technology to unlock or activate them.

This particular vulnerability involves the use of a piece of software called gattacker which exploits vulnerabilities in Bluetooth Low Energy (BLE), a common protocol not only for IoT devices but also to interface a driver’s smartphone or other wireless key with the vehicle’s security system. By using a man-in-the-middle attack the protocol between the phone and the car can be duplicated and the doors unlocked. Not only that, but this can be done without being physically close to the car as long as a network of some sort is available.

[Kevin2600] successfully performed these attacks on a Tesla Model 3 and a few other vehicles using the seven-year-old gattacker software and methods first discovered by security researcher [Martin Herfurt]. Some other vehicles seem to have patched these vulnerabilities as well, and [Kevin2600] didn’t have universal success with every vehicle, but it does remind us of some other vehicle-based attacks we’ve seen before.

Using GitHub Actions To Brew Coffee

December 10, 2022 by 27 Comments

It’s getting harder and harder to think of a modern premium-level appliance that doesn’t come with some level of Internet connectivity. These days it seems all but the cheapest refrigerators, air purifiers, and microwaves include wireless capabilities — unfortunately they’re often poorly implemented or behind a proprietary system. [Matt] recently purchased a high-end coffee maker with Bluetooth functionality which turned out to be nearly useless, and set to work reverse-engineering his coffee maker and adapting it to work by sending commands from GitHub.

Since the wireless connectivity and app for this coffee maker was so buggy and unreliable, [Matt] first needed to get deep into the weeds on Bluetooth Low Energy (BTLE). After sniffing traffic and identifying the coffee maker, he set about building an interface for it in Rust. Once he is able to send commands to it, the next step was to integrate it with GitHub, so that filing issues on the GitHub interface sends the commands from a nearby computer over Bluetooth to the coffee maker, with much more reliability than the coffee maker came with originally.

Using [Matt]’s methods, anyone stuck with one of these coffee makers, a Delonghi Dinamica Plus, should be able to reactivate the use of its wireless functionality. While we’d hope that anyone selling a premium product like this would take a tiny amount of time and make sure that the extra features actually work, this low bar seems to be oddly common for companies to surmount. But it’s not required to pick up an expensive machine like this just to remotely brew a cup of coffee. You can do that pretty easily with a non-luxury coffee maker and some basic wireless hardware.