A Crash Course On Sniffing Bluetooth Low Energy

Bluetooth Low Energy (BLE) is everywhere these days. If you fire up a scanner on your phone and walk around the neighborhood, we’d be willing to bet you’d pick up dozens if not hundreds of devices. By extension, from fitness bands to light bulbs, it’s equally likely that you’re going to want to talk to some of these BLE gadgets at some point. But how?

Well, watching this three part video series from [Stuart Patterson] would be a good start. He covers how to get a cheap nRF52840 BLE dongle configured for sniffing, how to pull the packets out of the air with Wireshark, and perhaps most crucially, how to replay the commands coming from a device’s companion application from an ESP32.

Testing out the sniffed commands.

The first video in the series is focused on getting a Windows box set up for BLE sniffing, so readers who aren’t currently living under Microsoft’s boot heel may want to skip ahead to the second installment. That’s where things really start heating up, as [Stuart] demonstrates how you can intercept the commands being sent to the target device.

It’s worth noting that little attempt is made to actually decode what the commands mean. In this particular application, it’s enough to simply replay the captured commands using the ESP32’s BLE hardware, which is explained in the third video. Obviously blind replay won’t get you far against a device that encrypts the link after pairing or puts a counter or challenge in each command, but for the many cheap gadgets that do neither, it should still give you a solid base to work from.

In the end, [Stuart] takes an LED lamp that could only be controlled with a smartphone application and turns it into something he can talk to on his own terms. Once the ESP32 can send commands to the lamp, it only takes a bit more code to spin up a web interface or REST API so you can control the device from your computer or other gadget on the network. While naturally the finer points will differ, this same overall workflow should allow you to get control of whatever BLE gizmo you’ve got your eye on.

Continue reading “A Crash Course On Sniffing Bluetooth Low Energy”

NRF52 Weather Station Gives Forecast With Style

We’re no strangers to DIY environmental monitors around these parts; in fact, it seems to be one of the most common projects hackers take on when confronted with the power of a modern Internet-connected microcontroller. But among such projects, this miniature nRF52-based weather station built by [Andrew Lamchenko] is among the most polished we’ve seen.

Externally, this looks as though it could easily be a commercial product. The graphical interface on the ePaper display is very well designed, delivering plenty of data while still looking attractive enough to hang in the kitchen. The enclosure is 3D printed, but [Andrew] poured enough elbow grease into sanding and polishing the front that you might not realize it at first glance.

Internally it uses the popular BME280 sensor to detect temperature, humidity, and barometric pressure, though the custom PCB is also compatible with the similar SI7021 and HTU21D sensors if you want to switch things up.

That said, you really want the ability to measure pressure, as it allows the firmware to do its own basic weather forecasting. All the collected data is beamed out over Bluetooth Low Energy (BLE), where it can be collected by the open source MySensors IoT framework, but we imagine it wouldn’t take much work to integrate it into your home automation system of choice.

As excited as we might be about the prospect of repurposing things such as electronic shelf labels, we’re happy to see the prices for general purpose electronic paper screens finally dropping to the point where projects of this caliber are within the means of the hacker crowd.

Continue reading “NRF52 Weather Station Gives Forecast With Style”

Cycling Cadence Display With ESP32

Terry Pratchett once said “Wisdom comes from experience. Experience is often a result of lack of wisdom.” This is as true with technical skills as it is with the rest of life, and you won’t truly understand a specific topic unless you’ve struggled with it a bit. [publidave] wanted a simple wireless display for a Bluetooth cycling cadence sensor, and soon found himself deep down the rabbit hole of MicroPython and Bluetooth Low Energy on the ESP32.

[publidave] had converted his bicycle for indoor training during lockdown and winter, and realized he couldn’t use the guided training app and view his cadence at the same time, so he needed a dedicated cadence display. Since [publidave] was comfortable with Python, he decided to give MicroPython on the ESP32 a go. Bluetooth Low Energy can be rather confusing if you haven’t implemented it before, especially if good examples are hard to come by. In short, the ESP32 needs to find the sensor, connect to it, select the right service, and subscribe to the notifications carrying the data. Each notification is then converted to RPM and shown on a small OLED display. [publidave] does an excellent job of describing what exactly he did, highlighting the problems he encountered, and how he solved them.
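
The decode-to-RPM step, as an added example that is not [publidave]’s MicroPython code: the Bluetooth Cycling Speed and Cadence service delivers a CSC Measurement characteristic (0x2A5B) whose payload is a flags byte, an optional wheel block (uint32 revolutions, uint16 event time), and an optional crank block (uint16 cumulative crank revolutions, uint16 last crank event time in 1/1024 s), all little-endian. Cadence is the change in revolutions over the change in event time between two notifications. The two points a first implementation usually misses are that both crank counters are 16-bit and wrap, and that a sensor repeats its previous reading when the cranks stop, giving a zero time delta. The code below handles both; the notification bytes are constructed for illustration, and discovering the sensor and subscribing to the characteristic is left to whatever BLE stack you use.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Flag bits in the first byte of a CSC Measurement (characteristic 0x2A5B). */
#define CSC_FLAG_WHEEL_PRESENT 0x01
#define CSC_FLAG_CRANK_PRESENT 0x02

struct csc_crank {
    uint16_t revs;      /* Cumulative Crank Revolutions (wraps at 65535) */
    uint16_t evt_time;  /* Last Crank Event Time, 1/1024 s units (wraps at 65535) */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Extract the crank fields from one notification payload.  The wheel block
 * (6 bytes) is optional and precedes the crank block, so the crank offset
 * depends on the flags.  Returns 1 if crank data is present and the payload
 * is long enough to hold it, 0 otherwise (no crank data, or truncated). */
int csc_parse_crank(const uint8_t *data, size_t len, struct csc_crank *out)
{
    if (data == NULL || out == NULL || len < 1)
        return 0;
    uint8_t flags = data[0];
    size_t off = 1;
    if (flags & CSC_FLAG_WHEEL_PRESENT)
        off += 6;
    if (!(flags & CSC_FLAG_CRANK_PRESENT) || len < off + 4)
        return 0;
    out->revs = le16(data + off);
    out->evt_time = le16(data + off + 2);
    return 1;
}

/* Cadence in RPM between two successive crank samples.  Deltas are taken in
 * uint16_t arithmetic so counter wraparound comes out right.  A zero time
 * delta means the sensor repeated its last reading (cranks stopped); -1.0 is
 * returned so the caller keeps the previous value instead of dividing by 0. */
double csc_cadence_rpm(const struct csc_crank *prev, const struct csc_crank *cur)
{
    uint16_t d_revs = (uint16_t)(cur->revs - prev->revs);
    uint16_t d_time = (uint16_t)(cur->evt_time - prev->evt_time);
    if (d_time == 0)
        return -1.0;
    return (double)d_revs * 60.0 * 1024.0 / (double)d_time;
}

/* Parse two notifications and return the cadence between them:
 * -2.0 if either fails to parse, -1.0 if no crank time elapsed. */
double cadence_from_notifications(const uint8_t *a, size_t alen,
                                  const uint8_t *b, size_t blen)
{
    struct csc_crank prev, cur;
    if (!csc_parse_crank(a, alen, &prev) || !csc_parse_crank(b, blen, &cur))
        return -2.0;
    return csc_cadence_rpm(&prev, &cur);
}

/* Constructed notifications (not captured from a real sensor). */
/* crank only: 100 revs at t=10240 ticks, then 102 revs 1536 ticks (1.5 s) later -> 80 RPM */
const uint8_t NOTIF_A[] = { 0x02, 0x64, 0x00, 0x00, 0x28 };
const uint8_t NOTIF_B[] = { 0x02, 0x66, 0x00, 0x00, 0x2E };
/* same ride across a counter wrap: 65535 revs @ 65000 ticks, then 1 rev @ 1000 ticks */
const uint8_t NOTIF_WRAP_A[] = { 0x02, 0xFF, 0xFF, 0xE8, 0xFD };
const uint8_t NOTIF_WRAP_B[] = { 0x02, 0x01, 0x00, 0xE8, 0x03 };
/* wheel + crank present: wheel block of 6 bytes sits before the crank block */
const uint8_t NOTIF_WHEEL_A[] = { 0x03, 0x10, 0x27, 0x00, 0x00, 0x00, 0x28, 0x64, 0x00, 0x00, 0x28 };
const uint8_t NOTIF_WHEEL_B[] = { 0x03, 0x12, 0x27, 0x00, 0x00, 0x00, 0x2E, 0x66, 0x00, 0x00, 0x2E };
/* truncated: flags claim crank data but only 2 of the 4 bytes arrived */
const uint8_t NOTIF_TRUNC[] = { 0x02, 0x64, 0x00 };

int main(void)
{
    printf("plain:      %.1f RPM\n", cadence_from_notifications(NOTIF_A, sizeof NOTIF_A, NOTIF_B, sizeof NOTIF_B));
    printf("wrapped:    %.1f RPM\n", cadence_from_notifications(NOTIF_WRAP_A, sizeof NOTIF_WRAP_A, NOTIF_WRAP_B, sizeof NOTIF_WRAP_B));
    printf("wheel+crank %.1f RPM\n", cadence_from_notifications(NOTIF_WHEEL_A, sizeof NOTIF_WHEEL_A, NOTIF_WHEEL_B, sizeof NOTIF_WHEEL_B));
    printf("repeated:   %.1f (no new event)\n", cadence_from_notifications(NOTIF_A, sizeof NOTIF_A, NOTIF_A, sizeof NOTIF_A));
    printf("truncated:  %.1f (parse failure)\n", cadence_from_notifications(NOTIF_A, sizeof NOTIF_A, NOTIF_TRUNC, sizeof NOTIF_TRUNC));
    return 0;
}
```

The same parser works whether or not the sensor also reports wheel data, which matters because combined speed-and-cadence sensors set both flag bits and shift the crank fields by six bytes.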

In the end, he had a functional display, a good idea of what he would do differently next time, and a lot of additional knowledge and understanding. In our book that’s a successful project.

Since so many health-related devices work with Bluetooth Low Energy, it’s handy to know the technology and how to interface with it. It would allow you to do things like unbrick a $2000 exercise bike,

Custom Firmware For Cheap Bluetooth Thermometers

The Xiaomi LYWSD03MMC temperature and humidity sensor is ridiculously cheap. If you’re buying a few at a time, you can expect to pay as little as $5 USD a pop for these handy Bluetooth Low Energy environmental sensors. Unfortunately, that low price tag comes with a bit of a catch: you can only read the data with the official Xiaomi smartphone application or by linking it to one of the company’s smart home hubs. Or at least, that used to be the case.

Over the past year, [Aaron Christophel] has been working on a replacement firmware for these Xiaomi sensors that unlocks the data so you can use it however you see fit. In addition, it allows the user to tweak various features and settings that were previously unavailable. For example, you can disable the little ASCII-art smiley face that usually shows on the LCD to indicate the relative comfort level of the room.

The new firmware publishes the temperature, humidity, and battery level every minute through a BLE advertisement broadcast, which means client devices can read the data without ever connecting or pairing. Scraping this data is quite simple, and the GitHub page includes a breakdown of what each byte in the broadcast message means. Avoiding connections not only makes it easy to read values from a whole houseful of thermometers with a single passive scan, but should keep each device’s CR2032 battery going for longer. The flip side, of course, is that an unencrypted broadcast can be read, and spoofed, by anyone in radio range.

But perhaps the most impressive part of this project is how you get the custom firmware installed. You don’t need to crack the case or solder up a programmer. Just load the flasher page on a computer and browser combo that supports Web Bluetooth (a smartphone is probably the best bet), point it at the MAC address of the thermometer you want to flash, and hit the button. [Aaron] is no stranger to developing user-friendly OTA installers for his firmware projects, but even for him, this one is quite impressive.

Continue reading “Custom Firmware For Cheap Bluetooth Thermometers”

Page-Turning Pedal Is Pretty Boss

Buying things to make your life easier certainly has its therapeutic joys, but if you really wanna feel good, you gotta make the thing yourself whenever possible. [Bjørn Brandal] happened to have a two-switch BOSS pedal just lying around, so it made sense to turn it into a wireless page turner for reading sheet music.

As [Bjørn] says, the circuit is simple — just two 1/4″ TRS jacks and an ItsyBitsy nRF52840 Express. The jacks connect the pedal’s switch outputs to the ItsyBitsy, which sends keystrokes over BLE.

The cool thing about this pedal is that it can work with a bunch of programs, like forScore, Ableton Live, GarageBand, and more. The different modes are accessed by holding down both pedals, and there’s confirmation via a blinking LED and a buzzing buzzer.

Our favorite part has to be the DIY light guide [Bjørn] made that bends the ItsyBitsy’s RGB LED 90° and points it out the front of the enclosure. Nicely done!

Don’t play anything but the computer keyboard? Put those feet to work with shortcuts behind giant arcade buttons.

A Deep Dive Into The Sterzo Steering Plate

Pedaling in place isn’t the most exciting pastime, so it’s no surprise that modern technology is being used to make the in-home biking experience a bit more interactive. With a stand on the rear wheel providing resistance, and a movable steering plate under the front to read the handlebar angle, you can now use your standard bike as the “controller” in a virtual environment provided by software such as Zwift.

Paving the way towards a DIY Sterzo clone

[Keith Wakeham] wanted to take a closer look at how Zwift communicated with his Sterzo steering device, and it turned into a pretty epic bout of exploration and reverse engineering. As the video after the break shows, he didn’t just go from sniffing the device’s proprietary Bluetooth Low Energy (BLE) communications protocol to figuring out how to emulate it in software so you could roll your own Zwift peripheral. He also tore the device apart, pulled the firmware from its microcontroller, and postulated how you could build your own low-cost clone device that would work with the existing software.

Even if you have absolutely zero interest in virtual biking, the video [Keith] has put together for this project is really a must watch. Have you ever wanted to sniff and reverse engineer BLE communications? Looking for a real-world example of pulling the firmware off of a consumer device? Maybe in the market for some tips on how to identify unknown ICs on a board? All of that, and quite a bit more, is covered in this nearly hour-long hacking tour de force.

On the other hand, if you are interested in adding your own hardware to Zwift, then this look at getting an unsupported stationary bike working with it should be useful.

Continue reading “A Deep Dive Into The Sterzo Steering Plate”

This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes

One of the fun things about vulnerability research is that there are so many places for bugs to hide. Modern devices have multiple processors, bits of radio hardware, and millions of lines of code. When [Veronica Kovah] of Dark Mentor LLC decided to start vulnerability research on the Bluetooth Low Energy protocol, she opted to target the link layer itself, which runs in the radio chip’s firmware, rather than the host stack running as part of the main OS. What’s interesting is that the link layer has to process data before any authentication is performed, so any vulnerability found there is guaranteed to be pre-authentication. Also of interest, many different products share the same BLE chipset, so a bug in its link layer shows up across all of them. [Veronica] shares some great info on how to get started, as well as the details on the vulnerabilities she found, in the PDF whitepaper. (Just a quick note, this link isn’t to the raw PDF, but pulls up a GitHub PDF viewer.) There is also a video presentation of the findings, if that’s more your speed.

The first vuln we’ll look at is CVE-2019-15948, which affects a handful of Texas Instruments BT/BLE chips. The problem is in how BLE advertising packets are handled. The payload of an advertising packet should always be at least six bytes long, because the first six bytes carry the sending device’s address. Part of the packet parsing process subtracts six from the payload length and uses the result as the length of a memcpy. A malicious packet can declare a payload length of less than six; the subtraction underflows to a very large value, and the copy runs far past its destination, overwriting the stack. To actually turn this into an exploit, a pair of packets is sent repeatedly, placing malicious code where program execution will jump to.

The second vulnerability of note, CVE-2020-15531, targets a Silicon Labs BLE chip and uses malformed extended advertising packets to trigger a buffer overflow. Specifically, the sent message is longer than the specification says it should be. Rather than drop the malformed message, the chip’s firmware processes it, and the oversized data overflows a buffer. Going a step further, this chip’s firmware lives in writable non-volatile memory, so an attacker with code execution can modify that firmware permanently. [Veronica] points out that even embedded chips like these should have some sort of secure boot implementation to prevent this sort of persistent attack; secure boot won’t stop the overflow itself, but it does mean a tampered image is caught at the next reset instead of surviving indefinitely.
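
Both bugs are length checks that happen after the length is already trusted, one on the short side and one on the long side. The example below is added here and is neither [Veronica]’s code nor the vendors’ firmware: `vulnerable_copy_len` reproduces the “payload length minus six” arithmetic exactly as the first paragraph describes it, so you can see the value a memcpy would be handed, and `parse_adv_pdu` is a hardened parser for a legacy advertising PDU payload that checks both bounds (at least the 6-byte address, at most the 37 bytes the Core spec allows for legacy advertising) before any subtraction or copy, then walks the AD structures so a bad inner length byte is rejected too. Extended advertising, where the Silicon Labs bug lives, has different and larger limits, so the constants here apply to legacy advertising only; the principle of validating against the spec’s maximum before touching the data is the same. The sample payloads and the address bytes in them are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLE_ADDR_LEN        6   /* AdvA field at the start of the payload */
#define BLE_ADV_MAX_AD_LEN  31  /* legacy advertising data after AdvA */
#define BLE_ADV_MAX_PAYLOAD (BLE_ADDR_LEN + BLE_ADV_MAX_AD_LEN)   /* 37 */

/* The arithmetic behind the first bug: "payload length minus the 6-byte
 * address" with no lower-bound check.  payload_len is promoted to int, so
 * 2 - 6 = -4, and converting that to the size_t a memcpy() takes wraps to
 * SIZE_MAX - 3.  The copy itself is deliberately not performed here: a
 * memcpy() with this length is exactly what runs off the end of the buffer. */
size_t vulnerable_copy_len(uint8_t payload_len)
{
    return (size_t)(payload_len - BLE_ADDR_LEN);
}

struct adv_pdu {
    uint8_t adv_a[BLE_ADDR_LEN];
    uint8_t ad[BLE_ADV_MAX_AD_LEN];
    uint8_t ad_len;
};

/* Each AD structure is <length><type><data...>.  Reject any whose length
 * byte points past the end of the advertising data (the over-length case,
 * applied at the AD level).  A zero length byte starts the zero padding
 * the spec allows and ends the walk. */
static int ad_structures_fit(const uint8_t *ad, size_t ad_len)
{
    size_t i = 0;
    while (i < ad_len) {
        uint8_t len = ad[i];
        if (len == 0)
            break;
        if (i + 1 + len > ad_len)
            return 0;
        i += 1 + len;
    }
    return 1;
}

/* Hardened parse of a legacy advertising PDU payload.  Both bounds are
 * checked before any subtraction or copy.  Returns 0 on success, -1 if the
 * PDU is rejected; nothing is read from the payload until it is known to
 * be within the limits. */
int parse_adv_pdu(const uint8_t *payload, size_t payload_len, struct adv_pdu *out)
{
    if (payload == NULL || out == NULL)
        return -1;
    if (payload_len < BLE_ADDR_LEN || payload_len > BLE_ADV_MAX_PAYLOAD)
        return -1;

    size_t ad_len = payload_len - BLE_ADDR_LEN;   /* provably 0..31 here */
    if (!ad_structures_fit(payload + BLE_ADDR_LEN, ad_len))
        return -1;

    memcpy(out->adv_a, payload, BLE_ADDR_LEN);
    memcpy(out->ad, payload + BLE_ADDR_LEN, ad_len);
    out->ad_len = (uint8_t)ad_len;
    return 0;
}

/* Convenience wrapper: advertising-data length on success, -1 on reject. */
int parsed_ad_len(const uint8_t *payload, size_t payload_len)
{
    struct adv_pdu pdu;
    return parse_adv_pdu(payload, payload_len, &pdu) == 0 ? (int)pdu.ad_len : -1;
}

/* Constructed sample payloads (made-up address, not captured traffic). */
const uint8_t SAMPLE_VALID[] = {
    0xC0, 0xFF, 0xEE, 0x11, 0x22, 0x33,   /* AdvA */
    0x02, 0x01, 0x06,                     /* Flags: LE General Discoverable, no BR/EDR */
    0x05, 0x09, 'T', 'e', 's', 't'        /* Complete Local Name "Test" */
};
const uint8_t SAMPLE_TOO_SHORT[] = { 0xC0, 0xFF };   /* 2 bytes: no room for AdvA */
const uint8_t SAMPLE_BAD_AD[] = {
    0xC0, 0xFF, 0xEE, 0x11, 0x22, 0x33,
    0x10, 0x09, 'A'                       /* length byte says 16, only 2 bytes follow */
};

int main(void)
{
    printf("vulnerable copy length for a 2-byte payload: %zu\n", vulnerable_copy_len(2));
    printf("valid PDU  -> ad_len %d\n", parsed_ad_len(SAMPLE_VALID, sizeof SAMPLE_VALID));
    printf("short PDU  -> %d\n", parsed_ad_len(SAMPLE_TOO_SHORT, sizeof SAMPLE_TOO_SHORT));
    printf("bad AD len -> %d\n", parsed_ad_len(SAMPLE_BAD_AD, sizeof SAMPLE_BAD_AD));
    printf("38-byte claim -> %d\n", parsed_ad_len(SAMPLE_VALID, 38));
    return 0;
}
```

Note that the over-length check is done against the declared length before anything is dereferenced, which is why the 38-byte call above is safe even though the sample array is shorter than that: the whole point is that a length field from the air is untrusted input until it has been compared against what the spec allows.
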
Continue reading “This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes”