ble

87 Articles

3D Printed Goggles Let R.O.B. See Into The Bluetooth World

December 16, 2019 by 4 Comments

We admit that a hack enabling a 34-year-old video game peripheral to be controlled by a mobile app wasn’t something we were expecting to see today, but if controlling something with something else isn’t the definition of a classic hack, we don’t know what is. The folks at [Croxel Inc.] worked out a way to control R.O.B. using a phone app to demo out their expertise in building hardware and software prototypes, a service they offer at their website.

R.O.B. was a little robot with movable clamp arms bundled with the 1985 release of the NES, an effort by Nintendo of America to drive sales of the console after the gaming crash of 1983 by making it look less like a video game and more like a toy. The robot receives inputs from light sensors in its head, which would be pointed towards the TV playing one of the only two games released with support for it. [Croxel] used this to their advantage, and in order to control the robot without needing a whole NES, they fabricated a board using a BGM111 Bluetooth Low-Energy module which can receive outside inputs and translate them to the light commands the robot recognizes.

To avoid having to modify the rare toy itself and having to filter out any external light, the hack consists of a 3D printed “goggles” enclosure that fits over R.O.B.’s eyes, covering them entirely. The board is fitted inside it to shine the control light into its eyes, while also flashing “eye” indicators on the outside to give it an additional charming 80s look. The inputs, which are promptly obeyed, are then given by a phone paired to the module using a custom app skinned to look like a classic NES controller.

We’ve seen more intrusive hacks to this little robot here on Hackaday, such as this one which replaces the old sluggish motors entirely with modern servos and even plans to reconstruct it from scratch given the scarcity of the originals. It’s interesting to see the ways in which people are still hacking hardware from 35 years ago, and we’re excited to see what they’ll come up with around the 40 or 50 year marks!

[via Gizmodo, thanks Itay for the tip!]

Pulling Display Data Off Of A Fitness Tracker

October 27, 2019 by 1 Comment

[Aaron Christophel] writes in with yet another clever hack for his D6 Fitness Tracker. Using OpenOCD and Pygame, he shows how you can pull data right off the tracker’s screen and sent it to the computer.

This one appealed to us for its brevity. First [Aaron] launches the OpenOCD server which connects to the D6. Then, a short Python script connects to the server through telnet, reads the screen data, and uses a look-up table to turn the data into a duplicate display on the PC screen. If you’re more of a visual learner, there’s a demonstration video after the break.

The D6 is a popular fitness tracker that’s often re-branded and sold at a very low cost. [Aaron] is a big fan of these Nordic nRF52 powered devices, and we’ve covered some of his hacks before. If you’d like to learn more about these interesting little devices there’s quite a write-up on their inner-workings here.

Continue reading “Pulling Display Data Off Of A Fitness Tracker”

Punch Through Switches Gears, Shucks Beans

September 23, 2019 by 10 Comments

Do you own a LightBlue Bean or Bean+ from Punch Through? If you don’t have one now, you probably never will, as the company has recently announced they’re no longer selling or supporting the Bluetooth Low Energy microcontrollers. The company says that after selling more than 100,000 Bean devices, the challenge of keeping up with a constantly evolving software ecosystem became too difficult, and they are instead going to focus their efforts on advising other companies on how to best develop Bluetooth products.

Frankly, that sounds a bit like getting advice on how to build a fully armed and operational battle station from the Empire, but who are we to judge. While the Bean family of devices clearly wasn’t able to go the distance, Punch Through at least got them out the door and supported them for longer than many might have expected given the increased competition in the BLE market. It’s not hard to do the math: the LightBlue Bean retailed for around $35 USD, and today you can get a BLE-capable ESP32 for five bucks.

So what happens to all those Beans out in the wild? Normally, the parent company dropping support for a microcontroller wouldn’t be that big of a deal, but this time around we have the “Bean Loader” to contend with. This piece of software is used to push code to the device over Bluetooth, and it’s possible that the constant march of operating system upgrades (especially on mobile devices) will eventually break it. Long story short, there’s nothing to worry about in the short term. But down the road, these Beans might be baked.

Luckily, Punch Through did provide some pretty extensive documentation for the Beans. If there’s significant demand, we imagine the community will do their best to take over development of whatever ancillary software is required to keep the hardware usable for the foreseeable future. Speaking of which, the schematics and PCB layouts for both the Bean and Bean+ have been released under the Creative Commons Attribution 4.0 International license, so it’s not outside the realm of possibility that somebody else might put them back into production.

[Thanks to Chris for the tip.]

OTA Flash Tool Makes Fitness Tracker Hacking More Accessible

August 23, 2019 by 25 Comments

Over the last several months, [Aaron Christophel] has been working on creating a custom firmware for cheap fitness trackers. His current target is the “D6 Tracker” from a company called MPOW, which can be had for as little as $7 USD. The ultimate goal is to make it so anyone will be able to write their own custom firmware for this gadget using the Arduino IDE, and with the release of his new Android application that allows wirelessly flashing the device’s firmware, it seems like he’s very close to realizing that dream.

Previously, [Aaron] had to crack open the trackers and physically connect a programmer to update the firmware on the NRF52832-based devices. That might not be a big deal for the accomplished hardware hacker, but it’s a bit of a hard sell for somebody who just wants to see their own Arduino code running on it. But with this new tool, he’s made it so you can easily switch back and forth between custom and original firmware on the D6 without even having to take it off your wrist.

After the break, you can see the video that [Aaron] has put together which talks about the process of flashing a new firmware image. It’s all very straightforward: you simply pick the device from the list of detected BLE devices, the application puts the tracker into bootloader mode, and then you select the DFU file you want to flash.

There are a couple of ready-made firmwares you can put on the D6 right now, but where’s the fun in that? [Aaron] has put together a customized version of the Arduino IDE that provides everything you need to start writing and flashing your own firmware. If you’ve ever dreamed about creating a wearable device that works exactly the way you want, it’s hard to imagine a cheaper or easier way to get in on the action.

When we last heard from [Aaron] earlier this year, he was working on the IWOWN I6HRC tracker. But it looks like the availability of those devices has since dried up. So if you’re going to try your hand at hacking the MPOW D6, it might be wise to buy a few now while they’re still cheap and easy to find.

Continue reading “OTA Flash Tool Makes Fitness Tracker Hacking More Accessible”

Broken HP-48 Calculator Reborn As Bluetooth Keyboard

August 16, 2019 by 8 Comments

Considering their hardware specification, graphing calculators surely feel like an anachronism in 2019. There are plenty of apps and other software available for that nowadays, and despite all preaching by our teachers, we actually do carry calculators with us every day. On the other hand, never underestimate the power of muscle memory when using physical knobs and buttons instead of touch screen or mouse input. [epostkastl] combined the best of both worlds and turned his broken HP-48 into a Bluetooth LE keyboard to get the real feel with its emulated counterpart.

Initially implemented as USB device, [epostkastl] opted for a wireless version this time, and connected an nRF52 based Adafruit Feather board to the HP-48’s conveniently exposed button matrix pins. For the software emulation side, he uses the Emu48, an open source HP calculator emulator for Windows and Android. The great thing about Emu84 is that it supports fully customizable mappings of regular keyboard events to the emulated buttons, so you can easily map, say, the cosine button to the [C] key. The rest is straight forward: scanning the button matrix detects button presses, maps them to a key event, and sends it as a BLE HID event to the receiving side running Emu84.

As this turns [epostkastl]’s HP-48 essentially into a regular wireless keyboard in a compact package — albeit with a layout that outshines every QWERTY vs Dvorak debate. It can of course also find alternative use cases, for examples as media center remote control, or a shortcut keyboard. After all, we’ve seen the latter one built as stomp boxes and from finger training devices before, so why not a calculator?

Continue reading “Broken HP-48 Calculator Reborn As Bluetooth Keyboard”

New Bluetooth 5 Channel Hopping Reverse Engineered For Jamming And Hijacking

August 10, 2019 by 9 Comments

Bluetooth Low Energy (BLE) 5 has been around since 2016 with the most recent version 5.2 published just this year. There’s not much hardware out there that’s using the new hotness. That didn’t stop [Damien Cauquil] from picking apart BLE 5’s new frequency hopping techniques and updating his BtleJack tool to allow sniffing, jamming and hijacking hardware using the new protocol.

As you can imagine, the BLE standard a complicated beast and just one part of it is the topic here: the PRNG-based frequency hopping scheme that is vastly different from BLE 4.x and earlier. The new standard, called Channel Selection Algorithm (CSA) #2 — uses 65535 possible channels, compared to just 37 channels used by its predecessor. Paired devices agree to follow a randomized list of all possible channels in sequence so that they remain in synchronization between hops. This was put in place to help avoid collisions, making it possible for many more BLE devices to operate in close proximity. This is important to note since it quickly becomes obvious that it’s not a robust security measure by any means.

To begin channel hopping the two devices must first agree on an order in which to hop, ensuring they’ll meet one another after each leap. To do so they both run the same 32-bit seed number through a PRNG algorithm, generating a list that will then be followed exactly in order. But it turns out this is not very difficult to figure out. All that’s needed is the access address whose top 16-bits are publicly available if you’re already sniffing packets, and the bottom 16-bits is the counter that increments the hop address list.

If you want to jam or hijack BLE 5 communication you need to establish which “randomized” channel list is being used, and the value of the counter that serves as an index to this list. To do so, [Damien] sniffs packets on two different channels. These channels will be used over and over again as it loops through the channel list, so calculating how much time occurs between each channel indicates how far apart these channels are on the list.

In practice, [Damien] first implemented a sieve (the same concept as the Sieve of Eratosthenes for finding primes) that starts with a list of all possibilities and removes those that don’t contain a matching timing between the two channels. Keep doing this, and eventually, you’ll whittle your list down to one possible channel order.

This certainly worked, but there were timing issues that sometimes meant you could learn the seed but couldn’t then sync with it after the fact. His second approach uses pattern matching. By measuring hops on 11 consecutive channels, he’s able to synchronize with target devices in a minute or less. From there, jamming or hijacking methods come into play. The randomization of this scheme is really marginal. A more robust technique would have used an internal state in both devices to generate the next hopping channel. This would have been much more difficult for an attacker to figure out. From the device perspective, CSA #2 takes very little computation power which is key for power-sipping IoT devices most often using BLE.

As mentioned before, [Damien] had trouble finding any hardware in the wild using the BLE 5 standard. His proof of concept is built on a pair of nRF52840 development boards. Because it needs more testing, the code hasn’t been merged into the main version of BtleJack, but you can still get it right now by heading over to BtleJack repo on GitHub.

Neat Smart(ish) Watch Build Uses BLE

June 17, 2019 by 6 Comments

Digital watches are a pretty neat idea, and are a great way to experiment with designing and building low-power circuits. That’s what [Eric Min] did with this neat smart watch build. It’s based around an nRF52832 SoC that does all of the heavy lifting, including connecting to a smartphone to get the time when the battery is replaced. It also has a decent quantity of blinky LEDs, which is important on any project of this type.

Continue reading “Neat Smart(ish) Watch Build Uses BLE”