Poking Around The Wide World Of Bluetooth

Bluetooth is a technology with a very interesting history. When it first came around in the late 1990s, it promised to replace the mess of wires that was tucked behind every desk of the day. Unfortunately, the capabilities of early Bluetooth didn’t live up to the hype, and it never quite took off. It wasn’t until the rise of the smartphone more than a decade later that Bluetooth, now several versions more advanced, really started to make sense.

As [Larry Bank] explains in a recent blog post, that means there’s a whole lot to learn if you want to really understand Bluetooth hacking. For example, the Bluetooth versions that were used in the 1990s and 2000s are actually a completely different protocol from that which most modern devices are using. But the original protocol, now referred to as “Classic”, is still supported and in use.

That means to really get your head wrapped around working with Bluetooth, you need to learn about the different versions and all the tools and tricks associated with them. To that end, [Larry] does a great job of breaking down the primary versions of Bluetooth and the sort of tools you might find yourself using. That includes microcontrollers such as the ESP32 or Arduino Nano 33 BLE.

But the post isn’t just theory. [Larry] also goes over a few real-world projects of his that utilize Bluetooth, such as getting a portable printer working with his Arduino, or figuring out how to use those tiny mobile phone game controllers for his own purposes. Even if you don’t have these same devices, there’s a good chance that the methods used and lessons learned will apply to whatever Bluetooth gadgets you’ve got your eye on.

Readers may recall [Larry] from our previous coverage of his exploits, such as his efforts to increase the frame rate of the SSD1306 OLED display or his wireless bootloader for the SMART Response XE. Whenever we see his name pop up in the Tip Line, we know a fascinating hardware deep dive isn’t far behind.

3D Printed Goggles Let R.O.B. See Into The Bluetooth World

We admit that a hack enabling a 34-year-old video game peripheral to be controlled by a mobile app wasn’t something we were expecting to see today, but if controlling something with something else isn’t the definition of a classic hack, we don’t know what is. The folks at [Croxel Inc.] worked out a way to control R.O.B. using a phone app to demo their expertise in building hardware and software prototypes, a service they offer at their website.

R.O.B. was a little robot with movable clamp arms bundled with the 1985 release of the NES, an effort by Nintendo of America to drive sales of the console after the gaming crash of 1983 by making it look less like a video game and more like a toy. The robot receives inputs from light sensors in its head, which would be pointed towards the TV playing one of the only two games released with support for it. [Croxel] used this to their advantage, and in order to control the robot without needing a whole NES, they fabricated a board using a BGM111 Bluetooth Low-Energy module which can receive outside inputs and translate them to the light commands the robot recognizes.

To avoid having to modify the rare toy itself and having to filter out any external light, the hack consists of a 3D printed “goggles” enclosure that fits over R.O.B.’s eyes, covering them entirely. The board is fitted inside it to shine the control light into its eyes, while also flashing “eye” indicators on the outside to give it an additional charming 80s look. The inputs, which are promptly obeyed, are then given by a phone paired to the module using a custom app skinned to look like a classic NES controller.

We’ve seen more intrusive hacks to this little robot here on Hackaday, such as this one which replaces the old sluggish motors entirely with modern servos and even plans to reconstruct it from scratch given the scarcity of the originals. It’s interesting to see the ways in which people are still hacking hardware from 35 years ago, and we’re excited to see what they’ll come up with around the 40 or 50 year marks!

[via Gizmodo, thanks Itay for the tip!]

New Bluetooth 5 Channel Hopping Reverse Engineered For Jamming And Hijacking

Bluetooth Low Energy (BLE) 5 has been around since 2016 with the most recent version 5.2 published just this year. There’s not much hardware out there that’s using the new hotness. That didn’t stop [Damien Cauquil] from picking apart BLE 5’s new frequency hopping techniques and updating his BtleJack tool to allow sniffing, jamming and hijacking hardware using the new protocol.

As you can imagine, the BLE standard is a complicated beast, and just one part of it is the topic here: the PRNG-based frequency hopping scheme, which is vastly different from BLE 4.x and earlier. The new standard, called Channel Selection Algorithm (CSA) #2, uses 65535 possible channels, compared to just 37 channels used by its predecessor. Paired devices agree to follow a randomized list of all possible channels in sequence so that they remain in synchronization between hops. This was put in place to help avoid collisions, making it possible for many more BLE devices to operate in close proximity. This is important to note since it quickly becomes obvious that it’s not a robust security measure by any means.

To begin channel hopping, the two devices must first agree on an order in which to hop, ensuring they’ll meet one another after each leap. To do so they both run the same 32-bit seed number through a PRNG algorithm, generating a list that will then be followed exactly in order. But it turns out this is not very difficult to figure out. All that’s needed is the access address, whose top 16 bits are publicly available if you’re already sniffing packets, while the bottom 16 bits are the counter that increments through the hop address list.

If you want to jam or hijack BLE 5 communication you need to establish which “randomized” channel list is being used, and the value of the counter that serves as an index to this list. To do so, [Damien] sniffs packets on two different channels. These channels will be used over and over again as it loops through the channel list, so calculating how much time occurs between each channel indicates how far apart these channels are on the list.

In practice, [Damien] first implemented a sieve (the same concept as the Sieve of Eratosthenes for finding primes) that starts with a list of all possibilities and removes those that don’t contain a matching timing between the two channels. Keep doing this, and eventually, you’ll whittle your list down to one possible channel order.

This certainly worked, but there were timing issues that sometimes meant you could learn the seed but couldn’t then sync with it after the fact. His second approach uses pattern matching. By measuring hops on 11 consecutive channels, he’s able to synchronize with target devices in a minute or less. From there, jamming or hijacking methods come into play. The randomization of this scheme is really marginal. A more robust technique would have used an internal state in both devices to generate the next hopping channel. This would have been much more difficult for an attacker to figure out. From the device perspective, CSA #2 takes very little computation power which is key for power-sipping IoT devices most often using BLE.
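To make the "marginal randomization" point concrete, here is an added example (not code from the article or from BtleJack) that implements the CSA #2 channel selection procedure for LE connection events as the Core Specification describes it: a 16-bit channel identifier derived from the access address, three rounds of a per-byte bit-reversal permutation and a multiply-add-modulo step, then reduction onto the 37 data channels with remapping for channels excluded by the channel map. The access address 0x8E89BED6 (the fixed advertising access address) is only used as a worked value; the `revisits` helper is an assumption added here to show how often a given channel comes back around in the sequence.

```python
# Added example: Bluetooth 5 Channel Selection Algorithm #2 (CSA #2) for LE
# connection events, written from the public Core Specification procedure.
# Illustrative code only; it is not BtleJack's implementation.

from typing import List, Sequence

NUM_DATA_CHANNELS = 37
ALL_CHANNELS = list(range(NUM_DATA_CHANNELS))
# Worked value: the fixed advertising-channel access address.
ADVERTISING_ACCESS_ADDRESS = 0x8E89BED6


def channel_identifier(access_address: int) -> int:
    """Everything is seeded from the 32-bit access address: its upper and
    lower 16-bit halves are XORed into one 16-bit channel identifier."""
    return ((access_address >> 16) ^ (access_address & 0xFFFF)) & 0xFFFF


def _reverse_bits8(b: int) -> int:
    """Reverse the bit order of one byte."""
    return int(f"{b & 0xFF:08b}"[::-1], 2)


def _permutation(x: int) -> int:
    """Reverse the bits inside each byte of a 16-bit value (bytes stay in place)."""
    return (_reverse_bits8(x >> 8) << 8) | _reverse_bits8(x & 0xFF)


def _mam(a: int, b: int) -> int:
    """Multiply-add-modulo step: (a * 17 + b) mod 2^16."""
    return (a * 17 + b) & 0xFFFF


def prn_e(counter: int, chan_id: int) -> int:
    """16-bit pseudo-random number for one connection event."""
    x = (counter ^ chan_id) & 0xFFFF
    for _ in range(3):
        x = _mam(_permutation(x), chan_id)
    return x ^ chan_id


def select_channel(access_address: int, counter: int,
                   used: Sequence[int] = ALL_CHANNELS) -> int:
    """Data channel for a given 16-bit event counter, including remapping
    onto the set of channels the channel map marks as used."""
    used_sorted = sorted(set(used))
    n_used = len(used_sorted)
    if not 0 < n_used <= NUM_DATA_CHANNELS:
        raise ValueError("channel map must contain between 1 and 37 channels")
    prn = prn_e(counter & 0xFFFF, channel_identifier(access_address))
    unmapped = prn % NUM_DATA_CHANNELS
    if unmapped in used_sorted:
        return unmapped
    # Unused channel: pick proportionally from the table of used channels.
    remapping_index = (n_used * prn) >> 16
    return used_sorted[remapping_index]


def hop_sequence(access_address: int, start_counter: int, length: int,
                 used: Sequence[int] = ALL_CHANNELS) -> List[int]:
    """The channel list both endpoints follow from a given counter value."""
    return [select_channel(access_address, (start_counter + i) & 0xFFFF, used)
            for i in range(length)]


def revisits(access_address: int, channel: int, length: int,
             used: Sequence[int] = ALL_CHANNELS) -> List[int]:
    """Event counters (from 0) at which `channel` is selected; the gaps
    between them are the timing pattern the article's sieve matches on."""
    return [c for c in range(length)
            if select_channel(access_address, c, used) == channel]


if __name__ == "__main__":
    aa = ADVERTISING_ACCESS_ADDRESS
    print(f"channel identifier: 0x{channel_identifier(aa):04X}")
    print("first 10 hops:", hop_sequence(aa, 0, 10))
    print("counters selecting channel 25 in the first 500 events:",
          revisits(aa, 25, 500))
    # The whole sequence is fixed by a 16-bit identifier and a 16-bit counter,
    # so there are at most 2**16 distinct sequences for a given channel map.
    print("distinct sequences possible:", 2 ** 16)
```

The output makes the article's point directly: once the 16-bit channel identifier is known, both sides (and anyone else) can reproduce the entire hop list, and the space of identifiers is only 65536 entries. Excluding a channel from the map only moves the hits onto the remaining channels through the remapping table; it does not add any secret state.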

As mentioned before, [Damien] had trouble finding any hardware in the wild using the BLE 5 standard. His proof of concept is built on a pair of nRF52840 development boards. Because it needs more testing, the code hasn’t been merged into the main version of BtleJack, but you can still get it right now by heading over to the BtleJack repo on GitHub.

Open Hardware E-Ink Display Just Needs An Idea

It’s taken a while, but thanks to devices like the Amazon Kindle, the cost of e-ink displays is finally at the point where mere mortals such as us can actually start using them in our projects. Now we’ve just got to figure out how to utilize them properly. Sure, you can just hook up an e-ink display to a Raspberry Pi to get started, but to truly realize the potential of the technology, you need hardware designed with it in mind.

To that end, [Mahesh Venkitachalam] has created Papyr, an open hardware wireless display built with the energy efficiency of e-ink in mind. This means not only offering support for low-energy communication protocols like BLE and Zigbee, but keeping the firmware as concise as possible. According to the documentation, the end result is that Papyr only draws 22 uA in its idle state.

So what do you do with this energy-sipping Bluetooth e-ink gadget? Well, that part is up to you. The obvious application is signage, but unless you’re operating a particularly well organized hackerspace, you probably don’t need wireless dynamic labels on your part bins (though please let us know if you actually do). More likely, you’d use Papyr as a general purpose display, showing sensor data or the status of your 3D printer.

The 1.54 inch 200×200 resolution e-ink panel is capable of showing red in addition to the standard grayscale, and the whole thing is powered by a Nordic nRF52840 SoC. Everything’s provided for you to build your own, but if you’d rather jump right in and get experimenting, you can buy the assembled version for $39 USD on Tindie.

Scratch Built Smartwatch Looks Pretty Darn Sharp With 3D Printed Case And Round LCD

These days, if you want a smart watch, you’re spoiled for choice. The major smartphone players all have devices on the market, and there are plenty of third party manufacturers vying for your dollar, too. You might think it’s impossible to achieve the same finish with a 3D printer and a reflow oven, but you’re wrong. [Samson March] didn’t quite fancy something off the shelf, though, and instead built an amazing smartwatch of his own.

The beautiful case is printed in a woodfilled PLA — consisting of 70% plastic and 30% sawdust. This allows it to be sanded and stained for an attractive final product. Printing artifacts actually add to the look here, creating somewhat of a woodgrain effect. There’s a round LCD for a more classical watch look, which displays various graphics and even contact photos for incoming messages. Like most smartwatches on the market, it uses Bluetooth Low Energy for communication, and has a rechargeable lithium battery inside. Estimated battery life is approximately one week, depending on the frequency of use, and the recharging base he fabricated is as beautiful as the watch itself.

It’s a tidy build that shows off [Samson]’s design skills, and files are available on GitHub if you’d like to make your own. Laying out the full design in Fusion 360 prior to the build enabled the watch to be optimized for size constraints, creating an attractive and comfortable piece. With that said, if you’re a fan of a more hardcore electronic aesthetic, perhaps something 8-bit might be more your speed.

[via reddit, thanks to Aliasmk for the tip!]

It’s Curtains For Blu Chip

In theory, there is no reason you can’t automate things all over your house. However — unless you live alone — you need to consider that most people won’t accept your kludgy looking circuits on a breadboard hanging everywhere. Lighting has become easy now that there are a lot of commercial options. However, there are still plenty of things that cry for automation. For [jeevanAnga], the curtains were crying out for remote control.

Since cellphones are ubiquitous, it makes sense to use the phone as a controller, and Bluetooth Low Energy (BLE) is perfect for this kind of application. But you can’t hang a big ugly mess of wires off the curtain rods. That’s why [jeevanAnga] used a tiny (16.6 x 11.5 mm) BLE board known as a BluChip.

We didn’t verify it, but [jeevanAnga] claims it is the smallest BLE board available, and it is certainly tiny. You can see the result in the video below.


Mission Impossible: Infiltrating Furby

Long before things “went viral” there were always a few “must have” toys each year that were in high demand. Cabbage Patch Kids, Transformers, or Teddy Ruxpin would cause virtual hysteria in parents trying to score a toy for a holiday gift. In 1998, that toy was a Furby — a sort of talking robot pet. You can still buy Furby, and as you might expect a modern one — a Furby Connect — is Internet-enabled and much smarter than previous versions. While the Furby has always been a target for good hacking, anything Internet-enabled can be a target for malicious hacking, as well. [Context Information Security] decided to see if they could take control of your kid’s robotic pet.

The Furby Connect’s path to the Internet is via BLE to a companion phone device. The phone, in turn, talks back to Hasbro’s (the toy’s maker) Amazon Web Service servers. The company sends out new songs, games, and dances. Because BLE is slow, the transfers occur in the background during normal toy operation.
