New Bluetooth 5 Channel Hopping Reverse Engineered For Jamming And Hijacking

Bluetooth Low Energy (BLE) 5 has been around since 2016 with the most recent version 5.2 published just this year. There’s not much hardware out there that’s using the new hotness. That didn’t stop [Damien Cauquil] from picking apart BLE 5’s new frequency hopping techniques and updating his BtleJack tool to allow sniffing, jamming and hijacking hardware using the new protocol.

As you can imagine, the BLE standard is a complicated beast and just one part of it is the topic here: the PRNG-based frequency hopping scheme that is vastly different from BLE 4.x and earlier. The new standard, called Channel Selection Algorithm (CSA) #2, uses 65535 possible channels, compared to just 37 channels used by its predecessor. Paired devices agree to follow a randomized list of all possible channels in sequence so that they remain in synchronization between hops. This was put in place to help avoid collisions, making it possible for many more BLE devices to operate in close proximity. This is important to note since it quickly becomes obvious that it’s not a robust security measure by any means.

To begin channel hopping the two devices must first agree on an order in which to hop, ensuring they’ll meet one another after each leap. To do so they both run the same 32-bit seed number through a PRNG algorithm, generating a list that will then be followed exactly in order. But it turns out this is not very difficult to figure out. All that’s needed is the access address, whose top 16 bits are publicly available if you’re already sniffing packets, and the bottom 16 bits are the counter that increments through the hop address list.
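To make the "nothing secret goes in" point concrete, here is an added Python implementation of the CSA #2 channel selection algorithm as the Bluetooth Core Specification defines it (this is example code written for this page, not code from [Damien]'s BtleJack). The inputs are exactly the two values the paragraph names: the 32-bit access address and the 16-bit event counter, plus the channel map (which channels are in use). Everything else is fixed arithmetic: a 16-bit channel identifier derived from the access address, three rounds of a per-byte bit reversal followed by a multiply-and-add, a final XOR, then a reduction modulo 37 with a remapping step for unused channels. The sample access address 0x8E89BED6 is the standard BLE advertising access address, used here only as a known input; the functions below are my own names, not spec or project identifiers.

```python
"""Bluetooth LE Channel Selection Algorithm #2 (CSA #2), written out in full.

Every quantity here is either visible on the air (access address, event
counter) or a constant from the specification. There is no keyed or hidden
state, which is why the hop sequence is reproducible by any observer.
"""


def _rev8(b: int) -> int:
    """Reverse the bit order of one byte (the spec's 'perm' building block)."""
    return int(f"{b & 0xFF:08b}"[::-1], 2)


def _perm(v: int) -> int:
    """Spec 'perm': reverse bits within each of the two bytes of a 16-bit value."""
    return (_rev8(v >> 8) << 8) | _rev8(v & 0xFF)


def _mam(v: int, channel_id: int) -> int:
    """Spec 'MAM' (multiply, add, modulo): (17 * v + channelIdentifier) mod 2^16."""
    return (17 * v + channel_id) & 0xFFFF


def channel_identifier(access_address: int) -> int:
    """channelIdentifier = upper 16 bits of the access address XOR lower 16 bits."""
    return ((access_address >> 16) ^ access_address) & 0xFFFF


def prn_e(access_address: int, counter: int) -> int:
    """Pseudo-random number for one connection event (spec 'prn_e').

    Three rounds of perm -> MAM over (channelIdentifier XOR counter),
    then a final XOR with channelIdentifier.
    """
    ci = channel_identifier(access_address)
    v = (ci ^ counter) & 0xFFFF
    for _ in range(3):
        v = _mam(_perm(v), ci)
    return v ^ ci


def csa2_channel(access_address: int, counter: int, used_channels) -> int:
    """Data channel (0..36) used for the connection event with this counter.

    used_channels: the set of channels currently enabled in the channel map.
    If the unmapped channel is disabled, the spec remaps into the sorted list
    of enabled channels with index floor(N * prn_e / 2^16).
    """
    p = prn_e(access_address, counter)
    unmapped = p % 37
    if unmapped in used_channels:
        return unmapped
    remap_table = sorted(used_channels)
    idx = (len(remap_table) * p) >> 16
    return remap_table[idx]


def hop_sequence(access_address: int, start_counter: int, n: int, used_channels) -> list:
    """The next n channels a link will visit, starting at start_counter.

    This is the whole 'randomized list' from the article: anyone holding the
    access address and a counter value can generate it ahead of time.
    """
    return [
        csa2_channel(access_address, (start_counter + i) & 0xFFFF, used_channels)
        for i in range(n)
    ]


if __name__ == "__main__":
    ADV_AA = 0x8E89BED6  # standard BLE advertising access address, used as sample input
    all_channels = set(range(37))
    print(f"channelIdentifier = 0x{channel_identifier(ADV_AA):04X}")
    print(f"counter 1 -> prn_e 0x{prn_e(ADV_AA, 1):04X}, channel {csa2_channel(ADV_AA, 1, all_channels)}")
    print("first 16 hops:", hop_sequence(ADV_AA, 1, 16, all_channels))
```

Running it with the advertising access address gives channelIdentifier 0x305F and, for counter 1, prn_e 0x0695 and channel 20, which matches the specification's own sample data for CSA #2. The remapping branch is exercised by disabling channel 20: the computation then lands on index 0 of the remaining channels. The takeaway for a defender is the one the article makes: because the sequence is a pure function of public values, channel hopping in BLE should be treated as a coexistence feature, not as a confidentiality or anti-jamming control, and protection has to come from the link-layer encryption and pairing above it.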

If you want to jam or hijack BLE 5 communication you need to establish which “randomized” channel list is being used, and the value of the counter that serves as an index to this list. To do so, [Damien] sniffs packets on two different channels. These channels will be used over and over again as it loops through the channel list, so calculating how much time occurs between each channel indicates how far apart these channels are on the list.

In practice, [Damien] first implemented a sieve (the same concept as the Sieve of Eratosthenes for finding primes) that starts with a list of all possibilities and removes those that don’t contain a matching timing between the two channels. Keep doing this, and eventually, you’ll whittle your list down to one possible channel order.

This certainly worked, but there were timing issues that sometimes meant you could learn the seed but couldn’t then sync with it after the fact. His second approach uses pattern matching. By measuring hops on 11 consecutive channels, he’s able to synchronize with target devices in a minute or less. From there, jamming or hijacking methods come into play. The randomization of this scheme is really marginal. A more robust technique would have used an internal state in both devices to generate the next hopping channel. This would have been much more difficult for an attacker to figure out. From the device perspective, CSA #2 takes very little computation power which is key for power-sipping IoT devices most often using BLE.

As mentioned before, [Damien] had trouble finding any hardware in the wild using the BLE 5 standard. His proof of concept is built on a pair of nRF52840 development boards. Because it needs more testing, the code hasn’t been merged into the main version of BtleJack, but you can still get it right now by heading over to the BtleJack repo on GitHub.

Open Hardware E-Ink Display Just Needs An Idea

It’s taken a while, but thanks to devices like the Amazon Kindle, the cost of e-ink displays is finally at the point where mere mortals such as us can actually start using them in our projects. Now we’ve just got to figure out how to utilize them properly. Sure, you can just hook up an e-ink display to a Raspberry Pi to get started, but to truly realize the potential of the technology, you need hardware designed with it in mind.

To that end, [Mahesh Venkitachalam] has created Papyr, an open hardware wireless display built with the energy efficiency of e-ink in mind. This means not only offering support for low-energy communication protocols like BLE and Zigbee, but keeping the firmware as concise as possible. According to the documentation, the end result is that Papyr only draws 22 uA in its idle state.

So what do you do with this energy-sipping Bluetooth e-ink gadget? Well, that part is up to you. The obvious application is signage, but unless you’re operating a particularly well organized hackerspace, you probably don’t need wireless dynamic labels on your part bins (though please let us know if you actually do). More likely, you’d use Papyr as a general purpose display, showing sensor data or the status of your 3D printer.

The 1.54 inch 200×200 resolution e-ink panel is capable of showing red in addition to the standard grayscale, and the whole thing is powered by a Nordic nRF52840 SoC. Everything’s provided for you to build your own, but if you’d rather jump right in and get experimenting, you can buy the assembled version for $39 USD on Tindie.

Scratch Built Smartwatch Looks Pretty Darn Sharp With 3D Printed Case And Round LCD

These days, if you want a smart watch, you’re spoiled for choice. The major smartphone players all have devices on the market, and there are plenty of third party manufacturers vying for your dollar, too. You might think it’s impossible to achieve the same finish with a 3D printer and a reflow oven, but you’re wrong. [Samson March] didn’t quite fancy something off the shelf, though, and instead built an amazing smartwatch of his own.

The beautiful case is printed in a wood-filled PLA — consisting of 70% plastic and 30% sawdust. This allows it to be sanded and stained for an attractive final product. Printing artifacts actually add to the look here, creating somewhat of a woodgrain effect. There’s a round LCD for a more classical watch look, which displays various graphics and even contact photos for incoming messages. Like most smartwatches on the market, it uses Bluetooth Low Energy for communication, and has a rechargeable lithium battery inside. Estimated battery life is approximately one week, depending on the frequency of use, and the recharging base he fabricated is as beautiful as the watch itself.

It’s a tidy build that shows off [Samson]’s design skills, and files are available on GitHub if you’d like to make your own. Laying out the full design in Fusion 360 prior to the build enabled the watch to be optimized for size constraints, creating an attractive and comfortable piece. With that said, if you’re a fan of a more hardcore electronic aesthetic, perhaps something 8-bit might be more your speed.

[via reddit, thanks to Aliasmk for the tip!]

It’s Curtains For Blu Chip

In theory, there is no reason you can’t automate things all over your house. However — unless you live alone — you need to consider that most people won’t accept your kludgy looking circuits on a breadboard hanging everywhere. Lighting has become easy now that there are a lot of commercial options. However, there are still plenty of things that cry for automation. For [jeevanAnga], the curtains were crying out for remote control.

Since cellphones are ubiquitous, it makes sense to use the phone as a controller, and Bluetooth Low Energy (BLE) is perfect for this kind of application. But you can’t hang a big ugly mess of wires off the curtain rods. That’s why [jeevanAnga] used a tiny (16.6 x 11.5 mm) BLE board known as a BluChip.

We didn’t verify it, but [jeevanAnga] claims it is the smallest BLE board available, and it is certainly tiny. You can see the result in the video below.


Mission Impossible: Infiltrating Furby

Long before things “went viral” there were always a few “must have” toys each year that were in high demand. Cabbage Patch Kids, Transformers, or Teddy Ruxpin would cause virtual hysteria in parents trying to score a toy for a holiday gift. In 1998, that toy was a Furby — a sort of talking robot pet. You can still buy Furby, and as you might expect a modern one — a Furby Connect — is Internet-enabled and much smarter than previous versions. While the Furby has always been a target for good hacking, anything Internet-enabled can be a target for malicious hacking, as well. [Context Information Security] decided to see if they could take control of your kid’s robotic pet.

The Furby Connect’s path to the Internet is via BLE to a companion phone device. The phone, in turn, talks back to Hasbro’s (the toy’s maker) Amazon Web Services servers. The company sends out new songs, games, and dances. Because BLE is slow, the transfers occur in the background during normal toy operation.


Reverse Engineering A BLE Service To Control A Light Bulb

So, you buy an Internet of Things light bulb, it’s a fun toy that allows you to bathe your environment in pretty colours at the touch of an app, but eventually you want more. You start to wonder how you might do more with it, and begin to investigate its inner workings. Then to your horror you discover that far from having bought a device with a convenient API for you to use, it has an impenetrable closed protocol that defies easy access.

This was the problem facing [Ayan Pahwa] when he bought a Syska Smartlight Rainbow LED bulb, and discovered that its Bluetooth Low Energy interface used a closed protocol. But instead of giving up, he proceeded to reverse engineer the communication between bulb and app, and his write-up makes for an interesting read that provides a basic primer on some of BLE’s workings for the uninitiated.

BLE allows a device manufacturer to define their own device service specific to their functionality alongside standard ones for common device types. Using a handy Android app from Nordic Semiconductor he was able to identify the services defined for the light bulb, but sadly they lacked any human-readable information to help him determine their purpose. He thus had to sniff BLE packets directly, and lacking dedicated hardware for this task he relied on a developer feature built into Android versions since KitKat, allowing packets to be captured and logged. By analysing the resulting packet files he was able to identify the Texas Instruments chip inside the bulb, and to deduce the sequences required to control its colours. Then he was able to use the BlueZ utilities to talk directly to it, and as if by magic, his colours appeared! Take a look at the video we’ve placed below the break.

Many of us may never need to reverse engineer a BLE device. But if we are BLE novices, after reading [Ayan]’s piece we will at least have some idea of its inner workings. And that can only be a positive thing.


Which Wireless Tech Is Right For You?

It seems these days all the electronics projects are wireless in some form. Whether you choose WiFi, Bluetooth Classic, Bluetooth Low Energy, ZigBee, Z-Wave, Thread, NFC, RFID, Cell, IR, or even semaphore or carrier pigeon depends a lot on the constraints of your project. There are a lot of variables to consider, so here is a guide to help you navigate the choices and come to a conclusion about which to use in your project.

We can really quickly reduce options down to the appropriate tech with just a few questions.
