Simple Bluetooth Car Audio From A Pi Zero

When [Sami Pietikäinen] realized that the Bluetooth built into his car didn’t support audio, he didn’t junk it and buy a Tesla. Instead, he decided to remedy the problem by building a small Bluetooth device that plugged into the Aux socket. To do this, he used a Raspberry Pi Zero with a pHAT DAC (Digital to Audio Converter). That’s perhaps using a sledgehammer to crack a walnut, but sometimes you work with what you have. The interesting part is to be found in what he did next: he used Yocto to optimize the device down to make it as simple and straightforward as possible.

New Bluetooth 5 Channel Hopping Reverse Engineered For Jamming And Hijacking

Bluetooth Low Energy (BLE) 5 has been around since 2016 with the most recent version 5.2 published just this year. There’s not much hardware out there that’s using the new hotness. That didn’t stop [Damien Cauquil] from picking apart BLE 5’s new frequency hopping techniques and updating his BtleJack tool to allow sniffing, jamming and hijacking hardware using the new protocol.

As you can imagine, the BLE standard is a complicated beast, and just one part of it is the topic here: the PRNG-based frequency hopping scheme, which is vastly different from BLE 4.x and earlier. The new scheme, called Channel Selection Algorithm (CSA) #2, uses 65535 possible channels, compared to just 37 channels used by its predecessor. Paired devices agree to follow a randomized list of all possible channels in sequence so that they remain in synchronization between hops. This was put in place to help avoid collisions, making it possible for many more BLE devices to operate in close proximity. This is important to note, since it quickly becomes obvious that it’s not a robust security measure by any means.

To begin channel hopping, the two devices must first agree on an order in which to hop, ensuring they’ll meet one another after each leap. To do so they both run the same 32-bit seed number through a PRNG algorithm, generating a list that will then be followed exactly in order. But it turns out this is not very difficult to figure out. All that’s needed is the access address, whose top 16 bits are publicly available if you’re already sniffing packets, and whose bottom 16 bits are the counter that increments through the hop address list.
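To make the point concrete, here is CSA #2 written out from the Core Specification’s definition (this is an added example, not code from the article or from BtleJack). The only inputs are the connection’s 32-bit access address, the channel map and the connection event counter, all of which are sent in the clear, so anyone who has them can compute every future hop; the sample values are the specification’s published test vectors.

```python
# Bluetooth LE Channel Selection Algorithm #2, implemented from the Core
# Specification (Vol 6, Part B, Link Layer). Added example; not BtleJack code.


def perm(x: int) -> int:
    """PERM: reverse the bit order inside each of the two bytes of a 16-bit value."""
    hi = int(f"{(x >> 8) & 0xFF:08b}"[::-1], 2)
    lo = int(f"{x & 0xFF:08b}"[::-1], 2)
    return (hi << 8) | lo


def mam(a: int, b: int) -> int:
    """MAM (multiply, add, modulo): (a * 17 + b) mod 2^16."""
    return (a * 17 + b) & 0xFFFF


def channel_identifier(access_address: int) -> int:
    """channelIdentifier = upper 16 bits XOR lower 16 bits of the access address."""
    return ((access_address >> 16) ^ access_address) & 0xFFFF


def csa2_channel(access_address: int, channel_map: int, event_counter: int) -> int:
    """Data channel for one connection event.

    channel_map is the 37-bit mask from the connection parameters
    (bit i set means channel i is in use).
    """
    ident = channel_identifier(access_address)
    x = (event_counter ^ ident) & 0xFFFF
    for _ in range(3):                      # three rounds of PERM then MAM
        x = mam(perm(x), ident)
    prn_e = x ^ ident                       # per-event pseudo-random number
    unmapped = prn_e % 37
    used = [ch for ch in range(37) if (channel_map >> ch) & 1]
    if unmapped in used:
        return unmapped
    # Unmapped channel is masked out: scale prn_e onto the table of used channels.
    return used[(len(used) * prn_e) >> 16]


def hop_sequence(access_address: int, channel_map: int, first_counter: int, count: int) -> list:
    """Channels for `count` consecutive connection events starting at first_counter."""
    return [csa2_channel(access_address, channel_map, (first_counter + i) & 0xFFFF)
            for i in range(count)]


if __name__ == "__main__":
    AA = 0x8E89BED6                                   # spec sample access address
    ALL_37 = (1 << 37) - 1                            # every data channel in use
    NINE = sum(1 << ch for ch in (9, 10, 21, 22, 23, 33, 34, 35, 36))
    print(hop_sequence(AA, ALL_37, 1, 3))             # [20, 6, 21]
    print(hop_sequence(AA, NINE, 6, 3))               # [23, 9, 34]
```

Note that nothing in the computation is secret or stateful beyond the counter: the same three inputs reproduce the same sequence on every device, which is exactly why recovering them from over-the-air timing is enough to follow a connection.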

If you want to jam or hijack BLE 5 communication you need to establish which “randomized” channel list is being used, and the value of the counter that serves as an index to this list. To do so, [Damien] sniffs packets on two different channels. These channels will be used over and over again as it loops through the channel list, so calculating how much time occurs between each channel indicates how far apart these channels are on the list.

In practice, [Damien] first implemented a sieve (the same concept as the Sieve of Eratosthenes for finding primes) that starts with a list of all possibilities and removes those that don’t contain a matching timing between the two channels. Keep doing this, and eventually, you’ll whittle your list down to one possible channel order.

This certainly worked, but there were timing issues that sometimes meant you could learn the seed but couldn’t then sync with it after the fact. His second approach uses pattern matching. By measuring hops on 11 consecutive channels, he’s able to synchronize with target devices in a minute or less. From there, jamming or hijacking methods come into play. The randomization of this scheme is really marginal. A more robust technique would have used an internal state in both devices to generate the next hopping channel. This would have been much more difficult for an attacker to figure out. From the device perspective, CSA #2 takes very little computational power, which is key for the power-sipping IoT devices that most often use BLE.

As mentioned before, [Damien] had trouble finding any hardware in the wild using the BLE 5 standard. His proof of concept is built on a pair of nRF52840 development boards. Because it needs more testing, the code hasn’t been merged into the main version of BtleJack, but you can still get it right now by heading over to the BtleJack repo on GitHub.

A Better Embroidery Machine, With 3D Printing And Common Parts

In concept, an everyday sewing machine could make embroidery a snap: the operator would move the fabric around in any direction they wish while the sewing machine would take care of slapping down stitches of colored thread to create designs and filled areas. In practice though, getting good results in this way is quite a bit more complex. To aid and automate this process, [sausagePaws] has been using CNC to take care of all the necessary motion control. The result is the DIY Embroidery Machine V2 which leverages 3D printed parts and common components such as an Arduino and stepper drivers for an economical DIY solution.

It’s not shown in the photo here, but we particularly like the 3D printed sockets that are screwed into the tabletop. These hold the sewing machine’s “feet”, and allow it to be treated like a modular component that can easily be removed and used normally when needed.

The system consists of a UI running on an Android tablet, communicating over Bluetooth to an Arduino. The Arduino controls the gantry which moves the hoop (a frame that holds a section of fabric taut while it is being embroidered), while the sewing machine lays down the stitches.

[sausagePaws]’s first version worked well, but this new design really takes advantage of 3D printing as well as the increased availability of cheap and effective CNC components. It’s still a work in progress that is a bit light on design details, but you can see it all in action in the video embedded below.

The Bluetooth LCD Sniffer You Didn’t Know You Needed

At one time or another, we’ve all suffered through working with a piece of equipment that didn’t feature a way to export its data to another device. Whether it was just too old to offer such niceties, or the manufacturer locked the capability behind some upgrade, the pain of staring at digits ticking over on a glowing LCD display and wishing there was a practical way to scrape what our eyes were seeing is well known to hackers.

That was precisely the inspiration for DoMSnif, the dot matrix LCD sniffer that [Blecky] has been working on. Originally the project started as a way to record the temperature of his BRTRO-420 reflow oven, but realizing that such a device could have widespread appeal to other hardware hackers, he’s rightfully decided to enter it into the 2019 Hackaday Prize. If perfected, it could be an excellent way to bolt data capture capabilities to your older devices.

The first phase of this project was figuring out how to capture and parse the signals going into the device’s KS0108 LCD. Getting the data was certainly easy enough, he just had to hook a logic analyzer up between the display and the main board of the device. Of course, figuring out what it all means is a different story.

After running the oven for a bit with the analyzer recording, [Blecky] had more than enough data to get started on decoding it. Luckily, the layout of this fairly common 128×64 pixel display is well documented and easy enough to understand. With a little work, he was able to create a tool that would import the captured data and display it on a virtual LCD.

Unfortunately, the Bluetooth part is where things get tricky. Ultimately, [Blecky] wants to ditch the logic analyzer and use an Adafruit Feather nRF52 Bluefruit to capture the signals going to the LCD and pipe them to a waiting device over Bluetooth. But his testing has found that the nRF52’s radio is simply too slow. The display is receiving data every 14 µs, but it takes the radio at least 50 µs to send a packet.

[Blecky] is looking at ways around this problem, and we’re confident he’ll crack it. The solution could be in buffering and compressing the data before sending it out, though you’d lose the ability to monitor the display in real time. Even if he has to abandon the Bluetooth aspect entirely and make the device wired, we still think there would be a market for an easy-to-use hardware and software solution for scraping LCD data.

Popstick Fan Car Is A Fun Bluetooth Build

Archer fans already know, but for the rest of the world it bears saying – boats are fine, but fan boats are better. It’s much the same with land vehicles, too. [tinkeringtech] felt the same way, and built a Bluetooth-controlled fan car to scoot around the floor. (YouTube, embedded below.)

Construction starts with a series of popsticks glued together to create a chassis. Twist ties are then used to act as axles for bottle cap wheels, while steering is handled by a cardboard rudder controlled by a servo. Propulsion is via a pair of pager-sized motors fitted with fans. An Adafruit Bluefruit Feather M0 runs the show, receiving commands over Bluetooth and driving the motors through an H-bridge chip in the center of the vehicle.

It’s a fun craft-style build that would be a great project for kids interested in electronics and making. It teaches basic electronics, as well as serving as a good introduction into the world of microcontrollers. It’s one of the smaller radio-controlled builds we’ve seen, but you can always go full-scale if that takes your fancy.

A 3D Printed Micro:Bit Nunchuk

As [Paul Bardini] explains on the Thingiverse page for his “Micro:Bit Hand Controller”, the Bluetooth radio baked into the BBC’s educational microcontroller makes it an ideal choice for remotely controlling things. You just need to give it a nice enclosure, a joystick, a couple of buttons, and away you go. You can even use the integrated accelerometer as another axis of control. This is starting to sound a bit familiar, especially to gamers.

While it might not come with the Official Nintendo Seal of Quality, the 3D printable enclosure [Paul] has come up with for the Micro:Bit certainly takes more than a little inspiration from the iconic Wii “Nunchuck” controller. He’s jostled around the positions of the joystick and momentary buttons a bit, but it still has that iconic one-handed ergonomic styling.

In a particularly nice touch, [Paul] has built his controller around a Micro:Bit breakout board from SparkFun that allows you to plug the microcontroller in via its edge connector. This means you can pull the board out and still use it in other projects. The only other connection to the controller leads to the battery, which uses a two pin JST-PH plug that can easily be removed.

Thanks to this breakout board, the internal wiring is exceptionally simple. The joystick (the type used in a PS2 controller) and the buttons are simply soldered directly to pins on the breakout board. No passives required, just a few short lengths of flexible wiring to snake through the printed enclosure.

The Thingiverse page only has the STLs for the two halves of the controller, and no source code for the Micro:Bit itself. But it shouldn’t be terribly hard to piece together the basic functionality with example code that’s floating around out there. Especially since you can run Python on them now. Of course, you could also add Bluetooth to the original Wii version if you’re not looking to reinvent the wheel nunchuck.

Booting The Game Boy Advance Into Bluetooth

While it might not be quite as revered as its predecessor, the Game Boy Advance is arguably the peak of “classic” handheld gaming, before things got all 3D and dual screen on us. One of its best features is the so-called multiboot mode, which allows the GBA to download a program from its link port. Officially this feature was introduced so you could play multiplayer with your friends even if they didn’t have the game cartridge, but naturally it didn’t take long for hackers to realize you can use it to run arbitrary code on an unmodified system.

[Shyri Villar] has put this capability to excellent use with a plug-in board that allows a stock GBA to be used as a general purpose Bluetooth HID controller. Now you can emulate GBA games on your computer while using the real thing as your input device. Or if that’s a bit too redundant for you, then any 2D game you think could benefit from the classic Game Boy control layout.

An ATmega328P on the board initiates the multiboot sequence when the system powers up, and feeds it the GBA program that’s stored on a W25Q32 flash chip. Once the code is running on the GBA, it communicates with a common HC-05 Bluetooth module through the same link port. To perform this handoff, [Shyri] uses an HCF4066 switch IC to literally change the pin assignments in the connector from the SPI lines used to upload the ROM to the UART lines of the Bluetooth module.

With everything powered from the 3.3 V provided by the GBA’s link port, and some software niceties like the ability to store Bluetooth pairing information for subsequent device connections, this is actually a very practical gadget. The fact that you can do this on a completely stock GBA is very compelling, especially considering some of the previous Bluetooth Game Boy modifications we’ve seen. Granted the market might be somewhat limited, but with a custom PCB and a 3D printed enclosure, we could see this potentially being a popular accessory for the classic handheld. It’s not like it can be any more niche than using the GBA as a remote display for your multimeter.