Reverse Engineering fun for just 9.33 € + shipping

This article is a brief introduction to the reverse engineering of a Bluetooth LE Temperature and Humidity sensor and data logger. This is done, according to the EU reverse engineering law, only for interoperability purposes. The device is called SensorBlue or ThermoBeacon or ORIA on Aliexpress and here is a photo of what you get:

SensorBlue

You can download an Android application to get you started and test the device. Next we will see some tools useful to inspect a Bluetooth device. For reference, the MAC address of my device is 70:F1:00:00:0F:7B.

bluetootctl

bluetootctl is a tool to gather the basic information about a Bluetooth LE device. A typical session is:

[bluetooth]# power on
[bluetooth]# scan on
Discovery started
[CHG] Device 70:F1:00:00:0F:7B RSSI: -42
[CHG] Device 70:F1:00:00:0F:7B TxPower: 0
[CHG] Device 70:F1:00:00:0F:7B ManufacturerData Key: 0x0010
[CHG] Device 70:F1:00:00:0F:7B ManufacturerData Value:
  00 00 7b 0f 00 00 f1 70 f1 0b 44 01 a4 03 39 4c  ..{....p..D...9L
  09 00            
[bluetooth]# connect 70:F1:00:00:0F:7B
Attempting to connect to 70:F1:00:00:0F:7B
[CHG] Device 70:F1:00:00:0F:7B Connected: yes
Connection successful
...
[NEW] Characteristic (Handle 0xc0ee)
    /org/bluez/hci0/dev_70_F1_00_00_0F_7B/service001f/char0020
    0000fff5-0000-1000-8000-00805f9b34fb
    Unknown
[NEW] Characteristic (Handle 0xc0ee)
    /org/bluez/hci0/dev_70_F1_00_00_0F_7B/service001f/char0023
    0000fff3-0000-1000-8000-00805f9b34fb
    Unknown
...
[bluetooth]# connect 70:F1:00:00:0F:7B
Attempting to connect to 70:F1:00:00:0F:7B
[CHG] Device 70:F1:00:00:0F:7B Connected: yes
Connection successful
[CHG] Device 70:F1:00:00:0F:7B ServicesResolved: yes
[ThermoBeacon]#

Here I copied:

  • the advertising result, which is used for current/maximum/minimum temperature, current humidity and battery level. You can already easily spot the MAC address in the message.

  • the 2 GATT characteristics which will be used for the complete dump of the data log.

Inspecting the HCI communication on Android

The answers to this Stack Overflow question describes how it is possible to capture the log of the communications on Android phone. Unfortunately, the linked btsnooz.py utility doesn't work. It is easy to fix it by looking into the repetition of the length field in the records and the limited number of packet types. I uploaded a fixed version.

The HCI log is very detailed and low level, so a bit difficult to follow. However, it is very useful to guess the right sequence of writes/reads to GATT characteristics.

Decompiling the Android APK

You need to have a rooted phone and download the App APK file. The, you can use jadx or directly the on-line decompiler to do the task. The result is not perfect, because the App is written in Kotlin and jadx has some problems with nested exception. However, also the JVM assembler is pretty easy to follow. The key points are:

  • Function onLeScan in CurrentActivity.java to understand the fields in the advertisement.

  • File LoggingActivity.java for the whole log dump. This is a bit difficult to follow, because of the callback style: the HCI snoop log was very useful to quickly identify the program flow.

Summary

The end result is the Python program sensor_blue_adv.py which allows you to get the current temperature/humidity or dump the whole data log from you Linux system. You need to have bluez and the Python package dbus-next installed.

This entry was posted in Android, Linux desktop. Bookmark the permalink.

Comments are closed.