Sniffing, Reverse Engineering, and Coding the ESP32 Bluetooth LE Part 1 of 3

35,685 views

Stuart Patterson

1 day ago

Learn to sniff Bluetooth LE traffic, reverse engineer a custom protocol, and then code an embedded app on the ESP32 that speaks that protocol. Sniffing Bluetooth LE is not difficult, and this 3-part series gets you started!
Part 1 covers the nRF52840 device and the installation of Wireshark, Python, and the Nordic nRF Sniffer software on Windows 10.
Nordic Instructions: infocenter.nordicsemi.com/ind...
Any action you take upon the information in my UKposts videos or related schematics/stl/source code/additional content is strictly at your own risk and I will not be liable for losses, damages, or injuries in connection to the use of the videos or the recreation of the projects in the videos. I am NOT a professional Electrical Engineer, nor am I licensed as an EE.

COMMENTS: 68
@SuperBernala 2 months ago
Only discovered this 2 years after it was posted, but what a GREAT tutorial series. All 3 videos are straightforward, simple to understand, and he assumes NO PRIOR KNOWLEDGE. Excellent work; that is how you do a tutorial. Subscribed.
@StuartPatterson 2 months ago
Thank you!
@kylemattfield4431 1 year ago
Stuart, thanks for the great info and the fantastic video!
@StuartPatterson 1 year ago
Glad you enjoyed it
@patadia 1 year ago
Exactly what I was looking for. Thank you for sharing.
@StuartPatterson 1 year ago
Glad it was helpful!
@bloodfire29 2 years ago
Man, this is amazing! Share more of your knowledge please :) I'm currently trying to reverse engineer some Japanese light switch controlled by Bluetooth. Not sure I'll be successful, but I'm following your steps.
@StuartPatterson 2 years ago
I got lucky because the light was pretty easy once I looked at the data, but thank you for the kind words!
@zoenagy9458 8 months ago
I subscribed!
@StuartPatterson 8 months ago
Thank you!
@rpavlik1 3 years ago
Good timing. I recently got the (original) nRF52840 dongle, got two of them for $10 each in a recent Digikey order, and had just tried the sniffer the day this video hit Hackaday. I'm keeping one with the stock bootloader for use with the sniffer or nRF Connect desktop; the other received stackable headers and the Adafruit UF2 bootloader: somebody has a fork of the Adafruit nRF52 BSP and the PlatformIO support files that add support for the dongle.
@Adam-ee9lm 2 years ago
Which Digi-Key part did you order ?
@rpavlik1 2 years ago
@Adam-ee9lm I went to look... It's the $10 one whose part number is literally NRF52840-DONGLE, apparently.
@shufflethemovie 3 years ago
Great video Stuart. Quick question: would you have any pointers on how to sniff and track paired devices (RSSI), like a Garmin smartwatch, for presence detection for home automation?
@StuartPatterson 3 years ago
I have a future project using an iTAG device where I want to use the RSSI for proximity detection, but I have not started it yet. When I finally get to it I do plan on creating a video. However, I have not even had time to research it yet. Sorry.
@shufflethemovie 3 years ago
@StuartPatterson That would be wonderful! The main challenge I've noticed is that once the smartwatch is paired with the phone, it stops sending advertising packets, so other BLE devices cannot see the watch.
@StuartPatterson 3 years ago
@shufflethemovie Hmm, not sure how to get around that one.
@antonptashnik4179 1 year ago
Thanks for the series, it nicely introduces BLE sniffing! One question bothers me: I suppose other devices may have their communication encrypted somehow. It'd be cool if you said how one may identify whether any given device uses encryption, and how to sniff such communication in this case.
@StuartPatterson 1 year ago
Thank you. Agreed. I need to look into extending the series and cover sniffing encrypted data. I need to personally learn more about it before sharing.
@justinhalsall4077 2 years ago
Great video! Would this work with the SparkFun Pro nRF52840 Mini?
@StuartPatterson 2 years ago
Thanks for the kind words! I am not certain, but I suspect it would; however, I suggest you ask SparkFun to confirm. If you find it does work, let me know and I will start a list of compatible devices in the video description.
@ustulcik 2 years ago
WOW, great video, thanks for sharing. I really can't find where to buy this dongle. Are they still selling it? Is this technique working with non-low-energy Bluetooth devices (old Bluetooth)?
@StuartPatterson 2 years ago
You should be able to find a Nordic nRF52840 for $10-$15 USD. You might have to install the firmware on the device. Mine came with it already installed. I have not worked with Bluetooth Classic so I cannot say, sorry.
@stefankasmannhuber3750 1 year ago
Hey, great video! But I am pretty new to Bluetooth and I still have a question. I am trying to make a universal remote control (including 3 infrared remote controls and 2 Bluetooth) with an ESP32. The 2 Bluetooth remotes are Fire TV Stick and T-Mobile box remote controls. And before I buy the nRF sniffer, I would like to know if it should be possible to read the communication of the Fire Stick/T-Mobile remote, or could it be that the communication is somehow encrypted?
@StuartPatterson 1 year ago
Sadly, encryption is always a possibility. I would search online to see if anybody has decoded the Fire Stick remote.
@reverseiscool3637 8 months ago
Hello, I wanted to say that you are really creating awesome content. I have a question: can an ESP32 be turned into a BLE sniffer? If yes, can you share a link for guidance? Or maybe a video about it would be great, because I don't find anything about it. Thank you and I wish you the best! 🙏
@StuartPatterson 8 months ago
Thank you very much for the positive comment! I did a little research and found this GitHub project that might be the solution: github.com/Matheus-Garbelini/esp32_bluetooth_classic_sniffer It looks promising and I will add it to my list of topics to research and create a video on! Thanks again!
@mirkowachter3323 1 month ago
Great video series! I just got my sniffer and wanted to try it out, but I don't get any ATT packets (only LE, mostly advertising and scans) with my sniffer, though I am definitely sending GATT writes (since I programmed the client myself) and the other device is answering. (I can see my advertising packets.) It's a connection without bonding. Do I need to listen on some other channel or something?
@StuartPatterson 1 month ago
Hmm, honestly not sure. It has been a long time since I’ve done much BLE stuff. Sorry.
@mirkowachter3323 1 month ago
@StuartPatterson Thanks for the quick response! Maybe I can find out myself.
@mirkowachter3323 1 month ago
In case others have the same problem: I think the sniffer didn't get the "new connection" packet (CONNECT_IND), which it uses to follow a connection. With a different device combination it works (which luckily was the device I wanted to sniff anyway).
@StuartPatterson 1 month ago
@mirkowachter3323 Thanks for sharing! As you stated, it might help others in the future!
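The thread above explains why a sniffer sometimes shows only advertising and scan traffic and never an ATT packet, and the video description lists what Part 1 installs to capture that traffic. The script below is an added example written for this page (it is not code from the video, from Nordic, or from any commenter): a parser for the link-layer advertising-channel PDUs the nRF Sniffer shows in Wireshark, including the CONNECT_IND whose LLData (access address, CRCInit, channel map, hop increment, interval) is the only thing that lets a passive sniffer follow the connection onto the data channels. The two sample PDUs are constructed for the example; the field layouts follow Bluetooth Core Spec Vol 6 Part B 2.3.

```python
"""Parse Bluetooth LE advertising-channel PDUs (Core Spec Vol 6 Part B, 2.3).

Added example for this page. The nRF Sniffer hands Wireshark each PDU starting
at the two-byte link-layer header, which is what parse_adv_pdu() expects. The
sample PDUs at the bottom are constructed, not captured from the video.
"""
import struct
from typing import Optional

PDU_TYPES = {
    0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
    4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND", 7: "ADV_EXT_IND",
}
AD_TYPES = {
    0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs", 0x03: "Complete 16-bit UUIDs",
    0x08: "Shortened Local Name", 0x09: "Complete Local Name",
    0xFF: "Manufacturer Specific",
}


def bdaddr(raw: bytes) -> str:
    """Addresses go over the air least-significant byte first; print MSB first."""
    return ":".join(f"{b:02X}" for b in reversed(raw))


def parse_ad_structures(data: bytes) -> list:
    """Split AdvData/ScanRspData into (type, payload) pairs: Length, AD Type, Data."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:                      # zero length = early termination / padding
            break
        if i + 1 + length > len(data):
            raise ValueError("AD structure runs past the end of AdvData")
        ad_type = data[i + 1]
        out.append((AD_TYPES.get(ad_type, f"0x{ad_type:02X}"), data[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def parse_adv_pdu(pdu: bytes) -> dict:
    """Decode one advertising-channel PDU: 2-byte header, then Length payload bytes."""
    if len(pdu) < 2:
        raise ValueError("shorter than a link-layer header")
    hdr, length = pdu[0], pdu[1]
    payload = pdu[2:2 + length]
    if len(payload) != length:
        raise ValueError(f"header promises {length} payload bytes, got {len(payload)}")
    kind = PDU_TYPES.get(hdr & 0x0F, f"RFU({hdr & 0x0F})")
    res = {"type": kind, "TxAdd_random": bool(hdr & 0x40), "RxAdd_random": bool(hdr & 0x80)}
    if kind in ("ADV_IND", "ADV_NONCONN_IND", "ADV_SCAN_IND", "SCAN_RSP"):
        res["AdvA"] = bdaddr(payload[:6])
        res["AD"] = parse_ad_structures(payload[6:])
    elif kind == "SCAN_REQ":
        res["ScanA"], res["AdvA"] = bdaddr(payload[:6]), bdaddr(payload[6:12])
    elif kind == "CONNECT_IND":
        if length != 34:
            raise ValueError("CONNECT_IND payload is always 34 bytes")
        res["InitA"], res["AdvA"] = bdaddr(payload[:6]), bdaddr(payload[6:12])
        ll = payload[12:]                    # 22 bytes of LLData
        aa, crc, win_size, win_off, interval, latency, timeout = struct.unpack("<I3sBHHHH", ll[:16])
        hop_sca = ll[21]
        res.update({
            "AccessAddress": aa,                              # tags every PDU of this connection
            "CRCInit": int.from_bytes(crc, "little"),         # seed for the data-channel CRC
            "WinSizeMs": win_size * 1.25, "WinOffsetMs": win_off * 1.25,
            "IntervalMs": interval * 1.25, "Latency": latency, "TimeoutMs": timeout * 10,
            "ChannelMap": int.from_bytes(ll[16:21], "little"),  # bit n set = data channel n in use
            "HopIncrement": hop_sca & 0x1F, "SCA": hop_sca >> 5,
        })
    return res


def connection_params(pdus, adv_addr: str) -> Optional[dict]:
    """Return what a passive sniffer needs to follow the connection to adv_addr.

    None means no CONNECT_IND for that advertiser was captured: without the
    access address, CRCInit, channel map and hop increment the sniffer cannot
    predict where the data-channel PDUs will be, so Wireshark keeps showing
    advertising and scan traffic and never an ATT packet.
    """
    for raw in pdus:
        try:
            p = parse_adv_pdu(raw)
        except ValueError:
            continue
        if p["type"] == "CONNECT_IND" and p["AdvA"] == adv_addr:
            return {k: p[k] for k in ("AccessAddress", "CRCInit", "ChannelMap", "HopIncrement", "IntervalMs")}
    return None


# Constructed samples (not from the video): a random-address advertiser named "LED",
# and the CONNECT_IND a public-address initiator sends to it.
ADV_IND_SAMPLE = bytes.fromhex(
    "400E"              # header: ADV_IND, TxAdd=1 (random AdvA); payload length 14
    "5544332211C0"      # AdvA C0:11:22:33:44:55, least-significant byte first
    "020106"            # AD: Flags = LE General Discoverable, BR/EDR not supported
    "04094C4544"        # AD: Complete Local Name "LED"
)
CONNECT_IND_SAMPLE = bytes.fromhex(
    "8522"              # header: CONNECT_IND, RxAdd=1; payload length 34
    "1371DA7D1A00"      # InitA 00:1A:7D:DA:71:13
    "5544332211C0"      # AdvA  C0:11:22:33:44:55
    "234A6550"          # AA 0x50654A23
    "34AB12"            # CRCInit 0x12AB34
    "02" "0500"         # WinSize 2.5 ms, WinOffset 6.25 ms
    "1800" "0000" "4800"  # Interval 30 ms, Latency 0, Timeout 720 ms
    "FFFFFFFF1F"        # ChM: all 37 data channels enabled
    "25"                # Hop = 5, SCA = 1
)

if __name__ == "__main__":
    print(parse_adv_pdu(ADV_IND_SAMPLE))
    print(connection_params([ADV_IND_SAMPLE, CONNECT_IND_SAMPLE], "C0:11:22:33:44:55"))
```

If connection_params() returns None for the advertiser you care about, the capture holds no CONNECT_IND for it, which is the symptom described in the thread: select the device in the sniffer while it is still advertising and before the central connects, or disconnect and reconnect so the CONNECT_IND is sent again while the sniffer is listening.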
@uscjake868 2 years ago
Thanks! Is the Ubertooth anything special, or does the Nordic dongle do what you need for packet capture?
@StuartPatterson 2 years ago
The Ubertooth looks very interesting but I do not have one to try.
@uscjake868 2 years ago
@StuartPatterson Getting it to work is a pain. The dependencies are dated and hard to install. I was using a VM, so that could be part of it. I was able to retrieve the LAP.
@jwdsoft 1 year ago
Thanks for this great tutorial. I followed along and tried testing it on Bluetooth Classic, but it seems like it only works for Bluetooth LE. Is there a way to sniff Bluetooth Classic? Thank you.
@StuartPatterson 1 year ago
Thanks! Unfortunately I have not done any work with Bluetooth Classic, so I can't really answer the question. Sorry.
@mikepulice20 2 years ago
I've been doing Bluetooth a long time, but always at a company that supplied expensive sniffers. Tech has come a long way, lol. I am at the point where I really need to get better at the filtering for this sniffer so I can quickly find my GATT attributes and such. Any source for good filtering for this sniffer after connection?
@StuartPatterson 2 years ago
Looks like you found it in video #2!
@bennguyen1313 3 years ago
Can the Bluetooth Serial CDC profile be run as "Low Energy"? For example, could I transmit serial ASCII data from a USB/Bluetooth dongle (e.g. HC-06, HM-10) and pick it up using a BLE receiver (Android), etc.?
@StuartPatterson 3 years ago
Not sure. Sorry.
@rpavlik1 2 years ago
BLE and Bluetooth Classic have almost nothing in common. There's no serial device protocol in BLE by default/standard, but Nordic did publish their own. Not sure if there are any of those little Bluetooth serial modules that speak it though.
@bennguyen1313 2 years ago
@rpavlik1 Thanks. Are the BT4/5 chipsets in phones backwards compatible, i.e. can they revert to Classic mode? I'd like to use a BT Classic dongle and desktop app (Flutter, Electron, NeutralinoJS, Tauri, etc.) to talk to an Android.
@piotrekmezyk9413 11 months ago
Thank you for the tutorial! I followed your steps trying to reverse a Tuya drawer lock, but it did not work. I can connect for a while to the device via nRF Connect (both the mobile and desktop versions), I know the device's name and address, but it does not show in Wireshark. Even if I try to add the LE address (according to Nordic's infocenter) it does not help. Any idea how I could sniff this communication between the Tuya app and the device?
@StuartPatterson 11 months ago
Not sure, but I just ordered one from Temu. Once I get it I will play around and see if I can figure it out. No promises, but we might get lucky!
@piotrekmezyk9413 10 months ago
@StuartPatterson That's great! I'd be grateful for any advice, even without such a video tutorial!
@StuartPatterson 10 months ago
Well, I have been playing around with the Tuya smart drawer switch for a few hours now. It does use encryption, as identified by the LL_FEATURE_REQ (0x08) opcode sent and the returned LE Encryption bit being set. I looked at the encryption to see how complex it is and I was not able to decode it; however, I know very little about encryption. I also tried to replay the unlock and it seems, and I could be wrong, that each request requires a new encrypted code. Sorry, I was hoping I would figure it out, but this one is pretty well written, at least in my opinion.
@piotrekmezyk9413 10 months ago
@StuartPatterson Thank you for your work! It seems I will have to use Tuya's libraries to use this lock.
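Two threads above ask how to tell whether a device encrypts its link (the question under @antonptashnik4179's comment) and report a Tuya lock doing so. The link layer announces this in the clear before encryption starts, so it can be read from the PDUs the sniffer already shows. The script below is an added example for this page, not code from the video or from any commenter: it decodes data-channel PDUs far enough to spot the feature exchange (the LE Encryption bit in LL_FEATURE_REQ/RSP only says the device supports encryption), the LL_ENC_REQ/LL_START_ENC_REQ exchange that actually turns it on, and the SMP Pairing Request/Response whose AuthReq byte tells you whether pairing uses LE Secure Connections. That last flag is the practical answer to "can I sniff it": a passive capture of a Legacy pairing gives enough to recover the long-term key (the Just Works TK is zero and a passkey has only a million values), while LE Secure Connections uses an ECDH exchange that a passive listener cannot reverse. The sample PDUs are constructed; layouts follow Core Spec Vol 6 Part B 2.4, Vol 3 Part A 3.1 and Vol 3 Part H 3.5.

```python
"""Spot encryption and pairing on a Bluetooth LE connection from its data-channel PDUs.

Added example for this page. Layouts: LL control PDUs per Core Spec Vol 6 Part B 2.4,
L2CAP basic header Vol 3 Part A 3.1, SMP pairing request/response Vol 3 Part H 3.5.
Sample PDUs at the bottom are constructed, not captured from the Tuya lock.
"""
import struct

LL_OPCODES = {
    0x00: "LL_CONNECTION_UPDATE_IND", 0x01: "LL_CHANNEL_MAP_IND", 0x02: "LL_TERMINATE_IND",
    0x03: "LL_ENC_REQ", 0x04: "LL_ENC_RSP", 0x05: "LL_START_ENC_REQ", 0x06: "LL_START_ENC_RSP",
    0x07: "LL_UNKNOWN_RSP", 0x08: "LL_FEATURE_REQ", 0x09: "LL_FEATURE_RSP",
    0x0A: "LL_PAUSE_ENC_REQ", 0x0B: "LL_PAUSE_ENC_RSP", 0x0C: "LL_VERSION_IND",
    0x0D: "LL_REJECT_IND", 0x0E: "LL_PERIPHERAL_FEATURE_REQ", 0x0F: "LL_CONNECTION_PARAM_REQ",
    0x10: "LL_CONNECTION_PARAM_RSP", 0x11: "LL_REJECT_EXT_IND", 0x12: "LL_PING_REQ",
    0x13: "LL_PING_RSP", 0x14: "LL_LENGTH_REQ", 0x15: "LL_LENGTH_RSP",
}
FEATURE_BITS = {0: "LE Encryption", 1: "Connection Parameters Request", 4: "LE Ping",
                5: "Data Length Extension", 6: "LL Privacy", 8: "LE 2M PHY"}
CID_ATT, CID_SMP = 0x0004, 0x0006
SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE = 0x01, 0x02


def parse_data_pdu(pdu: bytes) -> dict:
    """Decode the header (LLID, NESN, SN, Length) and the fields this check needs."""
    hdr, length = pdu[0], pdu[1]
    body = pdu[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated data PDU")
    llid = hdr & 0x03
    res = {"llid": llid, "nesn": (hdr >> 2) & 1, "sn": (hdr >> 3) & 1}
    if llid == 0b11:                                    # LL control PDU: Opcode + CtrData
        opcode = body[0]
        res["ctrl"] = LL_OPCODES.get(opcode, f"0x{opcode:02X}")
        if opcode in (0x08, 0x09, 0x0E):                # feature exchange: 8-byte FeatureSet
            feats = int.from_bytes(body[1:9], "little")
            res["features"] = [name for bit, name in FEATURE_BITS.items() if (feats >> bit) & 1]
        elif opcode == 0x03:                            # LL_ENC_REQ: Rand(8) EDIV(2) SKDm(8) IVm(4)
            res["rand"] = body[1:9].hex()
            res["ediv"] = struct.unpack_from("<H", body, 9)[0]
    elif llid == 0b10:                                  # start of an L2CAP frame: Length, CID
        l2len, cid = struct.unpack_from("<HH", body, 0)
        sdu = body[4:4 + l2len]
        res["cid"] = cid
        if cid == CID_SMP and sdu and sdu[0] in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
            auth_req = sdu[3]                           # Code, IOCap, OOB, AuthReq, MaxKeySize, IKD, RKD
            res["smp"] = {
                "code": "Pairing Request" if sdu[0] == SMP_PAIRING_REQUEST else "Pairing Response",
                "bonding": bool(auth_req & 0x01), "mitm": bool(auth_req & 0x04),
                "secure_connections": bool(auth_req & 0x08), "max_key_size": sdu[4],
            }
        elif cid == CID_ATT and sdu:
            res["att_opcode"] = sdu[0]                  # e.g. 0x12 Write Request, 0x52 Write Command
    return res


def assess(pdus) -> dict:
    """Summarise what a passive sniffer is up against on this connection."""
    s = {"enc_supported": False, "enc_started": False, "pairing": None, "att_seen": 0}
    sc_flags = []
    for raw in pdus:
        p = parse_data_pdu(raw)
        if "LE Encryption" in p.get("features", []):
            s["enc_supported"] = True                   # capability only, not proof it is used
        if p.get("ctrl") in ("LL_ENC_REQ", "LL_START_ENC_REQ"):
            s["enc_started"] = True                     # AES-CCM on every data PDU from here
        if "smp" in p:
            sc_flags.append(p["smp"]["secure_connections"])
        if "att_opcode" in p:
            s["att_seen"] += 1
    if sc_flags:
        # LE Secure Connections is used only if both request and response set the SC bit.
        s["pairing"] = "LE Secure Connections" if all(sc_flags) else "Legacy"
    # Plaintext links need no key. A captured Legacy pairing leaks enough to derive the
    # LTK (Just Works TK is 0, a passkey has 10^6 values). SC (ECDH) cannot be reversed,
    # and a bonded reconnection that reuses an old LTK shows no pairing at all.
    s["passively_decryptable"] = (not s["enc_started"]) or s["pairing"] == "Legacy"
    return s


# Constructed sample PDUs (hex: header, length, body), not from the Tuya capture.
FEATURE_REQ = bytes.fromhex("0309" "08" "2100000000000000")  # LE Encryption + DLE supported
FEATURE_RSP = bytes.fromhex("0309" "09" "0100000000000000")  # LE Encryption supported
ATT_WRITE = bytes.fromhex("0208" "0400" "0400" "52" "1000" "01")  # Write Command, handle 0x0010
PAIRING_REQ = bytes.fromhex("020B" "0700" "0600" "01" "03" "00" "09" "10" "0F" "0F")  # SC + bonding
PAIRING_RSP = bytes.fromhex("020B" "0700" "0600" "02" "03" "00" "09" "10" "0F" "0F")
ENC_REQ = bytes.fromhex("0317" "03" "0102030405060708" "3412" "1111111111111111" "22222222")
START_ENC_REQ = bytes.fromhex("0301" "05")

if __name__ == "__main__":
    print(assess([FEATURE_REQ, FEATURE_RSP, ATT_WRITE, PAIRING_REQ, PAIRING_RSP, ENC_REQ, START_ENC_REQ]))
```

Once LL_START_ENC_REQ/RSP completes, every data PDU is AES-CCM encrypted with a nonce built from a per-direction packet counter, so the same unlock command never produces the same bytes twice and a replayed PDU fails its MIC; that is consistent with the replay result reported in the thread above.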
@ibrahim.qaladze6879 1 year ago
Hello, very nicely prepared video, but I have a question, please; it is very important to me if you answer me, thank you. Is there anything I can give my laptop to extend the range of Bluetooth, at least 100 meters to 200 meters? Is there any way I can transfer pictures? Please give me the name of anything. Thank you.
@StuartPatterson 1 year ago
Thank you for the comment. I am not aware of any Bluetooth extenders or add-on antennas, but they could exist. As for transferring binary data, that should be possible, but I don't have an example. Good luck.
@king_wing34 2 years ago
Can I use any Bluetooth dongles, or only nRF ones?
@StuartPatterson 2 years ago
I have only used the nRF52840.
@king_wing34 2 years ago
@StuartPatterson Thanks for replying :) So I tried it with my Bluetooth module... and it didn't work... probably mine was not a sniffer type. Then I found out that Android phones can do something similar by enabling a special option in developer mode, and so I tried that. It worked, but it doesn't keep updating the file it makes that holds all that Bluetooth sniff data. Have you ever tried that and got it to keep updating the file?
@StuartPatterson 2 years ago
@king_wing34 No, I need to get an Android tablet or something to play around with that setting. Currently using iOS stuff.
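The Android option mentioned above (the "Bluetooth HCI snoop log" developer setting) writes a btsnoop-format file rather than an over-the-air capture: it records the HCI commands, events and ACL data exchanged between the phone's host stack and its controller, so it sees traffic on links the phone is party to even when they are encrypted over the air. The reader below is an added example for this page, not code from the video or from any commenter. It parses the btsnoop header and records (a constructed two-record file is embedded so it runs offline) and pulls the peer address out of HCI LE_Create_Connection commands, which is a quick way to confirm which device the phone's app actually connected to before you go hunting for its writes. It assumes Android's H4 datalink value (1002) and does not address the file-not-updating problem raised in the thread.

```python
"""Minimal reader for Android's btsnoop_hci.log (the "Bluetooth HCI snoop log" option).

Added example for this page. Unlike the nRF Sniffer this is a host-side capture:
every HCI command, event and ACL packet the phone's stack exchanged with its
controller, taken before link-layer encryption, so encrypted BLE links are
readable here. A constructed file is embedded so the module runs offline.
"""
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
H4_TYPES = {0x01: "CMD", 0x02: "ACL", 0x03: "SCO", 0x04: "EVT"}
OPCODE_LE_CREATE_CONNECTION = 0x200D      # OGF 0x08 (LE Controller), OCF 0x000D


def bdaddr(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in reversed(raw))


def read_btsnoop(blob: bytes) -> list:
    """Return one dict per record; all btsnoop header fields are big-endian."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack_from(">II", blob, 8)
    if version != 1 or datalink != 1002:  # 1002 = HCI UART (H4), which Android writes
        raise ValueError(f"unsupported btsnoop version {version} / datalink {datalink}")
    records, off = [], 16
    while off + 24 <= len(blob):
        orig_len, incl_len, flags, drops, ts = struct.unpack_from(">IIIIq", blob, off)
        off += 24
        data = blob[off:off + incl_len]
        off += incl_len
        if not data:
            continue
        records.append({
            "ts_us": ts,                       # microseconds since 0000-01-01 (btsnoop epoch)
            "dir": "controller->host" if flags & 1 else "host->controller",
            "type": H4_TYPES.get(data[0], f"0x{data[0]:02X}"),   # H4 packet indicator byte
            "payload": data[1:],
            "dropped": drops,
            "truncated": incl_len < orig_len,
        })
    return records


def le_connect_targets(records) -> list:
    """Peer addresses the phone tried to connect to (HCI LE_Create_Connection).

    Parameters: Scan_Interval(2) Scan_Window(2) Initiator_Filter_Policy(1)
    Peer_Address_Type(1) Peer_Address(6) Own_Address_Type(1) ... (Vol 4 Part E 7.8.12).
    """
    targets = []
    for r in records:
        if r["type"] != "CMD" or len(r["payload"]) < 3:
            continue
        opcode, plen = struct.unpack_from("<HB", r["payload"], 0)   # HCI command header
        params = r["payload"][3:3 + plen]
        if opcode == OPCODE_LE_CREATE_CONNECTION and len(params) >= 13:
            addr_type = "random" if params[5] else "public"
            targets.append((bdaddr(params[6:12]), addr_type))
    return targets


def _record(flags: int, ts_us: int, h4: bytes) -> bytes:
    """Build one btsnoop record; flags bit0 = received, bit1 = command/event."""
    return struct.pack(">IIIIq", len(h4), len(h4), flags, 0, ts_us) + h4


# Constructed sample log (not a real phone capture): an LE_Create_Connection to a
# random-address peer, then the Command Status event the controller answers with.
SAMPLE_LOG = (
    BTSNOOP_MAGIC + struct.pack(">II", 1, 1002)
    + _record(0x02, 1_000_000, bytes.fromhex(
        "01" "0D20" "19"                              # H4 CMD, opcode 0x200D, 25 param bytes
        "6000" "3000" "00" "01" "5544332211C0" "00"   # scan 96/48 slots, random peer C0:11:..:55
        "1800" "2800" "0000" "4800" "0000" "0000"))   # interval 24..40, latency 0, timeout 720 ms
    + _record(0x03, 1_002_000, bytes.fromhex("04" "0F" "04" "00" "01" "0D20"))  # Command Status OK
)

if __name__ == "__main__":
    for rec in read_btsnoop(SAMPLE_LOG):
        print(rec["ts_us"], rec["dir"], rec["type"], rec["payload"].hex())
    print(le_connect_targets(read_btsnoop(SAMPLE_LOG)))
```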
@user-jr5cp5xd7c 2 years ago
Can you help me? I did everything exactly as in your instructions, but at the launch stage I do not receive packets, although I see devices and their signals in the list. What could be the problem?
@user-jr5cp5xd7c 2 years ago
But on my Linux all is fine. Very strange.
@StuartPatterson 2 years ago
Guessing, but it might be an issue with Python on the Windows machine. I would confirm it is in the system path and is launching properly. It has been a while since I used this technique, so you might have to roll up your sleeves and debug the issue.
@user-jr5cp5xd7c 2 years ago
@StuartPatterson I hope I can solve this problem, thanks for the advice!
@StuartPatterson 2 years ago
Me too. If you do figure it out, please post the solution back here in case someone has a similar problem. The Python add-in is what you should be looking at, at least in my opinion.
@user-jr5cp5xd7c 2 years ago
@StuartPatterson OK!
@samcurfman8494 3 years ago
Can all of this be done on macOS as well?
@StuartPatterson 3 years ago
Not sure.
@totoxahc 3 years ago
Documentation says it can be done.
@tj_1260 2 years ago
OK