Sniffing, Reverse Engineering, and Coding the ESP32 Bluetooth LE Part 2 of 3

18,293 views

Stuart Patterson

3 years ago

Learn to sniff Bluetooth traffic, reverse engineer a custom protocol, and then code an embedded app on the ESP32 to leverage the protocol. Sniffing Bluetooth is not difficult, and this 3-part series gets you started!
Part 2 - We sniff the BLE traffic from the Lumin+ RGB Lamp and the smart phone application, we reverse engineer the traffic, and we send back the commands to the Lumin+ using nRF Connect.
Now that we know the service, characteristics, and values, in part 3 we can write embedded code for the ESP32 to control the lamp.
Lumin + BLE Smart Light - www.fivebelow.com/products/lu...
Bluetooth Developers Guide - www.bluetooth.com/blog/a-deve...
Bluetooth Discovery - www.bluetooth.com/specificati...
Any action you take upon the information in my UKposts videos or related schematics/stl/source code/additional content is strictly at your own risk and I will not be liable for losses, damages, or injuries in connection to the use of the videos or the recreation of the projects in the videos. I am NOT a professional Electrical Engineer, nor am I licensed as an EE.

COMMENTS: 55
@roguesecurity 2 years ago
This is such unique content. It's hard to find any BLE sniffing related article on the internet. I wonder why these videos have fewer viewers. Thanks Stuart for sharing this. It's awesome!!
@StuartPatterson 2 years ago
You are very welcome and thank you for the kind words.
@dafaklmgkslnmgkl909 2 months ago
A little late but so far the best explanation for me. Very fun to watch.
@StuartPatterson 2 months ago
Thanks! You can do a lot with your smart phone now! Check out nRF Connect.
@mikepulice20 2 years ago
Ah ha! I commented on the first video about filtering and this one shows it super easy. Thanks
@StuartPatterson 2 years ago
Glad you found it!
@mikepulice20 2 years ago
I used nRF Connect for a while and found LightBlue to be much more user-friendly from the desktop.
@StuartPatterson 2 years ago
I’ll have to check it out! Thanks.
@m.m.m.c.a.k.e 1 year ago
Get her an Oura Ring…the lightbulb can indicate her mood 🤭
@gwendaldelisle-arnold5638 1 year ago
Been looking for this video for months, being stuck with my Bluetooth lights and no way to program them. If only the manufacturers made a 15-line readme for developers this would be much easier, but I guess not!
@StuartPatterson 1 year ago
Glad you found it! Agreed!
@IrfanAli-jl7vb 1 year ago
This is an excellent series Stuart. I am about to order a Nordic nRF52840 dongle. Have you had any experience in using the drivers on Mac? The Nordic datasheet appears to state that it should work on Mac also, but I have also seen some posts saying getting the driver and capture to work on Mac has been an issue. Also, would it be possible for you to upload a subset of pcap packets from your capture to the Bitbucket site that you have in part 3 of the series? Thank you.
@StuartPatterson 1 year ago
Thanks for the kind words. Sorry, but I don't have any experience with using the capture on a Mac. The machine I used for the videos has been rebuilt and I don't have any of the sample captures. I should have put them up on Bitbucket when I had them. Sorry.
@Steve3dot1416 2 years ago
Very good series. Good rhythm and clear. Do I need a specific sniffer for either Bluetooth LE and "normal" Bluetooth? Maybe "normal" Bluetooth will cover the "Bluetooth LE" subset as well?
@StuartPatterson 2 years ago
Thank you! I have not tried sniffing older BT devices. The nRF52840 states compatibility with Bluetooth 5. I know the spec supports backward compatibility, but where that ends in terms of reverse engineering, the nRF52840, and the software, I am uncertain.
@user-jr5cp5xd7c 2 years ago
Thanks for that amazing video! Such special information. Can you explain for me please, what's the principal difference between Ubertooth and nRF52840? And what about packet injection?
@StuartPatterson 2 years ago
Thank you! I have not looked at the Ubertooth so can't really offer any insight. Sorry.
@diordteuguf93 8 months ago
Tried to reproduce the command to locate a Tile Pro from the 2020 version, but it seems the write command values change every time.. I think there is some dynamic algorithm via software that doesn't let you replay the same attack/commands... The goal is simply to locate (reproduce the sound in the Tile) and then turn off (stop the sound for locating it), but no luck.. Did you try with these types of devices? I succeeded with others like a 360fly camera
@StuartPatterson 8 months ago
No, sorry. I never played around with the Tile Pro.
@diordteuguf93 8 months ago
Thanks! It seems devices with random values in part of the write value command have good code and are protected against replay attacks. It means they are very strong and secure, right? Did you experience this behavior in other BLE devices?
@StuartPatterson 8 months ago
@@diordteuguf93 I have seen similar behavior in a few devices recently. It looks like encryption to me. I just saw this in a drawer lock.
@omarel 2 years ago
I'm curious about testing it with my building's washer/dryer system that uses a Bluetooth based app to send start commands. I wanna see if it's possible to replicate the signal. The app is a very popular one used for contactless vending.
@StuartPatterson 2 years ago
That sounds very interesting. Good luck!
@wannes5165 1 month ago
Hi, thank you for this great tutorial. I followed your guidelines, and got to the point where I have a list of UUIDs and values which were sent to my treadmill. However, when I send the same values to the UUID in nRF Connect, nothing happens. No response whatsoever. Any thoughts?
@StuartPatterson 1 month ago
So, you sent it commands via the treadmill app, captured the communications and then sent the same commands via nRF and it did not work? More comms are being encrypted all the time. Check to see if your treadmill has an open api.
@Tjeanba 2 years ago
Dear Stuart, thanks a lot for these videos. I have learnt a lot (these last 3/4 days). I bought an nRF52840 dongle, set up Wireshark and now can see the packets of my BLE device. However, this BLE device (a BT light dimmer) is connected to a Bluetooth mesh, which requires packet decryption. Then I looked for the convenient keys to decrypt data in Wireshark and this is done. I do not have directly a value available in the ATT command; however, there is additional information under a Bluetooth mesh caption. I can there read a decrypted key 8206 (Opcode) A4BO (Level) 99 (TID) 00 (Transition Time) 00 (Delay). Level corresponds to the light level of the BLE light dimmer, and 8206 the service that enables one to set the light level. Would you have any experience with Bluetooth mesh? I would be very happy to control the dimmer with my ESP32 at the end.
@Tjeanba 2 years ago
Forgot to mention that I do not manage to send any message with nRF Connect that succeeds in controlling my dimmer (the way you do with the bulb)
@StuartPatterson 2 years ago
Sorry, I have not played around with Bluetooth mesh at all. If you figure it out, don't hesitate to post a reply for others to learn from. Thank you.
@Tjeanba 2 years ago
@@StuartPatterson I will do for sure. Thanks again Stuart.
@natezimmer4489 2 years ago
My bad if I missed it, but were you actually sniffing through a frequency hopping BLE connection? If that smart device was communicating on a fixed channel, this approach would seem to be rather limited in utility. Can that sniffer sniff & follow a hop pattern?
@StuartPatterson 2 years ago
It is my understanding that the setup I show does handle BLE frequency hopping. It is not mentioned because it is basically abstracted out by the hardware being used.
@IncaTrails 3 years ago
I picked up one of these lights to practice with. Running the latest Wireshark (3.4.5) and sniffer code. @ 12:43 you show a decoded write packet. My decoded packet is slightly different. I show Handle: 0x0009 (Unknown), not (Unknown: Unknown), and there is no caret next to Handle so I can expand to see the UUIDs. I can see the Value. Without the service and characteristic UUIDs, reverse engineering a protocol is impossible. Any ideas on how to fix?
@StuartPatterson 3 years ago
I am running Wireshark 3.4.5. Are you sure it was a "Sent Write" command from your phone app and not an advertisement from the lamp? I have seen it drop "packets" before depending on the location of the dongle and the phone. Try sending the color command a few times, then sort them by the "Sent Write" and see if that helps.
@ten_gabriel 2 years ago
Hi, I have the same issue. How did you solve it?
@AlessandroTischer 1 year ago
Hi! I'm about to try this with my lawn mower. I just have a question: the native app always asks for the PIN (set on the mower itself) before accessing the device. Would this still be sniffed or could this lead to a dead end? Thank you!!
@StuartPatterson 1 year ago
You should still see the traffic, however the data could be encrypted. "Could be" is the key.
@AlessandroTischer 1 year ago
@@StuartPatterson hope so, we'll see! Thanks!!
@sebastianorozco5437 5 months ago
Hello Stuart Patterson, I have a question about this video, Sniffing, Reverse Engineering, and Coding the ESP32 Bluetooth LE Part 2 of 3. Can you do the same thing you did with the lamp and the iPad with an iPhone 13 and some top-of-the-line AirPods Pro generation? I mean, can I also capture those packets from the master and slave just like you did, when they connect or play music?
@StuartPatterson 5 months ago
More and more devices are now using encryption. You can download nRF Connect on your phone/tablet and look at the traffic without the external sniffing hardware and Wireshark. Give it a shot and let me know what you find!
@DM-uo2tn 1 year ago
Can you do the same thing with a temperature sensor?
@StuartPatterson 1 year ago
A BLE temp sensor? Possibly. Try using the nRF Connect app on your mobile to see the traffic from the phone to the sensor. Good luck and have fun!
@DM-uo2tn 1 year ago
I have two Bluetooth temperature sensors that connect to wireless. Once I configure the device they can connect both via wireless and Bluetooth, but in either case I can't see their packets in Wireshark. I have the MAC addresses, downloaded a Bluetooth scanner, then I tried hciconfig etc.... I can scan to get the MAC addresses, but after that I am unable to analyze packets. Tried using btscanner, that didn't work. Any advice?
@StuartPatterson 1 year ago
@@DM-uo2tn That is very odd. If they work in either WiFi or BLE then I would think you could easily see the WiFi traffic in Wireshark. Sorry man, I don't have anything to offer. Good luck.
@orbita1 3 years ago
I made my own Adafruit nRF52 board (nRF52832, essentially an MDBT42 breakout). All steps went well and I can see the board spitting out data in RealTerm, but in Wireshark I get the errors 'nrf sniffer for bluetooth le could not find interface: com15', also 'error by extcap pipe: FIFO does not exist'. Wireshark also (obviously) isn't showing any data. Any idea?
@StuartPatterson 3 years ago
Sounds cool making your own nRF52 board! Sorry, but I'm not sure what the root cause of the problem is, but I would reinstall extcap if you have not done so. Check your version of Python. Also, I am assuming you had no issues when installing the firmware on your nRF52.
@orbita1 3 years ago
@@StuartPatterson Hey! Thanks, a few years ago I added the Teensy 3.2 reference design to essentially the Adafruit nRF52 design, with the DRV haptic controller and a few other bits, and I thought it'd be cool if I could get the nRF sniffer working on it since I wasn't using the board for anything else (luckily found out I could sniff BLE through your feature on Hackaday). The great news is I finally found the solution after about 2 hours of bashing my head against the wall: devzone.nordicsemi.com/f/nordic-q-a/16440/sniffer-for-nrf52832 I downloaded and burnt the firmware 'hung bui' posted in the link above, which seems to have altered the pins for RX, TX, RTS, CTS to match my nRF52832. After a short pause I can now see data; my upstairs TV spits out an awful lot of data.
@StuartPatterson 3 years ago
@@orbita1 Awesome! Glad you figured it out and thanks for including the link for others! Yeah, my smart TV is the same way in terms of BLE chatter, and I've been toying with the idea of a future project to make it do something interesting, just not sure what yet.
@rpavlik1 3 years ago
That's a pretty decent device, actually. With the protocol understood, it could make a pretty decent little standalone status beacon or similar. I might get one for an air quality indicator: this last year, we managed to avoid infectious disease but discovered just how bad asthma and allergies actually were when we couldn't blame it on a cold.
@StuartPatterson 3 years ago
Nice idea!