Reverse engineering a BLE clock
Perfect Time
What do you do when all your Bluetooth clocks show slightly different times? With some reverse engineering, you can write a Python program to synchronize your clocks.
A while ago, I bought a ThermoPro TP358, a Bluetooth Low Energy (BLE) digital thermometer with a display. The ThermoPro shows the temperature, humidity, and air comfort indicator, as well as the time and day of the week. Its big display is nice for immediate feedback, but the device also lets you read its values and view graphs in the ThermoPro Sensor app, available on Android and iOS (Figure 1). Moreover, every time you connect to the device with the app, it synchronizes the time.
While that is a nice feature, I have a couple of other types of Bluetooth sensors with a clock, and I didn't want to use multiple apps to view the sensor measurements and synchronize the clocks. For the sensor measurements, a solution already exists: Software such as Home Assistant [1] supported my devices out-of-the-box, letting me view their measurements in Home Assistant's dashboard. However, I couldn't find any solution that let me synchronize the time across all of my Bluetooth clocks without using the individual apps.
From past experience reverse engineering other Bluetooth devices, I knew that it should be possible to intercept the synchronization commands between my Android phone and the clock. My plan was to figure out the meaning of the commands and then reimplement the same time synchronization command in a Python script that I could run once a day on a Raspberry Pi. This article describes how I did this for the ThermoPro TP358, but you can use the same procedure with any other BLE device.
Investigating BLE Traffic Logs
There are various ways to intercept BLE traffic. If you're investigating BLE packets sent and received by an Android app, an easy way is to let your phone log its Bluetooth packets while using the app, then transfer the logs to your computer, and open the logs with Wireshark [2] to go through the recorded Bluetooth traffic.
Wireshark is a powerful open source network protocol analyzer. Network administrators use it to analyze network problems, and it also comes in handy to troubleshoot a WiFi or Ethernet network at home. Wireshark can also capture other protocols, including Bluetooth, live or from logs.
To transfer the Bluetooth logs from your phone to your computer, you need the Android Debug Bridge (adb). Most distributions have both Wireshark and adb in their official repositories, so you can install them with your distribution's package manager. If not, you can find Wireshark on its website and adb as part of the Android SDK Platform Tools [3] package.
Preparing Your Phone
First you need to enable USB debugging on your Android phone. This can differ on some models, but generally you need to go to Settings, tap About phone, then Software information, and finally tap Build number seven times. Then enter your PIN to unlock the Developer options menu, which will appear in your Settings menu.
Now, reopen the Settings menu, go to the new Developer options menu, and switch on USB debugging (Figure 2). Then tap on Enable Bluetooth HCI snoop log. After this, disable and re-enable Bluetooth to start logging Bluetooth traffic.
Synchronizing Time
Now open the app and let it connect to your BLE device. After clicking on Add Device, the app finds all ThermoPro clocks in the vicinity. Tap the plus sign next to one of the clocks. The app then connects to the device, downloads sensor measurements, and synchronizes the time. Then close the app, and write down the current date and time. In my case, this was Sunday, March 5, 2023 at 11:01.
Because the app has communicated with the device, there should be some Bluetooth packets logged. Connect your phone to your computer via USB. Your phone will ask to allow the computer access. Confirm this, and then run the following command on your computer:
adb devices
This should show your phone as an attached device. If you haven't confirmed access yet on your phone, the device will be listed as "unauthorized."
Thanks to adb, you can generate a bug report file, which is a ZIP file including the btsnoop_hci.log
file you need in FS/data/log/bt
. Generate this bug report file and transfer it to your computer with:
adb bugreport
This can take a while, but the resulting file will have a name like dumpstate-2023-03-05-11-07-00.zip
, from which you will extract FS/data/log/bt/btsnoop_hci.log
.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.