Reverse engineering a BLE clock

Investigating the BLE Traffic

You can now unplug your phone from your computer. I also recommend disabling USB debugging and the Bluetooth HCI snoop log if you no longer need them. Disable and re-enable Bluetooth to stop logging.

Now start Wireshark and open the File | Open menu. Select the btsnoop_hci.log file you extracted. Wireshark now shows you the logs from your phone's Bluetooth Host Controller interface. From here, you can start your investigation.

Wireshark shows each BLE packet in a row with columns for the packet number, the time (seconds since the start of the log), the source, protocol, and some information. When the source is controller or host, these are low-level packets you're not interested in. Scroll through the list until you encounter the name of your phone or the BLE clock in the Source column.

The phone or BLE clock packets show that your phone starts connecting and asking for the different types of information that your clock offers as BLE services and characteristics. There are a lot of packets flowing in both directions, so it's a bit like searching for a needle in a haystack. However, you are looking for something very specific: a date and time written by the phone to a characteristic of the clock. You can filter the packets on those writes.

Filtering the Write Packets

Under the Info column, you will see some packets with Sent Write Request and others with Sent Write Command. A Write Request expects a Write Response, while a Write Command doesn't. However, you don't know beforehand which ones the app uses to write the time, so you'll have to investigate both types. Click on a line of one of these types, unfold the Bluetooth Attribute Protocol drop-down in the pane with details below, and unfold Opcode. Now right-click on Method: Write Request (0x12), and then choose Apply as Filter | Selected.

The number of shown packets now decreases dramatically (Figure 3), which makes it much easier to determine the command structure. Based on the date and time you wrote down earlier (Sunday, March 5, 2023 at 11:01), you want to look for numbers like 0 or 7 (for Sunday, as the day of the week), 3 (March), 5, 2023, or 23, 11, and 1.

Figure 3: Determine the meaning of the commands your phone sends to the BLE clock.

The first Write Request just enables notifications, which is probably needed to get the log of sensor measurements from the device. But the second packet, a Write Command, immediately looks like a winner with a value of a51703050b010707015a. The sequence 03050b01 immediately stands out here – it looks like March 5 at 11:01. The hexadecimal value 17 is also not too difficult to understand: 0x17 = 1 x 16 + 7 = 23; that's the year.

The two 07 values make decoding a bit difficult. One could be the day of the week, Sunday, but which one? You should create another Bluetooth log while using the app to figure this out. You'll see that every packet always starts with the value a5 and ends with 5a, so this looks like a header and footer. The 01 before the 5a also doesn't change, so this could be part of the footer, or maybe encode something else. Moreover the second 07 stays 07, so that looks like it encodes the day of the week, while the first 07 changes to something else. Maybe those are the seconds, which aren't shown on the clock's display.

Downloading the Mobile App

You have decoded enough now from the Bluetooth logs to be able to send the right commands to the clock to set its time, but there are still some questions. I'll decompile the Android app ThermoPro Sensor and try to figure out those last unknown bytes.

You first have to download the APK file for the Android app. If you're still connected through USB and have enabled the debug connection, you can get the package using adb. First list the paths of the available packages:

adb shell pm list packages -f

Then search for the app's name in the resulting list. Unfortunately, ThermoPro isn't listed in the output. A search on the Google Play website and a look at the URL of the app's web page shows that the package has the name com.ihunuo.ykr_hn_2005a_tlw66. So the following line in the package list is the app's package:

package:/data/app/~~9-mLh7bIZiKuB28ZkEI3Ew==/com.ihunuo.ykr_hn_2005a_tlw66-0iLaTUvHdWrAhZ51gxUzUQ==/base.apk=com.ihunuo.ykr_hn_2005a_tlw66

Now copy the APK file from the phone to your computer:

adb pull /data/app/~~9-mLh7bIZiKuB28ZkEI3Ew==/com.ihunuo.ykr_hn_2005a_tlw66-0iLaTUvHdWrAhZ51gxUzUQ==/base.apk

and use the path after package: and before the last = character. The result is now saved on your computer in base.apk.

If getting the APK file this way doesn't work, you can also download it from a third-party APK downloader site, such as APKPure [4].

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Bluetooth LE

    Bluetooth Low Energy is ideal for networking battery-powered sensors. We show you how to use it on the Raspberry Pi.

  • Bluetooth Security

    Is your address book open to the world? Is your mobile phone calling Russia? Many users don’t know how easy it is for an attacker to target Bluetooth.

  • Bluetooth Hacks

    The user rules in Linux – if you know where you’re going. This month the trail leads deep into the Linux Bluetooth stack.

  • Adding a Bluetooth Speaker to Linux
  • Bluetooth Mobile Phones

    It is becoming increasingly common for new generation mobile phones to have an integrated Bluetooth interface. This article explores how to access your Bluetooth phone using Linux.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News