Sniffing, Reverse Engineering, and Coding the ESP32 Bluetooth LE Part 1 of 3

  • Published 10 Sep 2024
  • Learn to sniff Bluetooth traffic, reverse engineer a custom protocol, and then code an embedded app on the ESP32 to leverage the protocol. Sniffing Bluetooth is not difficult and this 3-part series gets you started!
    Part 1 covers the nRF52840 device and the installation of Wireshark, Python, and the Nordic nRF sniffer software on Windows 10.
    Nordic Instructions: infocenter.nor...
    Any action you take upon the information in my UA-cam videos or related schematics/stl/source code/additional content is strictly at your own risk and I will not be liable for losses, damages, or injuries in connection to the use of the videos or the recreation of the projects in the videos. I am NOT a professional Electrical Engineer, nor am I licensed as an EE.

COMMENTS • 76

  • @SuperBernala
    @SuperBernala 7 months ago +3

    Only discovered this 2 years after it was posted, but what a GREAT tutorial series. All 3 videos are straightforward, simple to understand, and he assumes NO PRIOR KNOWLEDGE. Excellent work; that is how you do a tutorial. Subscribed.

  • @kylemattfield4431
    @kylemattfield4431 1 year ago +1

    Stuart, thanks for the great info and the fantastic video!

  • @bloodfire29
    @bloodfire29 3 years ago +4

    Man, this is amazing! Share more of your knowledge please :)
    I'm currently trying to reverse engineer a Japanese light switch controlled by Bluetooth. Not sure I'll be successful, but I'm following your steps.

    • @StuartPatterson
      @StuartPatterson 3 years ago +3

      I got lucky because the light was pretty easy once I looked at the data, but thank you for the kind words!

  • @rpavlik1
    @rpavlik1 3 years ago +2

    Good timing, I recently got the (original) nrf52840 dongle, got two of them for $10 each in a recent Digikey order, and had just tried the sniffer the day this video hit Hackaday. I'm keeping one with the stock bootloader for use with the sniffer or nrf connect desktop, the other received stackable headers and the Adafruit uf2 bootloader: somebody has a fork of the Adafruit nrf52 bsp and the platform io support files that add support for the dongle.

    • @Adam-ee9lm
      @Adam-ee9lm 2 years ago

      Which Digi-Key part did you order?

    • @rpavlik1
      @rpavlik1 2 years ago +1

      @Adam-ee9lm I went to look... It's the $10 one whose part number is literally NRF52840-DONGLE, apparently.

  • @patadia
    @patadia 1 year ago

    Exactly what I was looking for. Thank you for sharing.

  • @doctorx558
    @doctorx558 16 hours ago

    I found two adapters to buy: one is like yours and the other is the Holyiot nRF52840+PA with a non-removable antenna and magnetic suction reset.
    Which one should I take? The PA version is +20dBm, while the one you have is, I guess, +8dBm, but its antenna can be removed and a stronger one installed.
    I was also thinking about buying the Ubertooth One, but as far as I understand you can do exactly the same thing with the nRF52840 dongle and save money; it's cheaper.

    • @StuartPatterson
      @StuartPatterson 15 hours ago +1

      Sorry, man, I have only used the one from the video and to be honest that was a few years ago. I would not be surprised if there are better solutions and/or even using your smart device. I do remember that the one in the video did have some software on it and I did not have to update it. Heck, I am sure there is an update by now!

  • @user-jr5cp5xd7c
    @user-jr5cp5xd7c 2 years ago +1

    Can you help me? I did everything exactly as in your instructions, but at the launch stage I do not receive packets, although I see devices and their signals in the list. What could be the problem?

    • @user-jr5cp5xd7c
      @user-jr5cp5xd7c 2 years ago

      But on my Linux all is fine. Very strange.

    • @StuartPatterson
      @StuartPatterson 2 years ago +1

      Guessing, but it might be an issue with Python on the Windows machine. I would confirm it is in the system path and is launching properly. It has been a while since I used this technique, so you might have to roll up your sleeves and debug the issue.

    • @user-jr5cp5xd7c
      @user-jr5cp5xd7c 2 years ago

      @StuartPatterson I hope I can solve this problem, thanks for the advice!

    • @StuartPatterson
      @StuartPatterson 2 years ago

      Me too. If you do figure it out, please post the solution back here in case someone has a similar problem. The Python add-in is what you should be looking at, at least in my opinion.

    • @user-jr5cp5xd7c
      @user-jr5cp5xd7c 2 years ago

      @StuartPatterson ok!

  • @piotrekmezyk9413
    @piotrekmezyk9413 1 year ago

    Thank you for the tutorial!
    I followed your steps trying to reverse a Tuya drawer lock, but it did not work. I can connect for a while to the device via nRF Connect (the mobile and desktop versions), I know the device's name and address, but it does not show in Wireshark. Even if I try to add the LE address (according to NS' infocenter) it does not help.
    Any idea how I could sniff this communication between the Tuya app and the device?

    • @StuartPatterson
      @StuartPatterson 1 year ago

      Not sure, but I just ordered one from Temu. Once I get it I will play around and see if I can figure it out. No promises, but we might get lucky!

    • @piotrekmezyk9413
      @piotrekmezyk9413 1 year ago

      @StuartPatterson that's great! I'd be grateful for any advice, even without such a video tutorial!

    • @StuartPatterson
      @StuartPatterson 1 year ago

      Well, I have been playing around with the Tuya smart drawer switch for a few hours now. It does use encryption, as identified by the LL_FEATURE_REQ (0x08) opcode sent and the returned LE Encryption bit being set. I looked at the encryption to see how complex it is and I was not able to decode it; however, I know very little about encryption. I also tried to replay the unlock and it seems, and I could be wrong, that each request required a new encrypted code. Sorry, I was hoping I would figure it out, but this one is pretty well written, at least in my opinion.
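An added example, not from the video or its author, of the check the reply above describes: reading the Link Layer feature exchange for the LE Encryption bit, and watching for the encryption-setup handshake that tells you the later traffic in a capture is ciphertext. Opcodes and the FeatureSet bit position follow the Bluetooth Core Specification (Vol 6, Part B); the PDU payloads are constructed.

```python
# Added example (not the video author's code): classify Bluetooth LE Link
# Layer control PDUs from a sniffer capture to answer two questions a sniffer
# user has: does the peer support LE Encryption, and did the link actually
# switch to ciphertext? Sample payloads below are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

LL_ENC_REQ = 0x03        # central starts the encryption procedure
LL_ENC_RSP = 0x04
LL_START_ENC_REQ = 0x05
LL_START_ENC_RSP = 0x06  # after this PDU, LL data traffic is encrypted
LL_FEATURE_REQ = 0x08    # the opcode mentioned in the reply above
LL_FEATURE_RSP = 0x09
LE_ENCRYPTION_BIT = 0    # bit 0 of the 8-octet FeatureSet, LSB first

@dataclass
class LinkSummary:
    le_encryption_supported: Optional[bool] = None  # None: no feature exchange seen
    encryption_started: bool = False
    control_opcodes: List[int] = field(default_factory=list)

def feature_set_supports_encryption(feature_set: bytes) -> bool:
    """FeatureSet is 8 octets; bit 0 of octet 0 is 'LE Encryption'."""
    if len(feature_set) != 8:
        raise ValueError("FeatureSet must be exactly 8 octets")
    return bool(feature_set[0] & (1 << LE_ENCRYPTION_BIT))

def summarize_control_pdus(payloads: List[bytes]) -> LinkSummary:
    """Walk LL control PDU payloads (opcode octet first, then CtrData)."""
    s = LinkSummary()
    for p in payloads:
        if not p:
            continue  # skip empty or truncated captures
        s.control_opcodes.append(p[0])
        if p[0] in (LL_FEATURE_REQ, LL_FEATURE_RSP):
            s.le_encryption_supported = feature_set_supports_encryption(p[1:9])
        elif p[0] == LL_START_ENC_RSP:
            s.encryption_started = True
    return s

# Constructed sample: feature exchange with LE Encryption set, then the full
# encryption handshake (Rand+EDIV+SKDm+IVm = 22 octets, SKDs+IVs = 12 octets).
SAMPLE_PDUS = [
    bytes([LL_FEATURE_REQ, 0x01]) + bytes(7),
    bytes([LL_FEATURE_RSP, 0x01]) + bytes(7),
    bytes([LL_ENC_REQ]) + bytes(22),
    bytes([LL_ENC_RSP]) + bytes(12),
    bytes([LL_START_ENC_REQ]),
    bytes([LL_START_ENC_RSP]),
]
```

If `encryption_started` is set, ATT/GATT payloads captured after that point will not decode in Wireshark without the link key, which is the situation the reply describes.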

    • @piotrekmezyk9413
      @piotrekmezyk9413 1 year ago

      @StuartPatterson Thank you for your work! It seems I will have to use Tuya's libraries to use this lock.

  • @antonptashnik4179
    @antonptashnik4179 1 year ago

    Thanks for the series, it nicely introduces BLE sniffing!
    One question that bothers me: I suppose other devices may have their communication encrypted somehow. It'd be cool if you could say how one may identify whether a given device uses encryption, and how to sniff such communication in this case.

    • @StuartPatterson
      @StuartPatterson 1 year ago +2

      Thank you. Agreed. I need to look into extending the series and covering sniffing encrypted data. I need to personally learn more about it before sharing.

  • @stefankasmannhuber3750
    @stefankasmannhuber3750 2 years ago

    Hey, great video! But I am pretty new to Bluetooth and I still have a question. I am trying to make a universal remote control (including 3 infrared remote controls and 2 Bluetooth ones) with an ESP32. The 2 Bluetooth remotes are the Firestick TV and T-Mobile box remote controls. Before I buy the nRF sniffer, I would like to know if it should be possible to read the communication of the Firestick/T-Mobile remote, or could it be that the communication is somehow encrypted?

    • @StuartPatterson
      @StuartPatterson 2 years ago

      Sadly encryption is always a possibility. I would search online to see if anybody has decoded the fire stick remote.

  • @mirkowaechter
    @mirkowaechter 6 months ago

    Great video series! I just got my sniffer and wanted to try it out, but I don't get any ATT packets (only LE, mostly advertising and scans) with my sniffer, though I am definitely sending GATT writes (since I programmed the client myself) and the other device is answering. (I can see my advertising packets.) It's a connection without bonding.
    Do I need to listen on some other channel or something?

    • @StuartPatterson
      @StuartPatterson 6 months ago

      Hmm, honestly not sure. It has been a long time since I’ve done much BLE stuff. Sorry.

    • @mirkowaechter
      @mirkowaechter 6 months ago

      @StuartPatterson thanks for the quick response! Maybe I can find out myself.

    • @mirkowaechter
      @mirkowaechter 6 months ago

      In case others have the same problem: I think the sniffer didn't get the "new connection" packet (CONNECT_IND), which it uses to follow a connection. With a different device combination it works (which luckily was the device I wanted to sniff anyway).

    • @StuartPatterson
      @StuartPatterson 6 months ago

      @mirkowaechter Thanks for sharing! As you stated, it might help others in the future!

    • @TheDutchGuyOnYT
      @TheDutchGuyOnYT 2 months ago

      @mirkowaechter I have the same problem. I only get advertisements, no ATT data. I use nRF Connect to write to characteristics and read. Very annoying.

  • @bennguyen1313
    @bennguyen1313 3 years ago

    Can the Bluetooth Serial CDC profile be run as "Low-Energy"? For example, could I transmit serial ASCII data from a USB/Bluetooth dongle (e.g. HC-06, HM-10) and pick it up using a BLE receiver (Android), etc.?

    • @StuartPatterson
      @StuartPatterson 3 years ago

      Not sure. Sorry.

    • @rpavlik1
      @rpavlik1 2 years ago

      BLE and Bluetooth Classic have almost nothing in common. There's no serial device protocol in BLE by default/standard, but Nordic did publish their own. Not sure if there are any of those little Bluetooth serial modules that speak it though.

    • @bennguyen1313
      @bennguyen1313 2 years ago

      @rpavlik1 Thanks. Are the BT4/5 chipsets in phones backwards compatible, i.e. can they revert to Classic mode? I'd like to use a BT Classic dongle and desktop app (Flutter, Electron, Neutralinojs, Tauri, etc.) to talk to an Android.

  • @mikepulice20
    @mikepulice20 2 years ago

    I've been doing Bluetooth a long time, but always at a company that supplied expensive sniffers. Tech has come a long way, lol. I am at the point where I really need to get better at the filtering for this sniffer so I can quickly find my GATT attributes and such. Any source for good filtering for this sniffer after connection?

  • @uscjake868
    @uscjake868 2 years ago

    Thanks! Is the Ubertooth anything special, or does the Nordic dongle do what you need for packet capture?

    • @StuartPatterson
      @StuartPatterson 2 years ago +1

      The Ubertooth looks very interesting but I do not have one to try.

    • @uscjake868
      @uscjake868 2 years ago +1

      @StuartPatterson getting it to work is a pain. The dependencies are dated and hard to install. I was using a VM, so that could be part of it. I was able to retrieve the LAP.

  • @benoitd94
    @benoitd94 2 months ago

    Hi, good video. Is it possible to use this method to decode a BLE device that requires a password?

    • @StuartPatterson
      @StuartPatterson 2 months ago

      Most are using encryption, but if you see it in the clear text, you might have a shot at it.

  • @jwdsoft
    @jwdsoft 1 year ago

    Thanks for this great tutorial.
    I followed along and tried testing it on Bluetooth Classic, but it seems like it only works for Bluetooth LE.
    Is there a way to sniff Bluetooth Classic?
    Thank you.

    • @StuartPatterson
      @StuartPatterson 1 year ago +1

      Thanks! Unfortunately I have not done any work with Bluetooth Classic, so I can't really answer the question. Sorry.

  • @ustulcik
    @ustulcik 2 years ago

    WOW, great video, thanks for sharing. I really can't find where to buy this dongle. Are they still selling it? Does this technique work with non-low-energy Bluetooth devices (old Bluetooth)?

    • @StuartPatterson
      @StuartPatterson 2 years ago +2

      You should be able to find a Nordic nRF52840 for $10-$15 USD. You might have to install the firmware on the device. Mine came with it already installed. I have not worked with Bluetooth Classic so I can not say, sorry.

  • @ibrahim.qaladze6879
    @ibrahim.qaladze6879 2 years ago

    Hello, very nicely prepared video, but I have a question that is very important to me; please answer me, thank you. Is there anything I can add to my laptop to extend the range of Bluetooth from at least 100 meters to 200 meters? Is there any way I can transfer pictures? Please give me the name of anything. Thank you.

    • @StuartPatterson
      @StuartPatterson 2 years ago

      Thank you for the comment. I am not aware of any Bluetooth extenders or add-on antennas, but they could exist. As for transferring binary data, that should be possible, but I don't have an example. Good luck.

  • @zoenagy9458
    @zoenagy9458 1 year ago

    I subscribed!

  • @justinhalsall4077
    @justinhalsall4077 2 years ago

    Great video!
    Would this work with the SparkFun Pro nRF52840 Mini?

    • @StuartPatterson
      @StuartPatterson 2 years ago

      Thanks for the kind words! I am not certain but I suspect it would, however I suggest you ask SparkFun to confirm. If you find it does work let me know and I will start a list of compatible devices in the video description.

  • @reverseiscool3637
    @reverseiscool3637 1 year ago

    Hello, I wanted to say that you are really creating awesome content. I have a question: Can ESP32 be turned into a BLE sniffer? If yes, can you share a link for guidance? Or maybe a video about it would be great. Because I don't find anything about it. Thank you and I wish you the best! 🙏

    • @StuartPatterson
      @StuartPatterson 1 year ago +2

      Thank you very much for the positive comment! I did a little research and found this GitHub project that might be the solution: github.com/Matheus-Garbelini/esp32_bluetooth_classic_sniffer
      It looks promising and I will add it to my list of topics to research and create a video on! Thanks again!

  • @shufflethemovie
    @shufflethemovie 3 years ago

    Great video Stuart. Quick question, would you have any pointers on how to sniff and track paired devices (RSSI), like a Garmin Smartwatch for presence detection for Home Automation?

    • @StuartPatterson
      @StuartPatterson 3 years ago +3

      I have a future project using an iTAG device where I want to use the RSSI for proximity detection, but I have not started it yet. When I finally get to it I do plan on creating a video. However, I have not even had time to research it yet. Sorry.

    • @shufflethemovie
      @shufflethemovie 3 years ago

      @StuartPatterson that would be wonderful! The main challenge I've noticed is that once the smartwatch is paired with the phone, it stops sending advertising packets, so other BLE devices cannot see the watch.

    • @StuartPatterson
      @StuartPatterson 3 years ago

      @shufflethemovie Hmm, not sure how to get around that one.

  • @king_wing34
    @king_wing34 2 years ago

    Can I use any Bluetooth dongle?
    Or only nRF ones?

    • @StuartPatterson
      @StuartPatterson 2 years ago

      I have only used the nRF52840.

    • @king_wing34
      @king_wing34 2 years ago

      @StuartPatterson thanks for replying :)
      So I tried it with my Bluetooth module... and it didn't work... Probably mine was not a sniffer type.
      Then I found out that Android phones can do something similar by enabling a special option in developer mode, so I tried that... It worked, but it doesn't keep updating the file it makes that holds all that Bluetooth sniff data...
      Have you ever tried that and got it to keep updating the file?

    • @StuartPatterson
      @StuartPatterson 2 years ago

      @king_wing34 No, I need to get an Android tablet or something to play around with that setting. Currently using iOS stuff.

  • @samcurfman8494
    @samcurfman8494 3 years ago

    Can all of this be done on macOS as well?

  • @tj_1260
    @tj_1260 3 years ago

    Ok