
ble & encryption tutorial pls

Status
Not open for further replies.

Dr_Doggy

Well-Known Member
First I should say that just trying to find the command string to my BLE device is hard enough... there may be a layer of encryption around it too!? This is just for a BLE lightbulb and works with my phone through its software; I'd be happy if I can control it externally from an Arduino (since I can't get a BLE SDK for Win7).
So first I have successfully scanned and found the device (device #1) with a generic scanner which shows a device MAC address and a string as in img1, called the raw data, but what is all this and is it encrypted?
Next I click the connect button, and it pulls up all these tables, such as a device info table which has things like firmware string UUID, manufacturer string UUID, model string UUID, revision string UUID... next is a generic access string with device name UUID and appearance UUID... all, naturally, read only. Next is the custom service table, a little more interesting, where there are 3 tables all named custom characteristics, which are all also read/write, but the third one is notify too.

1) So I am hoping someone can shed light on how strings are assembled and what is involved for 2-way communications, like are they single packet sends, is there a generic length, and is it like send xxxx, listen for ack... done, or send1 ack, send2 ack, send3 ack?

[Screenshots attached: Screenshot_2020-11-15_082330.jpg, Screenshot_2020-11-15_083422.jpg]

2) Also, thinking about it, I wonder if I need to worry about things like the PAN ID and frequency channels and other similar things I found in XBee?


3) It is also strange that when I scan my Google Home Minis the kitchen speaker shows up with the proper name but the living room one does not. And there are other devices in the home, including those two, that do not allow me to connect at all, although I still get a MAC address from them? It is strange since anyone can cast here, even unregistered users.


4) So about encryption, I have been reading about the types and just have a few questions:
i) I understand a cypher, where my string is 1234567 and key is 123, so I add 1234567 + 1231231... but what happens in the event of 0xFE + 0x02?

ii) Symmetric encryption seems the same as a cypher; is there a difference?

iii) Public key encryption is over my head; I don't get how the key gets to the user safely, or how 2 keys can produce the same output value. Any chance of an algorithm example code floating around? And also, if algorithms are different, how does every PC have it for web browsing?


Thanks in advance!
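For questions i) to iii), an added example (not code from the thread): the "add the key" cipher done byte-wise so that 0xFE + 0x02 wraps to 0x00 and subtracts back to 0xFE, next to a toy RSA keypair (textbook primes p=61, q=53, e=17) showing how a message locked with one key opens only with the other, which is why the public half can be sent openly.

```python
def add_cipher(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Repeating-key additive cipher (the '1234567 + 1231231' idea, per byte).
    '% 256' keeps every result a byte, so 0xFE + 0x02 == 0x00; the receiver
    subtracts the same key byte and gets 0xFE back.  One key, both directions:
    that is what makes it symmetric."""
    sign = -1 if decrypt else 1
    return bytes((b + sign * key[i % len(key)]) % 256 for i, b in enumerate(data))


def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Toy RSA with tiny primes (sizes like this are for illustration only).
    Returns (public, private).  d is the inverse of e mod (p-1)(q-1), which
    only someone who knows p and q can compute, so handing out (e, n)
    reveals nothing usable about d."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse, Python 3.8+
    return (e, n), (d, n)


def rsa_apply(m: int, key: tuple) -> int:
    """m^k mod n.  Applying the public key and then the private key (or the
    other way round) gives the original m back: the two keys undo each other,
    which is the 'two keys, same output' property asked about above."""
    k, n = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, k, n)


if __name__ == "__main__":
    ct = add_cipher(b"\xfe", b"\x02")
    print(ct.hex(), add_cipher(ct, b"\x02", decrypt=True).hex())   # 00 fe
    pub, priv = rsa_keypair()
    c = rsa_apply(65, pub)
    print(pub, priv, c, rsa_apply(c, priv))                         # ... 2790 65
```

Real systems (TLS in every browser) use the public-key step only to agree on a session key and then switch to a fast symmetric cipher; the algorithms are standardised, which is how every PC already has them.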
 
I don't think it is encrypted, as much as just being a binary / ascii mixed protocol.
The second and 5th lines contain what appear to be ASCII characters, represented in hex as all the data is in that image.

The second could be the maker?
The fragment in the 5th does not make any sense; it could just be chance numbers, or an access key or password of some sort:

46 75 6C 69 66 65
Fulife

6D 46 70 6C 77 32 71 41
mFplw2qA
 
So I found 2 websites where they were able to get control of similar devices; however, their strings were simple: there were a few bytes in the string that passed the RGB value directly.


I went through the motions, but it seems my packets are a little more complex. Here are 2 captures where I flashed the light green/off about 4x each time.
It seems bytes 1-12 are packet info, byte 13 is a counter of sorts, 14 & 15 the same but different between the 2 connections.
16-32 complete garble.


0000 02 40 00 1b 00 17 00 04 00 52 15 00 86 8c 0b ea c8 72 0c 4d 2c af a6 3c a5 48 bc b5 27 90 0c be .r.M,..<.H..'...
0000 02 40 00 1b 00 17 00 04 00 52 15 00 85 8c 0b 0f 8b d1 70 d9 4a 41 d0 0f 7a fa 85 d0 5b 48 27 05 ..p.JA..z...[H'.
0000 02 40 00 1b 00 17 00 04 00 52 15 00 84 8c 0b 6a ca 78 d0 10 09 1b 35 2a a5 52 e6 3b 6e 1a eb ef .x....5*.R.;n...
0000 02 40 00 1b 00 17 00 04 00 52 15 00 83 8c 0b d8 df 55 cd fe 00 7d 05 d2 08 7b cf 07 d7 06 5a 5e .U...}...{....Z^
0000 02 40 00 1b 00 17 00 04 00 52 15 00 82 8c 0b 27 0c b0 7f 26 cb fb df 36 2b 91 cc c4 69 79 de 94 ...&...6+...iy..
0000 02 40 00 1b 00 17 00 04 00 52 15 00 81 8c 0b 2f 7f 27 92 21 aa 12 10 65 a5 4d 61 dc 2d 2a 4a 73 .'.!...e.Ma.-*Js
0000 02 40 00 1b 00 17 00 04 00 52 15 00 80 8c 0b 85 13 4f 92 4a fd ad e5 6a de df a9 f1 cf 53 4f 5e .O.J...j.....SO^
0000 02 40 00 1b 00 17 00 04 00 52 15 00 7f 8c 0b d1 4f 22 20 06 dc aa 7d 13 54 9e 3c 03 d3 b2 3a 44 O" ...}.T.<...:D
0000 02 40 00 1b 00 17 00 04 00 52 15 00 7e 8c 0b d4 94 56 be 47 f1 56 d6 b4 81 bb 9f d9 7b 63 50 3e .V.G.V......{cP>
0000 02 40 00 1b 00 17 00 04 00 52 15 00 7d 8c 0b d3 7e ac 7b 85 ef ca e3 c8 ec 43 49 7e bd ca 61 d9 ~.{......CI~..a.
0000 02 40 00 1b 00 17 00 04 00 52 15 00 7c 8c 0b 2d 1f 99 a0 80 58 3f 47 f2 68 80 5b 77 da ef 30 d1 ....X?G.h.[w..0.
0000 02 40 00 1b 00 17 00 04 00 52 15 00 7b 8c 0b ca b5 49 6e b7 89 88 3a 61 d6 1d 8d 0a 05 26 c5 ec .In...:a.....&..
0000 02 40 00 1b 00 17 00 04 00 52 15 00 7a 8c 0b 4a 27 0a 6e a8 26 c6 e6 2f 3e 4b 43 70 ed f1 b7 d1 '.n.&../>KCp....
0000 02 40 00 1b 00 17 00 04 00 52 15 00 79 8c 0b 00 5a a7 30 ff f4 16 81 5d 3b a5 51 6b f3 a3 75 83 Z.0....];.Qk..u.
0000 02 40 00 1b 00 17 00 04 00 52 15 00 78 8c 0b e8 d7 47 37 e9 96 3e fd cd 48 c3 36 ab ad 46 42 6f .G7..>..H.6..FBo

0000 02 40 00 1b 00 17 00 04 00 52 15 00 7f 07 43 e1 8b 3c c7 b6 6a b3 83 23 67 ae 6c c9 c7 56 5a c7 .<..j..#g.l..VZ.
0000 02 40 00 1b 00 17 00 04 00 52 15 00 7e 07 43 09 ad 4c 88 78 1e 44 a9 40 7b 47 a6 aa d1 0d 4f 8b .L.x.D.@{G....O.
0000 02 40 00 1b 00 17 00 04 00 52 15 00 7d 07 43 b3 25 71 24 43 ed c7 61 67 82 b6 10 d8 e8 39 fc 73 %q$C..ag.....9.s
0000 02 40 00 1b 00 17 00 04 00 52 15 00 7c 07 43 de 67 85 91 a9 9a ca 49 48 3f e0 44 a4 73 d8 95 c4 g.....IH?.D.s...
0000 02 40 00 1b 00 17 00 04 00 52 15 00 7b 07 43 47 48 32 07 38 de ad e0 a0 66 04 5f cc 6b f2 d0 5c H2.8....f._.k..\
0000 02 40 00 1b 00 17 00 04 00 52 15 00 7a 07 43 06 b3 0b 22 13 7c ee f7 5b 01 0b 61 f2 31 e4 1c 05 ..".|..[..a.1...
0000 02 40 00 1b 00 17 00 04 00 52 15 00 79 07 43 49 c7 d4 b5 8a 3a 91 f5 dc 25 63 7a af 08 01 38 88 ....:...%cz...8.
0000 02 40 00 1b 00 17 00 04 00 52 15 00 78 07 43 ae c7 08 68 8e d4 e0 0c c2 1d 57 7f d9 c8 c0 27 ed ..h......W....'.
0000 02 40 00 1b 00 17 00 04 00 52 15 00 77 07 43 3d 51 99 8c 2f 1e 2d 9e 00 70 82 9d bf 74 dd ab 23 Q../.-..p...t..#
0000 02 40 00 1b 00 17 00 04 00 52 15 00 76 07 43 7f ef eb 0c 59 73 12 0c 5a d1 9c fa a2 ff 4f 2d 4f ...Ys..Z.....O-O
0000 02 40 00 1b 00 17 00 04 00 52 15 00 75 07 43 ec 9f 55 58 60 e1 d2 ef 69 19 a6 88 62 8a a1 59 ba .UX`...i...b..Y.
0000 02 40 00 1b 00 17 00 04 00 52 15 00 74 07 43 06 b7 36 71 fb 3d 27 d2 bd bf 44 91 9a 8d c9 b2 3e .6q.='...D.....>

I am tempted to roll it against the mFplw2qA key, but how would I do that? Even though it prolly won't work anyway.


Any ideas where to go from here??
 
In addition, I have narrowed it down to these 2 packets by using a 20-second delay after powering on BT, one being an off instruction, and one is on & green.


0000 02 40 00 1b 00 17 00 04 00 52 15 00 65 a8 82 83 69 fc f6 1b 4e aa 4e 9c 31 71 ed 7a 18 5b f9 d6 i...N.N.1q.z.[..
0000 02 40 00 1b 00 17 00 04 00 52 15 00 66 a8 82 9e 49 39 03 3d 2f b6 cf cd 39 f3 bf 7a 0d 14 5f b0 I9.=/...9..z.._.


From the most recent new log:
 

Attachments

  • btsnoop_hci987.zip (4.3 KB)
Breaking down the packets even more, I have narrowed it down to this:
Payload: 521500c8541006d232a151a7d45e37f085fbc4780768c2

bytes 1-3 = 0x521500 = device ID, always the same
bytes 4-6 = 0xc85410 = time stamp, increments per instruction; running tests to compare relation to real time

Leaving the following 17 bytes yet to be resolved:
06 d2 32 a1 51 a7 d4 5e 37 f0 85 fb c4 78 07 68 c2

The instruction contains the red command, so one assumption I can make is that a string in there will be FF0000 or 00FF00 or 0000FF.

Any hints or ideas as to what I can try next?
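For the two captures posted earlier and the payload breakdown just above, an added example that is not code from the thread: a small parser that splits each dump line into its layers (02 40 00 1b 00 is the HCI ACL header, 17 00 04 00 the L2CAP header for the ATT channel, and 52 15 00 the ATT Write Command opcode followed by handle 0x0015) and then compares the written values across packets of the same command to report which byte positions stay fixed, which count, how often the rest ever repeats, and whether an FF0000/00FF00/0000FF literal appears. The three sample lines are copied from the first capture.

```python
# Constructed sample: the first three lines of the first capture in the thread.
SAMPLE = """\
0000 02 40 00 1b 00 17 00 04 00 52 15 00 86 8c 0b ea c8 72 0c 4d 2c af a6 3c a5 48 bc b5 27 90 0c be .r.M,..<.H..'...
0000 02 40 00 1b 00 17 00 04 00 52 15 00 85 8c 0b 0f 8b d1 70 d9 4a 41 d0 0f 7a fa 85 d0 5b 48 27 05 ..p.JA..z...[H'.
0000 02 40 00 1b 00 17 00 04 00 52 15 00 84 8c 0b 6a ca 78 d0 10 09 1b 35 2a a5 52 e6 3b 6e 1a eb ef .x....5*.R.;n...
"""
RGB_LITERALS = (b"\xff\x00\x00", b"\x00\xff\x00", b"\x00\x00\xff")


def parse_hci_acl(line):
    """Split one dump line into HCI ACL / L2CAP / ATT fields; None if malformed."""
    raw = bytes.fromhex("".join(line.split()[1:33]))   # drop offset and ASCII columns
    if len(raw) < 9 or raw[0] != 0x02:                # 0x02 = HCI ACL data packet
        return None
    acl_len = int.from_bytes(raw[3:5], "little")
    l2cap_len = int.from_bytes(raw[5:7], "little")
    att = raw[9:9 + l2cap_len]
    if acl_len != l2cap_len + 4 or len(att) != l2cap_len:
        return None                                   # layer lengths disagree
    return {
        "conn_handle": int.from_bytes(raw[1:3], "little") & 0x0FFF,
        "cid": int.from_bytes(raw[7:9], "little"),    # 0x0004 = ATT channel
        "att_opcode": att[0],                         # 0x52 = ATT Write Command
        "att_handle": int.from_bytes(att[1:3], "little"),
        "value": att[3:],                             # bytes written to the characteristic
    }


def analyze(dump):
    """Compare the written values across packets carrying the same command."""
    pkts = [p for p in map(parse_hci_acl, dump.splitlines()) if p]
    vals = [p["value"] for p in pkts]
    width = min(len(v) for v in vals)
    columns = [[v[i] for v in vals] for i in range(width)]
    constant = [i for i, c in enumerate(columns) if len(set(c)) == 1]
    # after the counter/prefix: how many positions have any two packets sharing
    # a byte?  Repeated plaintext collides almost everywhere, random data ~1/256.
    tail = columns[3:]
    collisions = sum(len(set(c)) < len(c) for c in tail) / len(tail)
    return {
        "packets": len(pkts),
        "att_handle": pkts[0]["att_handle"],
        "counters": [v[0] for v in vals],
        "constant_positions": constant,
        "tail_collision_rate": round(collisions, 3),
        "rgb_literal_seen": any(lit in v for v in vals for lit in RGB_LITERALS),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A value that changes almost entirely each time the same command is sent, with no RGB literal in it, is what an encrypted or nonce-mixed payload looks like; a plain command would repeat byte for byte apart from the counter.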
 