Monday, January 22, 2018

Bluetooth 5.0 Review


Bluetooth 5 Key Features: 2X speed, 4x range and advertising extensions

Bluetooth Low Energy (BLE) is the fastest growing wireless protocol for short-range (<100 meters), low data-rate (<10 Mbps) applications. More than 3.5 billion Bluetooth devices will ship in 2017. Bluetooth is growing at least an order of magnitude faster than any of the other competing protocols like Zigbee, Z-wave, Thread, AllJoyn, IoTivity, ANT, WirelessHART, DigiMesh, EnOcean and others. This explosive growth is attributed to two factors:

  • Apple’s choice to include Bluetooth radio in its iPhone and iPad product segments.
  • Bluetooth Special Interest Group(SIG) has aggressively updated the BLE specifications to match the evolving needs of this huge market.

The result is Bluetooth radios are ubiquitous in consumer electronics segment. The numbers below are from Bluetooth SIG website:
Bluetooth 5 Key Features

Are wireless protocol wars over?

Last few years has witnessed an intense battle between short-range ISM band wireless protocols. There are many good online comparisons of the technical merits of each protocol. No protocol is perfect and there is no requirement that all applications use the same protocol. Many legacy applications will continue to use their existing protocols as the cost of retrofit is too high.

For many applications, the small differences and advantages in the technical features of their favorite protocol will not be sufficient to overcome the business, cost and interoperability advantages of the “popular” protocol. In terms of popularity, Bluetooth is the clear winner, and this is one area where network effect will accelerate its dominance. The newly released version 5 of the Bluetooth specification is designed to cement the leadership position of this protocol. This post summarizes some of the key highlights from the 2800 page Bluetooth 5 core specification published by the Bluetooth SIG.

New features of Bluetooth 5.0

The most important features are:

  • speed increase
  • range increase
  • New advertising modes

Speed increase - The new 2 Mbps option

The bottom layer of the Bluetooth stack is called the physical layer or the PHY. Bluetooth 4.x specification called out the 1 Mbps PHY. The 5.0 version adds the 2 Mbs (LE 2M) option. To use this new capability, the both radios in the link must support the 2Mbps rate. Together, with Data Length Extension (DLE) feature that was announced in Bluetooth 4.2, the new PHY will increase the speed and the amount of data that can be transferred over a BLE 5.0 link. For devices that do not require higher data rates, the 2Mbps link will offer an advantage in terms of power consumption, as these devices will require half the time complete a wireless transaction. There is also an additional benefit where packing the data at 2Mbs will increase the network capacity as all devices have to share the same wireless medium. This new mode will enable applications like medical ECG, voice-remotes, still-image transfer, power-efficient beacons, etc.

Range increase - The new coded PHY option

In addition to standard 1Mbps and 2Mbps options, Bluetooth 5.0 offers the 500 Kbps and 125 kbps options, also called the coded-rates. Both the coded-rates use the underlying 1 Mbps PHY. In case of the 500 kbps options, two bits of 1 Mbps stream is used encode 1 bit of 500 kps data. In case of 125 kbps, 8 bits of 1 Mbps stream is used to encode 1 bit of 125 kbps data. This encoding scheme uses Forward Error Correction (FEC) technique to create a wireless signal with higher Signal-to-Noise Ratio (SNR). In case of 500 kbps stream, the range is doubled and for 125 kbps, the range is quadrupled. In both the case, the increased range is achieved without increasing the radio transmitter power. With this new range options, Bluetooth LE provides credible options for enterprise and industrial IoT deployments. The capability to switch between fast connections and long range will protect investment in the Bluetooth technology stack. It is important to note that it is not possible to obtain the higher 2x speed and 4x range simultaneously.

New advertisement modes - advertisement extensions

Bluetooth LE connectionless mode is very popular with applications like beacons and sensors. The connectionless mode uses Bluetooth advertisement channels to broadcast data to any Bluetooth radios that are in the scanning mode. With BLE 4.x, all the advertisements are transmitted on 3 channels (out of 40 total channels). The new advertisement extensions expand these capabilities significantly:

  • Increased channel capacity: To increase payload capacity without clogging the advisement channels, BLE 5.0 can start advertisements in the standard channels and complete the data transfer on an agreed upon non-advertising channel.
  • Increased payload size: Up to 255 bytes of data can transferred in non-advertising channel.
  • Payload chaining: Advertising packets can be chained together to create large beacon payloads. A chain can hold a maximum of 1650 bytes.
  • Periodic advertisements: Advertising packets can be sent periodically, allowing observers to lock on to a stream of advertised packets.

Impact of Bluetooth 5.0 specification

Bluetooth 5.0 is a major update to the wireless standard. Many Bluetooth applications that were operating on the feasibility edge (in terms of range or data throughput) are now fully supported. Previously, some applications used a Bluetooth radio to support short-range communication and a sub-1-Ghz radio for long distance communication link. With BLE 5.0, communications links is dramatically simplified by using a single technology stack

The current Bluetooth mesh technology is based on broadcast capabilities provided by the BLE 4.x standard. With the new advertisement extensions, it is expected the BLE mesh will also be revised to exploit the new capabilities. BLE 5.0 will enable further penetration in home and building automation, industrial IoT and in healthcare applications. The latest generation smartphones are starting to support the new Bluetooth 5.0 features. It will take a few years for this change to occur. For many applications, using a Bluetooth edge gateway will be the fastest route to harness the full power of the Bluetooth 5.0 specification.

Tuesday, January 16, 2018

My journey towards Reverse Engineering a Smart Band — Bluetooth-LE RE

 Hello Security and Maker enthusiastic, After my first blog on how I reversed the Bluetooth smart massage. I have been busy with other pen-tests. Finally I am free and I am going to write about my recent reverse engineering experience a smart band. Smart band has been a important fashion statement for people which helps people in measuring their heart rate or tracking their steps or find calorie they have burnt and obviously to finally look at your hand for time and not the smartphone.

So the smart band which I have got is a Chinese manufacturer, but they are not dead cheap. I got this one for around 25$(2 weeks of waiting) which is almost close to 30$ Mi Band 2. I got the device from banggood, which is something I trust if I want to buy something which is not available in my country.

You can buy this smart band at here

So let’s talk about the features of the device before i talk about reverse engineering it.

I would like to get help from it’s marketing posters to understand the features of the smart device.

Ahh! They didn’t mention anything about the ability to see the time.

Now let’s look into the hardware specification which they have mentioned in their marketing posture.

Technical Specifications

Nordic uhh?? I guess it will be the classic NRF51xx or if i am lucky it will be NRF52xx and MC3413-P is a 3-Axis Accelerometer from mCubemems.

If you notice carefully at the Outdoor feature, it clearly says that the sensor like weather, altitude or UV sensor is being sent from the smart phone via Bluetooth and not from the on-board sensor. Nice idea. They have a HRM(Heart rate) which works on Photoplethysmogram(biomedical words)

It has a 130mah battery. It works solidly for a week. Power management is amazing which I really liked in this smart band compared to my pebble which works for 3-4 days.

Now let’s talk about the device functionality.

Yes. the first part is all about how the device actually pairs to the phone. The answer is YES. There is no pairing method, it just connects. So it means anyone with the app or a Bluetooth stick can sniff or read and write to the device.

Now let’s look at the app functionality.

  1. App lets you pair with the device(without any security).

2. App lets you send phone notification to the watch.

3. App can track the band and create a gentle vibration

4. App can synchronise the time and other weather information

5. App can retrieve weather information from the internet and send it to the watch

6. App can read heart rate and other medical parameter like SpO2 and mmHg.

These are the basic operations that the app can do. Few other features like setting timer to read heart rate and other. I would like to keep it simple and reverse these operation in the devices and control the device.

If you want to understand the basics of Bluetooth , using GATTool and using GATTacker i would suggest you view Github repo or my previous post

Now let’s use GATTool and read what are the type of service and characteristics is running in the watch.

We got the Bluetooth address

lescan output

After waiting I found out that the GATTool wasn’t able to connect to the device.

gattool output

After having a long conversation with the @slawekja . I came to realise that I need to use random addressing in the GATTool which changes the parameter of the BD address so the watch can understand that it is connecting to a phone and not a computer.

YaaaY!! It is now connected. Now let’s see all the characteristics and services that is being run in the devices.

Now we know there are lot of non Bluetooth SIG services that is being run in the device.

Now we need to identify how and when the data is being transmitted to the device and vice versa.

Now start the GATTacker in advertisement mode and analyse the data sets.

Now initialise the app and connect to the Watch.

Once i have connected the watch to the device I could see a large number of data is being transmitted and the watch synchronizes all the data whenever a device gets paired.

First step is to find which handle the data is being written. The app is sending a Write request to “c3e6fea1e96610008000be99c223df6a” which has a handle “0x0011” as shown in the GATTool and the device sends back confirmation by using a Notification handle which is “c3e6fea2e96610008000be99c223df6a”

Data Format:

Now let’s look at few chunk of data

Initial datasets

Now I started replaying these commands back to see how it affect. To my luck the data inside the device got synchronised with these data.but now the question is what are the data? and where are these data being present?

I started doing trial and error on these by manipulating individual byte and see the different.

Let’s group the data into 1 byte for better understanding of the packet.

First two data sets

Let’s take the second packet and analyse.

ba 20 → Looks same in all packets It should be a header.

00 → Looks like some sort of data separator or padding.

0c →This is the data length.

00 → IDC

1e → I am just guessing it is a CRC. Happy to get any feedback

00 →IDC

01 → It looks like a Packet counter.

02 → It could be the type of data that it is sending.

00 → IDC

07 → The data begins

* IDC → I dont care

Clock Data:

Since it is a smart band let’s first reverse the clock data .

To analyse the data. I started sending one data set at a time and started checked if that is changing the time.

Voila! The second dataset actually controls the time that is being displayed in the band.

Now i started manipulating individual bytes to understand the data format

“ba20-000c-001e-0001-0200-2000-07-11-0c-06-16-29-16 01”

ba20 →Header

000c →Data size

001e →CRC

0001 →Packet counter

0200 →Data Header

2000 →Data header

07 →IDC

11 →Year

0c →Month

06 →date

16 →Hour

29 →Minute

16 →Seconds

01 →IDC

The script i used to send random data to the time parameter can be found in the Github repo.

Camera and Find Data:

Now the Find band and Camera mode is obviously easy. Just capture and replay. It doesn’t have much functionality to play around.

“ba20-0006-00ec-006b-0400-46000101" → Camera

“ba20-0005-0040-0068-0500-500000” → Find

Weather Data:

Now let’s go forward and reverse the weather parameter.

By analysing the 6th dataset.


ba20 →Header

000b →Packet size

004c →CRC

0005 →Packet counter

0300 →Data header

3000 →Data header

06 →IDC

13 →High temperature

1c →Low Temperature

02 →Weather mode

15 →IDC

1d →IDC

02 →IDC

The script to randomise this parameter can be found in the Github repo.

Outdoor Data:

Now if you remember, we talked about few features that the device has which is being synchronized by the app and not a sensor in the band.


ba20 →Header

000a →Packet length

0008 →CRC

0000 →Packet counter

0e00 →Data header

e100 →Data header

05 →IDC

03 →UV level

F4 →Pressure second byte

03 →Pressure first byte

7a →Altitude second byte

00 →Altitude first byte

The script to randomise these parameter can be found in the Github repo.

Notification data:

Now comes my favourite part. We can send notification to the band like call or msg or other notification.

Now let’s understand the data.

Whenever my phone send a notification a huge chunk of data is being transmitted. Yes. Everything is in plain text.










ba20 →Header

008e →Packet length

00c0 →CRC

0000 →Packet counter

0600 →Data Header

6000 →Data Header

89 →When i modify it, i can increment the length of the data that is being printed.

01 →Type of notification

Fffe** —> Data starts and has 00 in between each byte.

Which performing a sort of fuzzing in the Type of notification i get to see lot of digits and symbols which is inside the flash memory. Maybe like bufferoverflow.

This makes me wonder, If someone can intercept any confidential information from the phone like OTP or password and other information.

Reading Heart Rate:

I think it is enough talking about how to write data to the data. Now let’s talk about reading data from the device like reading HRM or Blood oxygen and displaying it.

Sniff the communication when hrm is enabled and you see that the notifucation handle sends the hrm. Similar for other levels.

Lets analyse the data again.

Since it is just one parameter, i can just look at the data and identify the value


ba300006002400000a00ab0001 →IDC

4d →Heart rate

Now use this script found in the Github repo to subscribe to the handle and read the notifications and decode it.

Now you can try the same for Sp02 and mmHg and read it similarly.

Something weird i noticed when it comes to Firmware update. It uses a Nordic SoftDevice OTA to flash it. Write 0x42 in 0x0011 handle and the device goes into OTA mode and user can flash any firmware package. Literally and it is mentioned in one their seller’s site.

In this process, I felt like i should create a tool where people can fuzz individual bytes and monitor changes. It is very minimalist. You can check it out here.

I think I have done my part of the research in reverse engineering the smartband. I haven’t done much on the android app, just basic ones.

Few hardware internal pics to make you curious.

Inside the hood
SQI Test pads
UART pads
SWD pads
nrf51822 SoC
Some flash

I really like this smart band. I don’t want to open it. :( anyway I will do a another blog on it’s hardware components and how to assess the hardware security of this device.

Please feel free to contribute/collaborate and exploit it furthermore.