Tuesday, January 16, 2018

My journey towards Reverse Engineering a Smart Band — Bluetooth-LE RE

Hello Security and Maker enthusiasts. After my first blog post on how I reversed the Bluetooth smart massager, I have been busy with other pen-tests. Finally I am free, and I am going to write about my recent experience reverse engineering a smart band. Smart bands have become an important fashion statement; they help people measure their heart rate, track their steps or find the calories they have burnt, and obviously let you finally look at your hand for the time and not at the smartphone.

The smart band I have got is from a Chinese manufacturer, but it is not dirt cheap. I got this one for around $25 (2 weeks of waiting), which is close to the $30 Mi Band 2. I got the device from Banggood, which is something I trust if I want to buy something that is not available in my country.

You can buy this smart band here.

So let's talk about the features of the device before I talk about reverse engineering it.

I would like to use its marketing posters to understand the features of the smart device.

Ahh! They didn’t mention anything about the ability to see the time.

Now let's look at the hardware specification they mention in their marketing poster.

Technical Specifications

Nordic, huh? I guess it will be the classic nRF51xx, or if I am lucky an nRF52xx, and the MC3413-P is a 3-axis accelerometer from mCube.

If you look carefully at the Outdoor feature, it clearly says that the weather, altitude and UV data are sent from the smartphone via Bluetooth and do not come from an on-board sensor. Nice idea. It has an HRM (heart rate monitor) which works on photoplethysmography (biomedical words).

It has a 130 mAh battery. It works solidly for a week. The power management is amazing, which I really liked in this smart band compared to my Pebble, which lasts 3-4 days.

Now let's talk about the device functionality.

Yes, the first part is all about how the device actually pairs with the phone. The answer is YES: there is no pairing method, it just connects. This means anyone with the app or a Bluetooth dongle can sniff, read and write to the device.

Now let’s look at the app functionality.

1. App lets you pair with the device (without any security).

2. App lets you send phone notifications to the watch.

3. App can track the band and trigger a gentle vibration.

4. App can synchronise the time and other weather information.

5. App can retrieve weather information from the internet and send it to the watch.

6. App can read heart rate and other medical parameters like SpO2 and mmHg.

These are the basic operations the app can do. There are a few other features, like setting a timer to read the heart rate, and so on. I would like to keep it simple: reverse these operations on the device and control it.

If you want to understand the basics of Bluetooth, using gatttool and using GATTacker, I would suggest you look at the GitHub repo or my previous post.

Now let's use gatttool and read what types of services and characteristics are running on the watch.

We got the Bluetooth address

lescan output

After waiting, I found out that gatttool wasn't able to connect to the device.

gattool output

After a long conversation with @slawekja, I came to realise that I need to use random addressing in gatttool, which changes the address type of the BD address so the watch understands that it is being connected to by a phone and not a computer.

Yaaay!! It is now connected. Now let's see all the characteristics and services that are running on the device.

Now we know there are a lot of non-Bluetooth-SIG services running on the device.

Next we need to identify how and when data is transmitted to the device and vice versa.

Start GATTacker in advertisement mode and analyse the data sets.

Now launch the app and connect to the watch.

Once I had connected the app to the watch, I could see a large amount of data being transmitted: the watch synchronises all its data whenever a device gets paired.

The first step is to find which handle the data is written to. The app sends a Write request to "c3e6fea1e96610008000be99c223df6a", which has handle "0x0011" as shown in gatttool, and the device sends back confirmation using a Notification characteristic, "c3e6fea2e96610008000be99c223df6a".

Data Format:

Now let's look at a few chunks of data.

Initial datasets

Now I started replaying these commands back to see how they affect the band. To my luck, the data inside the device got synchronised with this data. But now the question is: what is this data, and where is it stored?

I started doing trial and error, manipulating individual bytes and observing the difference.

Let's group the data into 1-byte fields for a better understanding of the packet.

First two data sets

Let's take the second packet and analyse it.

ba 20 → Looks the same in all packets; it should be a header.

00 → Looks like some sort of data separator or padding.

0c → This is the data length.

00 → IDC

1e → I am just guessing it is a CRC. Happy to get any feedback.

00 → IDC

01 → It looks like a packet counter.

02 → It could be the type of data that is being sent.

00 → IDC

07 → The data begins.

* IDC → I don't care

Clock Data:

Since it is a smart band, let's first reverse the clock data.

To analyse the data, I started sending one data set at a time and checked whether it changed the time.

Voila! The second dataset actually controls the time displayed on the band.

Now I started manipulating individual bytes to understand the data format:

“ba20-000c-001e-0001-0200-2000-07-11-0c-06-16-29-16 01”

ba20 → Header

000c → Data size

001e → CRC

0001 → Packet counter

0200 → Data header

2000 → Data header

07 → IDC

11 → Year

0c → Month

06 → Date

16 → Hour

29 → Minute

16 → Seconds

01 → IDC

The script I used to send random data to the time parameter can be found in the GitHub repo.

Camera and Find Data:

Now the Find Band and Camera modes are obviously easy: just capture and replay. They don't have much functionality to play around with.

"ba20-0006-00ec-006b-0400-46000101" → Camera

"ba20-0005-0040-0068-0500-500000" → Find

Weather Data:

Now let's go forward and reverse the weather parameters, by analysing the 6th dataset.

“ba20-000b-004c-0005-0300-300006131c02151d02”

ba20 → Header

000b → Packet size

004c → CRC

0005 → Packet counter

0300 → Data header

3000 → Data header

06 → IDC

13 → High temperature

1c → Low temperature

02 → Weather mode

15 → IDC

1d → IDC

02 → IDC

The script to randomise these parameters can be found in the GitHub repo.

Outdoor Data:

Now, if you remember, we talked about a few features the device has that are synchronised from the app and not from a sensor in the band.

"ba20-000a-0008-0000-0e00-e100-0503f4037a00"

ba20 → Header

000a → Packet length

0008 → CRC

0000 → Packet counter

0e00 → Data header

e100 → Data header

05 → IDC

03 → UV level

f4 → Pressure, second byte

03 → Pressure, first byte

7a → Altitude, second byte

00 → Altitude, first byte

The script to randomise these parameters can be found in the GitHub repo.

Notification data:

Now comes my favourite part. We can send notifications to the band, like a call, a message or any other notification.

Now let's understand the data.

Whenever my phone sends a notification, a huge chunk of data is transmitted. Yes, everything is in plain text.

ba20008e00c00000060060008901fffe57006100

6c006c006500740020002d002000470065007400

20006500780063006c0075007300690076006500

2000620065006e00650066006900740073002000

620079002000700072006f007600690064006900

6e0067002000640065007400610069006c007300

20006200650066006f0072006500200033003100

200044002e002e002e00

Decoded:

ba20 → Header

008e → Packet length

00c0 → CRC

0000 → Packet counter

0600 → Data header

6000 → Data header

89 → When I modify it, I can increase the length of the data that is printed.

01 → Type of notification

fffe... → The data starts here, and has a 00 between each byte.

While performing a sort of fuzzing on the type-of-notification byte, I got to see a lot of digits and symbols that are inside the flash memory. Maybe something like a buffer overflow.

This makes me wonder whether someone could intercept confidential information from the phone, like an OTP or password, or other information.
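As an added example (not code from this post or its GitHub repo), here is a small Python parser for the ba20 frame layout worked out above, applied to the captured clock, outdoor and notification packets. The word the post calls a CRC is carried through unverified; that the year is 2000+YY, that pressure and altitude are little-endian values in hPa and metres, and that the notification text is UTF-16 with the ff fe as a byte-order mark are my assumptions, not claims from the post.

```python
import struct
from datetime import datetime

# Frames captured in the post, re-typed here with the hyphens removed.
CLOCK_PKT = bytes.fromhex("ba20000c001e00010200200007110c0616291601")
OUTDOOR_PKT = bytes.fromhex("ba20000a000800000e00e1000503f4037a00")
NOTIFY_PKT = bytes.fromhex(
    "ba20008e00c00000060060008901fffe57006100"
    "6c006c006500740020002d002000470065007400"
    "20006500780063006c0075007300690076006500"
    "2000620065006e00650066006900740073002000"
    "620079002000700072006f007600690064006900"
    "6e0067002000640065007400610069006c007300"
    "20006200650066006f0072006500200033003100"
    "200044002e002e002e00")

def parse_frame(pkt, data_hdr=None):
    """Split a frame into the fields identified in the post: ba20 header,
    payload length, the word the post calls CRC (algorithm unknown, carried
    as-is), packet counter, 4-byte data header and the body after it."""
    if len(pkt) < 8 or pkt[:2] != b"\xba\x20":
        raise ValueError("not a ba20 frame")
    length, crc, counter = struct.unpack(">HHH", pkt[2:8])
    payload = pkt[8:]
    if len(payload) != length:
        raise ValueError(f"length field {length} != {len(payload)} payload bytes")
    if data_hdr is not None and payload[:4] != data_hdr:
        raise ValueError(f"unexpected data header {payload[:4].hex()}")
    return {"crc": crc, "counter": counter, "data_hdr": payload[:4],
            "body": payload[4:]}

def decode_clock(pkt):
    """Body: <idc> YY MM DD hh mm ss <idc>. Year = 2000 + YY is an assumption."""
    body = parse_frame(pkt, b"\x02\x00\x20\x00")["body"]
    yy, mm, dd, hh, mi, ss = body[1:7]
    return datetime(2000 + yy, mm, dd, hh, mi, ss)

def decode_outdoor(pkt):
    """Body: <idc> UV, pressure, altitude; the two 2-byte values are read
    low byte first (0x03f4 = 1012 looks like hPa, 0x007a = 122 like metres;
    both units are assumptions)."""
    body = parse_frame(pkt, b"\x0e\x00\xe1\x00")["body"]
    return struct.unpack("<BHH", body[1:6])

def decode_notification(pkt):
    """Body: <size> <type> ff fe <text>. The ff fe and the 00 after every
    character mean the text is UTF-16 with a byte-order mark (assumption)."""
    body = parse_frame(pkt, b"\x06\x00\x60\x00")["body"]
    return body[1], body[2:].decode("utf-16")
```

Running decode_notification on the captured frame recovers the notification text that was sent over the air unencrypted.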

Reading Heart Rate:

I think that is enough talking about how to write data to the device. Now let's talk about reading data from the device, like reading the HRM or blood oxygen and displaying it.

Sniff the communication when the HRM is enabled and you will see that the notification handle sends the HRM value. The same goes for the other readings.

Let's analyse the data again.

Since it is just one parameter, I can just look at the data and identify the value:

"ba300006002400000a00ab00014d"

ba300006002400000a00ab0001 → IDC

4d → Heart rate

Now use the script found in the GitHub repo to subscribe to the handle, read the notifications and decode them.

You can try the same for SpO2 and mmHg and read them similarly.

Something weird I noticed concerns the firmware update. It uses the Nordic SoftDevice OTA to flash it. Write 0x42 to handle 0x0011 and the device goes into OTA mode, and the user can flash any firmware package. Literally; and it is mentioned on one of their sellers' sites.

During this process, I felt I should create a tool where people can fuzz individual bytes and monitor the changes. It is very minimalist. You can check it out here.

I think I have done my part of the research in reverse engineering the smart band. I haven't done much on the Android app, just the basics.

A few pictures of the hardware internals to make you curious.

Inside the hood
SQI Test pads
UART pads
SWD pads
nRF51822 SoC
Some flash

I really like this smart band. I don't want to open it. :( Anyway, I will do another blog post on its hardware components and how to assess the hardware security of this device.

Please feel free to contribute/collaborate and exploit it further.
