Mipow Playbulb: Bluetooth Connection Sniffing
Summary
This documentation explains the basics of Bluetooth hacking perfomed on the MiPow Playbulb Candle with the GATT Tool
Requirements
- Bluetooth adapter which can use BLUETOOTH Low Energy (BTLE)
- A computer running a Linux distribution e.g. raspberry pi 3
Description
Fundamentals steps
Ensure that the Bluetooth sender is running.
sudo service bluetooth status
If the output shows (dead) use the following command.
sudo service bluetooth restart
Check if the hcitool finds your Bluetooth sender
hcitool dev hciconfig -a
Retrieve the Bluetooth Address of the victim device
Depending on the Bluetooth Technology (BR/EDR or LE) the device use there are two commands to scan the Bluetooth addresses.
hcitool scan hcitool lescan
The BLE Scan outputs the Address of the The MiPow Playbulb Candle as follows:
hcitool lescan DC:48:4B:0F:AC:E6 (unknown) DC:48:4B:0F:AC:E6 PLAYBULB
Connect to the victim device and reading its characteristics
Starting the GATT Tool in Interacive mode and connect to the retrieved Bluetooth Address
sudo gatttool -I hci1 -b DC:48:4B:0F:AC:E6 connect
“hci1” is the Bluetooth sender name and can differ on your device
Reading the Characteristic which the victim devices have.
characteristics
[1] handle: 0x0002, char properties: 0x0a, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb [2] handle: 0x0004, char properties: 0x02, char value handle: 0x0005, uuid: 00002a01-0000-1000-8000-00805f9b34fb [3] handle: 0x0006, char properties: 0x02, char value handle: 0x0007, uuid: 00002a04-0000-1000-8000-00805f9b34fb [4] handle: 0x0009, char properties: 0x22, char value handle: 0x000a, uuid: 00002a05-0000-1000-8000-00805f9b34fb [5] handle: 0x000d, char properties: 0x10, char value handle: 0x000e, uuid: 00002a37-0000-1000-8000-00805f9b34fb [6] handle: 0x0010, char properties: 0x02, char value handle: 0x0011, uuid: 0000fff8-0000-1000-8000-00805f9b34fb [7] handle: 0x0012, char properties: 0x0a, char value handle: 0x0013, uuid: 0000fff9-0000-1000-8000-00805f9b34fb [8] handle: 0x0014, char properties: 0x06, char value handle: 0x0015, uuid: 0000fffa-0000-1000-8000-00805f9b34fb [9] handle: 0x0016, char properties: 0x06, char value handle: 0x0017, uuid: 0000fffb-0000-1000-8000-00805f9b34fb [10] handle: 0x0018, char properties: 0x06, char value handle: 0x0019, uuid: 0000fffc-0000-1000-8000-00805f9b34fb [11] handle: 0x001a, char properties: 0x0a, char value handle: 0x001b, uuid: 0000fffd-0000-1000-8000-00805f9b34fb [12] handle: 0x001c, char properties: 0x0a, char value handle: 0x001d, uuid: 0000fffe-0000-1000-8000-00805f9b34fb [13] handle: 0x001e, char properties: 0x0a, char value handle: 0x001f, uuid: 0000ffff-0000-1000-8000-00805f9b34fb [14] handle: 0x0021, char properties: 0x12, char value handle: 0x0022, uuid: 00002a19-0000-1000-8000-00805f9b34fb [15] handle: 0x0025, char properties: 0x02, char value handle: 0x0026, uuid: 00002a25-0000-1000-8000-00805f9b34fb [16] handle: 0x0027, char properties: 0x02, char value handle: 0x0028, uuid: 00002a27-0000-1000-8000-00805f9b34fb [17] handle: 0x0029, char properties: 0x02, char value handle: 0x002a, uuid: 00002a26-0000-1000-8000-00805f9b34fb [18] handle: 0x002b, char properties: 0x02, char value handle: 0x002c, uuid: 00002a28-0000-1000-8000-00805f9b34fb [19] handle: 0x002d, char properties: 0x02, char value handle: 0x002e, uuid: 00002a29-0000-1000-8000-00805f9b34fb [20] handle: 0x002f, char properties: 0x02, char value handle: 0x0030, uuid: 00002a50-0000-1000-8000-00805f9b34fb [21] handle: 0x0032, char properties: 0x0a, char value handle: 0x0033, uuid: 00001013-d102-11e1-9b23-00025b00a5a5 [22] handle: 0x0034, char properties: 0x08, char value handle: 0x0035, uuid: 00001018-d102-11e1-9b23-00025b00a5a5 [23] handle: 0x0036, char properties: 0x12, char value handle: 0x0037, uuid: 00001014-d102-11e1-9b23-00025b00a5a5 [24] handle: 0x0039, char properties: 0x02, char value handle: 0x003a, uuid: 00001011-d102-11e1-9b23-00025b00a5a5
Analyzing the Characteristics
The MiPow Playbulb Candle uses many Characteristics which are defined by the Bluetooth Standard:
The Properties must be read as the following chart shows:
[1] Read and Write the Device Name
Read the device name:
char-read-hnd 3 Characteristic value/descriptor: 50 4c 41 59 42 55 4c 42
Convert Hex to ASCII:
50 4c 41 59 42 55 4c 42 -> PLAYBULB
Rename the Device:
char-write-req 3 4861636B65640A Characteristic value was written successfully char-read-hnd 3 Characteristic value/descriptor: 48 61 63 6b 65 64 0a
[2] Read the Device Appearance
char-read-hnd 5 Characteristic value/descriptor: 40 03
0x4003 is not in the standard appearances defined
[3] Read the Peripheral Preferred Connection Parameters
char-read-hnd 7 Characteristic value/descriptor: 10 00 20 00 00 00 58 02
[14] Read the Battery Level
char-read-hnd 22 Characteristic value/descriptor: 64
Convert Hex to Dez: 64 hex is 100 dez -> Battery Level is at 100%
[15] Read the Serial Number String
char-read-hnd 26 Characteristic value/descriptor: 42 54 4c 33 30 30
Convert Hex to ASCII: 42 54 4c 33 30 30 -> BTL300
[16] Read the Hardware Revision String
char-read-hnd 28 Characteristic value/descriptor: 43 53 52 31 30 31 78 20 41 30 35
Convert Hex to ASCII: 43 53 52 31 30 31 78 20 41 30 35 -> CSR101x A05
[17] Read the Firmware Revision String
char-read-hnd 2a Characteristic value/descriptor: 42 54 4c 33 30 30 5f 76 36
Convert Hex to ASCII: 42 54 4c 33 30 30 5f 76 36 -> BTL300_v6
[18] Read the Software Revision String
char-read-hnd 2c Characteristic value/descriptor: 41 70 70 6c 69 63 61 74 69 6f 6e 20 76 65 72 73 69 6f 6e 20 32 2e 34 2e 33 2e 32 36
Convert Hex to ASCII: 41 70 70 6c 69 63 61 74 69 6f 6e 20 76 65 72 73 69 6f 6e 20 32 2e 34 2e 33 2e 32 36 -> Application version 2.4.3.26
[19] Read the Manufacturer Name String
char-read-hnd 2e Characteristic value/descriptor: 4d 69 70 6f 77 20 4c 69 6d 69 74 65 64
Convert Hex to ASCII: 4d 69 70 6f 77 20 4c 69 6d 69 74 65 64 -> Mipow Limited
[20] Read the PnP ID
char-read-hnd 30 Characteristic value/descriptor: 01 0a 00 4c 01 00 01
Used Hardware
raspberry pi 3 b+