Difference between revisions of "Mipow Playbulb: Bluetooth Connection Sniffing"

From Embedded Lab Vienna for IoT & Security
Revision as of 13:47, 24 February 2020

Summary

This documentation explains the basics of Bluetooth hacking performed on the MiPow Playbulb Candle: reading and writing its GATT characteristics with the GATT tool, and sniffing the BLE connection with the Ubertooth One.


Requirements

  • Bluetooth adapter that supports Bluetooth Low Energy (BLE)
  • A computer running a Linux distribution, e.g. a Raspberry Pi 3
  • The Ubertooth One
  • Wireshark
  • BlueZ command line tools (hcitool, hciconfig, gatttool)

Description

Prerequisites

Make sure the Bluetooth service is running.

sudo service bluetooth status

If the output shows (dead), restart the service.

sudo service bluetooth restart

Check that hcitool finds your Bluetooth adapter and that hciconfig reports it as UP RUNNING:

hcitool dev
hciconfig -a


Retrieve the Bluetooth address of the victim device with hcitool

Depending on the Bluetooth technology the device uses (BR/EDR or Low Energy) there are two scan commands:

hcitool scan
hcitool lescan

The Playbulb is an LE device; the LE scan shows its address twice, once from the advertising packet (no name) and once from the scan response that carries the name:

hcitool lescan

DC:48:4B:0F:AC:E6 (unknown)
DC:48:4B:0F:AC:E6 PLAYBULB

Connect to the victim device and read its characteristics

Start the GATT tool in interactive mode on your adapter and connect to the retrieved Bluetooth address:

sudo gatttool -I hci1 -b <BD_ADDR>
connect

"hci1" is the adapter name shown by hciconfig -a and may differ on your system (often it is hci0). No pairing or bonding step is needed to connect.

List the characteristics the victim device exposes:

characteristics

[1]  handle: 0x0002, char properties: 0x0a, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[2]  handle: 0x0004, char properties: 0x02, char value handle: 0x0005, uuid: 00002a01-0000-1000-8000-00805f9b34fb
[3]  handle: 0x0006, char properties: 0x02, char value handle: 0x0007, uuid: 00002a04-0000-1000-8000-00805f9b34fb
[4]  handle: 0x0009, char properties: 0x22, char value handle: 0x000a, uuid: 00002a05-0000-1000-8000-00805f9b34fb
[5]  handle: 0x000d, char properties: 0x10, char value handle: 0x000e, uuid: 00002a37-0000-1000-8000-00805f9b34fb
[6]  handle: 0x0010, char properties: 0x02, char value handle: 0x0011, uuid: 0000fff8-0000-1000-8000-00805f9b34fb
[7]  handle: 0x0012, char properties: 0x0a, char value handle: 0x0013, uuid: 0000fff9-0000-1000-8000-00805f9b34fb
[8]  handle: 0x0014, char properties: 0x06, char value handle: 0x0015, uuid: 0000fffa-0000-1000-8000-00805f9b34fb
[9]  handle: 0x0016, char properties: 0x06, char value handle: 0x0017, uuid: 0000fffb-0000-1000-8000-00805f9b34fb
[10] handle: 0x0018, char properties: 0x06, char value handle: 0x0019, uuid: 0000fffc-0000-1000-8000-00805f9b34fb
[11] handle: 0x001a, char properties: 0x0a, char value handle: 0x001b, uuid: 0000fffd-0000-1000-8000-00805f9b34fb
[12] handle: 0x001c, char properties: 0x0a, char value handle: 0x001d, uuid: 0000fffe-0000-1000-8000-00805f9b34fb
[13] handle: 0x001e, char properties: 0x0a, char value handle: 0x001f, uuid: 0000ffff-0000-1000-8000-00805f9b34fb
[14] handle: 0x0021, char properties: 0x12, char value handle: 0x0022, uuid: 00002a19-0000-1000-8000-00805f9b34fb
[15] handle: 0x0025, char properties: 0x02, char value handle: 0x0026, uuid: 00002a25-0000-1000-8000-00805f9b34fb
[16] handle: 0x0027, char properties: 0x02, char value handle: 0x0028, uuid: 00002a27-0000-1000-8000-00805f9b34fb
[17] handle: 0x0029, char properties: 0x02, char value handle: 0x002a, uuid: 00002a26-0000-1000-8000-00805f9b34fb
[18] handle: 0x002b, char properties: 0x02, char value handle: 0x002c, uuid: 00002a28-0000-1000-8000-00805f9b34fb
[19] handle: 0x002d, char properties: 0x02, char value handle: 0x002e, uuid: 00002a29-0000-1000-8000-00805f9b34fb
[20] handle: 0x002f, char properties: 0x02, char value handle: 0x0030, uuid: 00002a50-0000-1000-8000-00805f9b34fb
[21] handle: 0x0032, char properties: 0x0a, char value handle: 0x0033, uuid: 00001013-d102-11e1-9b23-00025b00a5a5
[22] handle: 0x0034, char properties: 0x08, char value handle: 0x0035, uuid: 00001018-d102-11e1-9b23-00025b00a5a5
[23] handle: 0x0036, char properties: 0x12, char value handle: 0x0037, uuid: 00001014-d102-11e1-9b23-00025b00a5a5
[24] handle: 0x0039, char properties: 0x02, char value handle: 0x003a, uuid: 00001011-d102-11e1-9b23-00025b00a5a5

Analyzing the Characteristics with the GATT Tool

Many of the MiPow Playbulb Candle's characteristics are standard ones defined by the Bluetooth SIG. They can be recognised by their UUID: a 16-bit assigned number xxxx is written as 0000xxxx-0000-1000-8000-00805f9b34fb (the Bluetooth base UUID), so 00002a00-... is Device Name (0x2A00), 00002a19-... is Battery Level (0x2A19), and so on. The 0000fff8-... to 0000ffff-... entries are not SIG-assigned characteristics, and the 0000101x-d102-11e1-9b23-00025b00a5a5 entries are vendor-specific 128-bit UUIDs.

StanrdizedCharacters.png

The property byte is a bitfield and must be read as the following chart shows: 0x01 broadcast, 0x02 read, 0x04 write without response, 0x08 write, 0x10 notify, 0x20 indicate, 0x40 authenticated signed writes, 0x80 extended properties. So 0x0a is read + write, 0x06 is read + write without response, 0x12 is read + notify and 0x22 is read + indicate.

CharacterProperties.png
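As an added example that is not part of the original write-up, the following Python script parses gatttool's characteristics listing, decodes the property byte into the flags from the chart above, names the standard 16-bit UUIDs that occur in the dump and lists the value handles that accept writes. The sample input is a subset of the lines copied from the listing above; the UUID name table only covers the UUIDs that appear on this page.

```python
"""Parse gatttool 'characteristics' output and decode the property bitfield.

Added example for this page, not code from the original write-up.
SAMPLE is a subset of the Playbulb listing shown above; the UUID table
only covers the standard 16-bit UUIDs that occur in that listing.
"""
import re
from dataclasses import dataclass

# Characteristic property bits (Bluetooth Core Spec, GATT characteristic declaration)
PROPERTY_BITS = {
    0x01: "broadcast",
    0x02: "read",
    0x04: "write-without-response",
    0x08: "write",
    0x10: "notify",
    0x20: "indicate",
    0x40: "authenticated-signed-writes",
    0x80: "extended-properties",
}

# Standard 16-bit UUIDs present in the dump (Bluetooth SIG assigned numbers)
STANDARD_UUIDS = {
    0x2A00: "Device Name",
    0x2A01: "Appearance",
    0x2A04: "Peripheral Preferred Connection Parameters",
    0x2A05: "Service Changed",
    0x2A19: "Battery Level",
    0x2A25: "Serial Number String",
    0x2A26: "Firmware Revision String",
    0x2A27: "Hardware Revision String",
    0x2A28: "Software Revision String",
    0x2A29: "Manufacturer Name String",
    0x2A37: "Heart Rate Measurement",
    0x2A50: "PnP ID",
}

# A 16-bit UUID xxxx is shorthand for 0000xxxx- followed by this Bluetooth base UUID
BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

LINE_RE = re.compile(
    r"handle:\s*0x([0-9a-f]{4}),\s*char properties:\s*0x([0-9a-f]{2}),"
    r"\s*char value handle:\s*0x([0-9a-f]{4}),\s*uuid:\s*([0-9a-f-]{36})",
    re.IGNORECASE,
)

# Constructed sample: six lines copied from the gatttool listing on this page
SAMPLE = """\
[1]  handle: 0x0002, char properties: 0x0a, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[4]  handle: 0x0009, char properties: 0x22, char value handle: 0x000a, uuid: 00002a05-0000-1000-8000-00805f9b34fb
[9]  handle: 0x0016, char properties: 0x06, char value handle: 0x0017, uuid: 0000fffb-0000-1000-8000-00805f9b34fb
[10] handle: 0x0018, char properties: 0x06, char value handle: 0x0019, uuid: 0000fffc-0000-1000-8000-00805f9b34fb
[14] handle: 0x0021, char properties: 0x12, char value handle: 0x0022, uuid: 00002a19-0000-1000-8000-00805f9b34fb
[21] handle: 0x0032, char properties: 0x0a, char value handle: 0x0033, uuid: 00001013-d102-11e1-9b23-00025b00a5a5
"""


@dataclass
class Characteristic:
    decl_handle: int    # handle of the characteristic declaration
    value_handle: int   # handle you pass to char-read-hnd / char-write-*
    properties: int     # raw property byte
    uuid: str

    @property
    def flags(self) -> list:
        """Property names in bit order, e.g. 0x0a -> ['read', 'write']."""
        return [name for bit, name in PROPERTY_BITS.items() if self.properties & bit]

    @property
    def name(self) -> str:
        """Standard name for 16-bit UUIDs, otherwise mark it as vendor-specific."""
        if self.uuid.lower().endswith(BT_BASE_SUFFIX):
            short = int(self.uuid[4:8], 16)
            return STANDARD_UUIDS.get(short, f"0x{short:04X} (vendor/unknown 16-bit)")
        return "vendor 128-bit"

    @property
    def writable(self) -> bool:
        """True if Write Request (0x08) or Write Command (0x04) is allowed."""
        return bool(self.properties & 0x0C)


def parse_characteristics(text: str) -> list:
    """Turn gatttool 'characteristics' output into Characteristic records."""
    chars = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            chars.append(Characteristic(int(m[1], 16), int(m[3], 16), int(m[2], 16), m[4]))
    return chars


def writable_value_handles(chars: list) -> list:
    """Value handles that accept writes from anyone who connects (sorted)."""
    return sorted(c.value_handle for c in chars if c.writable)


def summarize(chars: list) -> list:
    """One human-readable line per characteristic."""
    return [f"0x{c.value_handle:04x} {c.name}: {', '.join(c.flags)}" for c in chars]


if __name__ == "__main__":
    parsed = parse_characteristics(SAMPLE)
    print("\n".join(summarize(parsed)))
    print("writable:", [hex(h) for h in writable_value_handles(parsed)])
```

Paste the full listing into SAMPLE to get the complete table; the writable handles it reports are the first candidates to try with char-write-req / char-write-cmd or to watch for in the sniffer capture.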

[1] Read and Write the Device Name

Read the device name:

char-read-hnd 3
Characteristic value/descriptor: 50 4c 41 59 42 55 4c 42


Convert Hex to ASCII:

50 4c 41 59 42 55 4c 42 -> PLAYBULB

Rename the device (the payload is "Hacked" followed by a newline, 0x0a; the write is accepted without any pairing or authentication):

char-write-req 3 4861636B65640A
Characteristic value was written successfully

char-read-hnd 3
Characteristic value/descriptor: 48 61 63 6b 65 64 0a

[2] Read the Device Appearance

char-read-hnd 5
Characteristic value/descriptor: 40 03

The Appearance is a little-endian uint16, so these bytes are the value 0x0340, not 0x4003. 0x0340 is the SIG-assigned appearance "Generic Heart Rate Sensor", which fits the Heart Rate Measurement characteristic (0x2A37, entry [5]) in the listing and suggests the firmware was built on a generic profile template rather than one for a light.

[3] Read the Peripheral Preferred Connection Parameters

char-read-hnd 7
Characteristic value/descriptor: 10 00 20 00 00 00 58 02

Four little-endian uint16 fields: minimum connection interval 0x0010 (16 × 1.25 ms = 20 ms), maximum connection interval 0x0020 (32 × 1.25 ms = 40 ms), slave latency 0, supervision timeout 0x0258 (600 × 10 ms = 6 s).

[14] Read the Battery Level

char-read-hnd 22
Characteristic value/descriptor: 64

Convert hex to decimal:

0x64 is 100 decimal -> battery level is 100%

[15] Read the Serial Number String

char-read-hnd 26
Characteristic value/descriptor: 42 54 4c 33 30 30

Convert Hex to ASCII:

42 54 4c 33 30 30 -> BTL300

[16] Read the Hardware Revision String

char-read-hnd 28
Characteristic value/descriptor: 43 53 52 31 30 31 78 20 41 30 35

Convert Hex to ASCII:

43 53 52 31 30 31 78 20 41 30 35 -> CSR101x A05

[17] Read the Firmware Revision String

char-read-hnd 2a
Characteristic value/descriptor: 42 54 4c 33 30 30 5f 76 36

Convert Hex to ASCII:

42 54 4c 33 30 30 5f 76 36 -> BTL300_v6

[18] Read the Software Revision String

char-read-hnd 2c
Characteristic value/descriptor: 41 70 70 6c 69 63 61 74 69 6f 6e 20 76 65 72 73 69 6f 6e 20 32 2e 34 2e 33 2e 32 36

Convert Hex to ASCII:

41 70 70 6c 69 63 61 74 69 6f 6e 20 76 65 72 73 69 6f 6e 20 32 2e 34 2e 33 2e 32 36 -> Application version 2.4.3.26

[19] Read the Manufacturer Name String

char-read-hnd 2e
Characteristic value/descriptor: 4d 69 70 6f 77 20 4c 69 6d 69 74 65 64

Convert Hex to ASCII:

4d 69 70 6f 77 20 4c 69 6d 69 74 65 64 -> Mipow Limited

[20] Read the PnP ID

char-read-hnd 30
Characteristic value/descriptor: 01 0a 00 4c 01 00 01

Decoded (uint8 followed by three little-endian uint16): vendor ID source 0x01 (Bluetooth SIG company identifier), vendor ID 0x000a (Cambridge Silicon Radio, matching the CSR101x hardware revision), product ID 0x014c, product version 0x0100.
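The decoding of the standard characteristics above ([2], [3], [14] to [20]) as an added Python example that is not part of the original page. The inputs are the hex dumps exactly as gatttool printed them on this page; multi-byte fields are unpacked little-endian as the GATT specification requires, which is why the Appearance bytes 40 03 decode to 0x0340. The appearance category and company ID tables are deliberately reduced to the entries this page needs.

```python
"""Decode the raw values gatttool printed for the standard characteristics above.

Added example, not code from the original page. READINGS holds the exact
'Characteristic value/descriptor:' hex dumps from this page, keyed by value
handle; the lookup tables are reduced to the entries the page needs.
"""
import struct

# Appearance: upper 10 bits are the category (Bluetooth SIG assigned numbers, subset)
APPEARANCE_CATEGORIES = {
    0x000: "Unknown", 0x001: "Phone", 0x002: "Computer", 0x003: "Watch",
    0x004: "Clock", 0x005: "Display", 0x006: "Remote Control",
    0x00C: "Thermometer", 0x00D: "Heart Rate Sensor", 0x00E: "Blood Pressure",
    0x00F: "Human Interface Device",
}

# Company identifiers (Bluetooth SIG assigned numbers); only the one this page needs
COMPANY_IDS = {0x000A: "Cambridge Silicon Radio"}
VENDOR_ID_SOURCES = {0x01: "Bluetooth SIG", 0x02: "USB Implementers Forum"}

# Constructed sample: value handle -> hex dump, copied from the gatttool session above
READINGS = {
    0x05: "40 03",
    0x07: "10 00 20 00 00 00 58 02",
    0x22: "64",
    0x26: "42 54 4c 33 30 30",
    0x2e: "4d 69 70 6f 77 20 4c 69 6d 69 74 65 64",
    0x30: "01 0a 00 4c 01 00 01",
}


def hexdump_to_bytes(dump: str) -> bytes:
    """'40 03' -> b'\\x40\\x03'."""
    return bytes.fromhex(dump.replace(" ", ""))


def decode_appearance(raw: bytes) -> tuple:
    """Appearance (0x2A01): uint16 LE; category = value >> 6, subcategory = value & 0x3f."""
    (value,) = struct.unpack("<H", raw)
    category = value >> 6
    return value, APPEARANCE_CATEGORIES.get(category, f"category 0x{category:03X}")


def decode_ppcp(raw: bytes) -> dict:
    """PPCP (0x2A04): four uint16 LE fields; intervals in 1.25 ms units, timeout in 10 ms."""
    min_i, max_i, latency, timeout = struct.unpack("<HHHH", raw)
    return {
        "min_interval_ms": min_i * 1.25,
        "max_interval_ms": max_i * 1.25,
        "slave_latency": latency,
        "supervision_timeout_ms": timeout * 10,
    }


def decode_battery(raw: bytes) -> int:
    """Battery Level (0x2A19): single uint8 percentage."""
    return raw[0]


def decode_string(raw: bytes) -> str:
    """Device Information Service strings (0x2A25 to 0x2A29) are UTF-8."""
    return raw.decode("utf-8")


def decode_pnp_id(raw: bytes) -> dict:
    """PnP ID (0x2A50): uint8 vendor ID source, then uint16 LE vendor, product, version."""
    source, vendor, product, version = struct.unpack("<BHHH", raw)
    return {
        "vendor_id_source": VENDOR_ID_SOURCES.get(source, f"0x{source:02X}"),
        "vendor_id": vendor,
        "vendor": COMPANY_IDS.get(vendor, "unknown"),
        "product_id": product,
        "product_version": version,
    }


# value handle -> decoder, following the handle numbers of this device
DECODERS = {
    0x05: decode_appearance, 0x07: decode_ppcp, 0x22: decode_battery,
    0x26: decode_string, 0x2e: decode_string, 0x30: decode_pnp_id,
}


def decode_readings(readings: dict) -> dict:
    """Apply the matching decoder to every handle in a {handle: hexdump} map."""
    return {h: DECODERS[h](hexdump_to_bytes(d)) for h, d in readings.items() if h in DECODERS}


if __name__ == "__main__":
    for handle, value in decode_readings(READINGS).items():
        print(f"0x{handle:02x}: {value}")
```

The connection parameters and the PnP ID are worth decoding on any target: the 20 to 40 ms interval tells you how densely the link is occupied when you sniff it, and the company ID confirms the chipset (here CSR) independently of the revision strings.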

Analyzing the Characteristics with the Ubertooth One

Before you start, make sure your Ubertooth One runs the newest firmware; the update procedure is described in a separate documentation (Link).

To sniff the victim device, follow its connections with ubertooth-btle:

 ubertooth-btle -f <BD_ADDR>

Check the option syntax of your ubertooth-btle build with ubertooth-btle -h: in current releases -f takes no argument and the target address is passed separately as -t<BD_ADDR>, so the line above becomes ubertooth-btle -f -t<BD_ADDR>.

To watch the sniffed packets live in Wireshark, write them into a named pipe (-c writes PCAP with PPI encapsulation):

 mkfifo /tmp/pipe
 ubertooth-btle -f <BD_ADDR> -c /tmp/pipe

In another terminal start Wireshark on the pipe (-i selects the capture source and -k starts capturing immediately; -I would request monitor mode, which does not apply to a pipe):

 sudo wireshark -k -i /tmp/pipe

If Wireshark only labels the sniffed frames as PPI instead of Bluetooth LE, follow this documentation (link).

Now connect the victim device to a smartphone. The Ubertooth cannot always lock onto the channel hopping pattern of a new connection, so disconnect and reconnect the smartphone until the packet stream in Wireshark keeps going. The ATT writes the app sends are readable in the capture, and from them it was possible to figure out what the handles 0x17 and 0x19 are used for:

[10] Read and write the RGB Values

The light isn't a usual RGB light with three LED colours; it has an additional channel for natural white light at about 3500 K. The colour value on handle 0x19 ([10], uuid 0xFFFC) is four bytes, one per channel:

 WWRRGGBB

Each byte ranges from 0 to 255 (0x00 to 0xff), which gives 16 million RGB combinations. There is no separate brightness byte; brightness is adjusted by lowering the channel values. The characteristic's properties are 0x06 (read + write without response), so the colour is written with gatttool's char-write-cmd (an ATT Write Command, for which the device returns no response), and as with the rename no pairing is required:

 char-write-cmd 19 WWRRGGBB
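As an added Python example that is not from the original page, the helper below builds the payloads for the two writes performed in this write-up, the device rename on handle 0x03 ([1]) and the colour on handle 0x19 ([10]), and picks the matching gatttool primitive from the property byte: char-write-req (ATT Write Request) where the characteristic advertises write (0x08), char-write-cmd (ATT Write Command) where it only advertises write without response (0x04). The handle numbers and property bytes come from the listing above; the integer brightness parameter, which scales all four channels, is an assumption of this example based on the authors' observation that brightness is set by lowering the channel values.

```python
"""Build write payloads and gatttool lines for the Playbulb's writable handles.

Added example, not code from the original page. Handle numbers and
property bytes are taken from the characteristics listing above; the
brightness parameter (0-255 scale factor) is an assumption of this example.
"""

# value handle and property byte, from the gatttool listing above
DEVICE_NAME_HANDLE, DEVICE_NAME_PROPS = 0x0003, 0x0a   # [1]  0x2A00: read + write
COLOUR_HANDLE, COLOUR_PROPS = 0x0019, 0x06             # [10] 0xFFFC: read + write-without-response

WRITE_REQUEST = 0x08   # property bit: ATT Write Request, peer answers with Write Response
WRITE_COMMAND = 0x04   # property bit: ATT Write Command, no response at all


def encode_colour(white: int, red: int, green: int, blue: int, brightness: int = 255) -> bytes:
    """Pack WWRRGGBB; brightness (0-255, assumed here) scales every channel."""
    channels = (white, red, green, blue)
    if not all(0 <= c <= 255 for c in channels) or not 0 <= brightness <= 255:
        raise ValueError("channels and brightness must be 0..255")
    return bytes(c * brightness // 255 for c in channels)


def decode_colour(raw: bytes) -> dict:
    """Inverse of encode_colour, for a char-read-hnd 19 result or a sniffed write."""
    if len(raw) != 4:
        raise ValueError("colour value is exactly 4 bytes")
    return dict(zip(("white", "red", "green", "blue"), raw))


def encode_device_name(name: str) -> bytes:
    """Device Name (0x2A00) is UTF-8; the rename on this page included a trailing newline."""
    return name.encode("utf-8")


def gatttool_write_line(value_handle: int, properties: int, payload: bytes) -> str:
    """Interactive gatttool line for writing payload, chosen from the property bits."""
    hexstr = payload.hex()
    if properties & WRITE_REQUEST:
        return f"char-write-req {value_handle:x} {hexstr}"
    if properties & WRITE_COMMAND:
        return f"char-write-cmd {value_handle:x} {hexstr}"
    raise ValueError(f"handle 0x{value_handle:04x} is not writable (properties 0x{properties:02x})")


if __name__ == "__main__":
    print(gatttool_write_line(DEVICE_NAME_HANDLE, DEVICE_NAME_PROPS, encode_device_name("Hacked\n")))
    print(gatttool_write_line(COLOUR_HANDLE, COLOUR_PROPS, encode_colour(0, 255, 0, 0)))
    print(gatttool_write_line(COLOUR_HANDLE, COLOUR_PROPS, encode_colour(0, 255, 0, 0, brightness=128)))
```

Choosing the primitive from the property byte matters when scripting: a Write Request to a handle that only supports Write Command is rejected with an ATT error, while a Write Command gives you no feedback at all, so verify the result with char-read-hnd 19 afterwards.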


[10] Read and write the Colour Effects

Used Hardware

Raspberry Pi 3 B+
