Sphero BB-8 Robot: Bluetooth Connection Sniffing

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

Summary

This documentation is about the basics of Bluetooth hacking performed on the Sphero BB-8 Robot with GATT Tool and Bluetooth Connection Sniffing with the Ubertooth One. All results were obtained using GATT Tool or Bluetooth Connection Sniffing with Ubertooth and analyzed with Wireshark.

Requirements

  • Linux distribution (Ubuntu 20.04.1 desktop amd64 was used for this documentation)
  • Ubertooth One
  • Wireshark
  • hcitool
  • gatttool
  • bluetooth-btle
  • Sphero BB-8 App

Description

Prerequisites

Ensure that the Bluetooth service is running 

sudo service bluetooth status

Check if hcitool finds your Bluetooth sender 

hcitool dev

Note: On some bluetooth dongles you need to enable the LE mode if you encounter problems while scanning or connecting. 

btmgmt le on

Retrieve the Bluetooth Address of the victim device via hcitool

To retrieve the address of the targeted device you need to use hcitool to scan for bluetooth devices. 

hcitool lescan
LE Scan ...
C0:BF:30:97:52:B3 (unknown)
C0:BF:30:97:52:B3 BB-52B3

Connect to the target device and read its characteristics with GATT Tool

Characteristics can hint good starting points so we try to connect to the target device with GATT Tool and read its characteristics. 

sudo gatttool -t random -I <Bluetooth interface> -b <BD_ADDR>
connect

Depending on which bluetooth device you want to use you need to enter the name of the interface, you can get the name of your Bluetooth interfaces using hcitool.

Connecting to the Device in interactive mode 

sudo gatttool -t random -I hci0 -b C0:BF:30:97:52:B3
connect

"hci0" is the Bluetooth dongle name and can differ on your device. When connected we can interact with the device. Now read the Characteristics of the target. 

characteristics
handle: 0x0002, char properties: 0x02, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x0004, char properties: 0x02, char value handle: 0x0005, uuid: 00002a01-0000-1000-8000-00805f9b34fb
handle: 0x0006, char properties: 0x02, char value handle: 0x0007, uuid: 00002a04-0000-1000-8000-00805f9b34fb
handle: 0x0009, char properties: 0x22, char value handle: 0x000a, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x000d, char properties: 0x0c, char value handle: 0x000e, uuid: 22bb746f-2ba1-7554-2d6f-726568705327
handle: 0x000f, char properties: 0x10, char value handle: 0x0010, uuid: 22bb746f-2ba6-7554-2d6f-726568705327
handle: 0x0013, char properties: 0x0a, char value handle: 0x0014, uuid: 22bb746f-2bb1-7554-2d6f-726568705327
handle: 0x0016, char properties: 0x08, char value handle: 0x0017, uuid: 22bb746f-2bb2-7554-2d6f-726568705327
handle: 0x0019, char properties: 0x1e, char value handle: 0x001a, uuid: 22bb746f-2bb6-7554-2d6f-726568705327
handle: 0x001d, char properties: 0x0e, char value handle: 0x001e, uuid: 22bb746f-2bb7-7554-2d6f-726568705327
handle: 0x0020, char properties: 0x02, char value handle: 0x0021, uuid: 22bb746f-2bb8-7554-2d6f-726568705327
handle: 0x0023, char properties: 0x02, char value handle: 0x0024, uuid: 22bb746f-2bb9-7554-2d6f-726568705327
handle: 0x0026, char properties: 0x02, char value handle: 0x0027, uuid: 22bb746f-2bba-7554-2d6f-726568705327
handle: 0x0029, char properties: 0x0c, char value handle: 0x002a, uuid: 22bb746f-2bbd-7554-2d6f-726568705327
handle: 0x002b, char properties: 0x0a, char value handle: 0x002c, uuid: 22bb746f-2bbe-7554-2d6f-726568705327
handle: 0x002e, char properties: 0x0e, char value handle: 0x002f, uuid: 22bb746f-2bbf-7554-2d6f-726568705327
handle: 0x0031, char properties: 0x0e, char value handle: 0x0032, uuid: 22bb746f-3bba-7554-2d6f-726568705327
handle: 0x0035, char properties: 0x0a, char value handle: 0x0036, uuid: 00001013-d102-11e1-9b23-00025b00a5a5
handle: 0x0037, char properties: 0x08, char value handle: 0x0038, uuid: 00001017-d102-11e1-9b23-00025b00a5a5
handle: 0x0039, char properties: 0x12, char value handle: 0x003a, uuid: 00001014-d102-11e1-9b23-00025b00a5a5
handle: 0x003d, char properties: 0x02, char value handle: 0x003e, uuid: 00002a27-0000-1000-8000-00805f9b34fb
handle: 0x003f, char properties: 0x02, char value handle: 0x0040, uuid: 00002a25-0000-1000-8000-00805f9b34fb
handle: 0x0042, char properties: 0x02, char value handle: 0x0043, uuid: 00002a24-0000-1000-8000-00805f9b34fb
handle: 0x0044, char properties: 0x02, char value handle: 0x0045, uuid: 00002a29-0000-1000-8000-00805f9b34fb
handle: 0x0046, char properties: 0x02, char value handle: 0x0047, uuid: 00002a26-0000-1000-8000-00805f9b34fb

Analyzing the Characteristics with the GATT Tool

These are the Characteristics that could be analyzed.

BB8Characteristics.PNG

The Properties must be read as the following chart shows:

CharacterProperties.png

[1] Read the Device Name

Read the device name: 

char-read-hnd 3
Characteristic value/descriptor: 42 42 2d 35 32 42 33

Hex to ASCII: 

42 42 2d 35 32 42 33 --> BB-52B3

[2] presumably Writing the direction

When commanding the robot to move via the App, a write command gets send to the 0x000e handle. Under the circumstances I assume this is the direction to move. 

char-write-cmd 0e 820958580000009d5870010000d089051b000000
Error: Characteristic Write Request failed: Attribute requires authorization before read/write

Couldn't get it to work. Requires authorization but increasing the sec-level in GAT Tool resulted in another error.

[3] presumable Getting Notified about location

Everytime the robot moves, it sends a notfication to the master. Under the circumstances I assume this is the current location. 

Notification handle = 0x0010 value: ff fe 01 00 02 02 fa

[4] Read the Hardware Revision String

Read the Hardware Revision String: 

char-read-hnd 3e
Characteristic value/descriptor: 41 00 00 00 00 00

Hex to ASCII 

41 00 00 00 00 00 --> A

[5] Read the Bluetooth Address

Read the Bluetooth Address: 

char-read-hnd 40
Characteristic value/descriptor: 43 30 3a 42 46 3a 33 30 3a 39 37 3a 35 32 3a 42 33

Hex to ASCII 

43 30 3a 42 46 3a 33 30 3a 39 37 3a 35 32 3a 42 33 --> C0:BF:30:97:52:B3

[6] Read the Model Number

Read the Model Number: 

char-read-hnd 43
Characteristic value/descriptor: 33 30 00

Hex to ASCII 

33 30 00 --> 30

[7] Read the Manufactor Name String

Read the Manufactor Name String: 

char-read-hnd 45
Characteristic value/descriptor: 53 70 68 65 72 6f

Hex to ASCII 

53 70 68 65 72 6f  --> Sphero

[8] Read the Firmware Revision String

Read the Firmware Revision String: 

char-read-hnd 47
Characteristic value/descriptor: 31 2e 34 37

Hex to ASCII 

31 2e 34 37 --> 1.47

Sniffing with Wireshark

If you want to sniff BLE connection then please follow this guide: Bluetooth Sniffing with Ubertooth: A Step-by-step guide For this particullary device the ATT Protocol packets are interesting. You can filter them in Wireshark like shown in the picture below.

WireSharkBB8Capture.PNG

Used Hardware

References

Retrieved from "https://wiki.elvis.science/index.php?title=Sphero_BB-8_Robot:_Bluetooth_Connection_Sniffing&oldid=5745"