How to sniff a BLE communication and decode it: Reverse Engineering

(Last Updated On: January 24, 2019)

Intercept Bluetooth communication of smart gadgets (for example fitness devices) is a nice idea to have cheap BT sensor nodes. I will explain how to sniff and decode your Bluetooth Low Energy Data from your sensors.

Bluetooth System

In this example, I am going to show how I intercept the communication between Athos T-shirt and the smartphone to get the data in a computer, process and plot them in real time.

Athos is a fitness T-shirt and shorts which track the muscle effort, send them to the Iphone and upload them to the cloud (www.liveathos.com).

Why do I want to intercept my data?

Because of that. They are my data, and I should be able to do whatever I want. In this case, we want to process the data (maybe in real time, maybe not) and eventually plot them in real time. These applications only allow you limited access to your data, you have to upload them to the cloud, and the more important, you don’t have access to the raw data.

The Athos suit have a core, which is put inside the T-shirt and the iPhone, which work as a receptor.

How to connect the Athos suit:

  • To start sniffing the BT data, first the cores have to be disconnected with the device (Iphone). Because if they are disconnected they are sending the advertising message all the time, and you can recognize and start tracking them.
  • Run the Nordic semiconductor Sniffer program“ble-sniffer_win_1.0.1_1111_Sniffer.exe” as administrator. The BT sniffer board should be plugged. The next picture should be the screen to see.

This screen shows the available Low Energy Bluetooth devices and their irradiated received power. Remember that the lower the dBm nearer the device is. When the device is just near the USB, it will be around -44dBm.

We have purchased two cores (or gears) with the following physical addresses:

  • D5:48:d0:91:27:40
  • E9:90:00:93:C2:A1

Press the letter “l” to refresh the list. Sometimes is annoying to read the screen, because it refresh itself very quickly. Press ‘c’ to filter only the devices in your proximity. In this example, we are going to connect to the E9-device. Therefore, the number 3 is pressed and then the “w” to start WireShark. WireShark is a program to manage live the received packages.

Important to have the 1.12 version of Wireshark and not the last 2.XX because they are not compatibles (still).

  • Now from the App from Athos you can connect to the selected core and then start a new workout. Wireshark will capture the data in the background. Ensure that Wireshark is recording the connecting. Sometimes it does not save the data due a connection failure.
  • You start tracking your data

We start to receive the packets.

  • Once finalized your training session. You can stop recording data with Wireshark.
  • To store the data, you should export them to a csv file. “Export packet Dissections” >> as CSV File.
  • To filter out all the unnecessary data from wireshark-trafic record. Run the Python script to filter the BT data into a readable csv file. “Convert.py”
  • You can plot the data on this manner using kst.

  • Identifying the muscle.
    By reversing Engineering, each line was identified, the differential inputs grounded and each paar wired to signal generator, where later in the signals was identified.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top