Reversing your Bluetooth device's protocol
Reversing the protocol of a Bluetooth device might seem like a daunting task. However, it is often not so difficult after all.
Recently, I’ve done just that for the Earfun Uboom X.
Prerequisites:
- An app-controlled Bluetooth device
- Android device for capturing the packets
- Desktop with Wireshark and ADB
- A lot of patience…
If you are an Android user, there is a setting in the developer options, “Enable Bluetooth HCI snoop log”. Set it to “Enabled”.
After enabling it, turn Bluetooth off and back on so the logging takes effect, then connect the device.
Enter the app that controls the device. Here’s the strategy:
- Find the option you want to reverse
- Enable that option
- Disable it
- Repeat a couple of times (the more, the better: repetitions make the pattern in the protocol stand out, and they separate the bytes that follow the option from bytes that change on every packet, such as counters)
That is all the capturing. For the next step, USB debugging must be enabled in the developer options.
Connect the phone to your desktop and run adb bugreport from the command line (adb bugreport report.zip names the output file). The phone shows a prompt asking whether to allow USB debugging from this computer; confirm it. ADB then generates the bug report on the phone and copies the resulting zip to your desktop.
Extract the bug report zip.
Find the Bluetooth snoop file: bugreport/FS/data/misc/bluetooth/logs/btsnoop_hci.log
Load it into Wireshark for analysis. Now for the grueling part.
You have to go through the capture and find the packets that enable and disable your chosen option. Wireshark display filters help here (for example btrfcomm once you know the device talks RFCOMM), and the direction of a packet tells commands (phone to device) apart from replies.
For me these were exclusively RFCOMM packets, as that is what the speaker uses. Maybe this gives you a hint.
I’ve found a lot of RFCOMM packets, including some suspicious ones:
[screenshot]
Let’s write down their data bytes and compare them side by side:
[screenshot]
Aha!
They differ in only a few bytes, and those bytes are what encodes the option.
Now we know the transport, RFCOMM, and Wireshark tells us the server channel is 2.
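To make the grueling part less manual, here is an added example (my code, not the author's script): a small Python parser for btsnoop_hci.log that keeps only ACL data packets, skips the fixed L2CAP channels, validates candidate RFCOMM UIH frames by their FCS, and reports the offsets at which the payloads differ. It assumes the H4 datalink type (1002) that Android writes and that each L2CAP PDU fits in a single ACL packet, so it skips continuation fragments instead of reassembling them. The sample capture embedded at the bottom is constructed; its command bytes are invented and are not the Earfun Uboom X protocol.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

BTSNOOP_MAGIC = b"btsnoop\x00"
H4_ACL_DATA = 0x02
UIH, UIH_PF = 0xEF, 0xFF          # RFCOMM UIH control byte, without / with the P/F bit


def rfcomm_fcs(data: bytes) -> int:
    """GSM 07.10 FCS: CRC-8, reflected polynomial 0xE0, init 0xFF, result complemented."""
    crc = 0xFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xE0 if crc & 1 else crc >> 1
    return 0xFF - crc


@dataclass
class RfcommFrame:
    sent: bool      # True = phone -> device (btsnoop flag bit 0 clear)
    channel: int    # RFCOMM server channel, the "Channel" Wireshark shows
    payload: bytes


def iter_btsnoop(blob: bytes):
    """Yield (flags, packet) per record of a btsnoop file (RFC 1761 layout, big-endian)."""
    if blob[:8] != BTSNOOP_MAGIC or struct.unpack(">II", blob[8:16]) != (1, 1002):
        raise ValueError("expected a version-1 btsnoop file with H4 datalink (1002)")
    off = 16
    while off + 24 <= len(blob):
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        yield flags, blob[off:off + incl]
        off += incl


def parse_uih(frame: bytes):
    """Return (dlci, payload) if `frame` is an RFCOMM UIH frame with a valid FCS, else None."""
    if len(frame) < 4 or frame[1] not in (UIH, UIH_PF) or not frame[0] & 1:
        return None
    pos, length = 3, frame[2] >> 1
    if not frame[2] & 1:                      # EA bit clear: two-byte length field
        length |= frame[3] << 7
        pos += 1
    if frame[1] == UIH_PF:                    # P/F set on UIH: a credits byte precedes the data
        pos += 1
    payload, fcs = frame[pos:pos + length], frame[pos + length:pos + length + 1]
    # For UIH frames the FCS covers only address and control; a bad FCS means this
    # dynamic L2CAP channel is carrying something other than RFCOMM.
    if len(payload) != length or fcs != bytes([rfcomm_fcs(frame[:2])]):
        return None
    return frame[0] >> 2, payload


def extract_rfcomm(blob: bytes) -> list[RfcommFrame]:
    frames = []
    for flags, pkt in iter_btsnoop(blob):
        if flags & 0x02 or len(pkt) < 9 or pkt[0] != H4_ACL_DATA:
            continue                          # HCI commands/events and non-ACL packets
        handle, _acl_len = struct.unpack("<HH", pkt[1:5])
        if (handle >> 12) & 0x3 == 0x1:
            continue                          # continuation fragment (assumption: not reassembled)
        l2_len, cid = struct.unpack("<HH", pkt[5:9])
        if cid < 0x0040:
            continue                          # fixed L2CAP channels (signalling etc.)
        hit = parse_uih(pkt[9:9 + l2_len])
        if hit:
            dlci, payload = hit
            frames.append(RfcommFrame(sent=not flags & 1, channel=dlci >> 1, payload=payload))
    return frames


def diff_offsets(payloads: list[bytes]) -> list[int]:
    """Offsets at which the payloads differ: the few bytes that encode the option."""
    width = max(len(p) for p in payloads)
    return [i for i in range(width) if len({p[i:i + 1] for p in payloads}) > 1]


# Constructed sample capture: the phone sends three UIH frames on DLCI 4 (channel 2).
# The command bytes are made up and are NOT the Earfun Uboom X protocol.
def _record(payload: bytes, dlci: int = 4, cid: int = 0x0041, ts: int = 0) -> bytes:
    addr = (dlci << 2) | 0x03                 # EA=1, C/R=1
    frame = bytes([addr, UIH, (len(payload) << 1) | 1]) + payload + bytes([rfcomm_fcs(bytes([addr, UIH]))])
    l2cap = struct.pack("<HH", len(frame), cid) + frame
    pkt = bytes([H4_ACL_DATA]) + struct.pack("<HH", 0x0001 | (0x2 << 12), len(l2cap)) + l2cap
    return struct.pack(">IIIIq", len(pkt), len(pkt), 0, 0, ts) + pkt   # flags 0 = sent


ENABLE_CMD, DISABLE_CMD = bytes.fromhex("aa 55 04 10 01 15"), bytes.fromhex("aa 55 04 10 00 14")
SAMPLE_LOG = BTSNOOP_MAGIC + struct.pack(">II", 1, 1002) + b"".join(
    _record(c, ts=i) for i, c in enumerate([ENABLE_CMD, DISABLE_CMD, ENABLE_CMD]))

if __name__ == "__main__":
    found = extract_rfcomm(SAMPLE_LOG)
    for f in found:
        print(">" if f.sent else "<", f"ch{f.channel}", f.payload.hex(" "))
    print("differing offsets:", diff_offsets([f.payload for f in found]))
```

Point extract_rfcomm at the bytes of your own btsnoop_hci.log and filter on sent frames for one channel to get exactly the list of commands to diff. Wireshark is still the better place to browse, but a script lets you diff hundreds of toggles at once and the FCS check weeds out dynamic channels that are not RFCOMM. If your device's commands are longer than the ACL MTU you will see continuation fragments, which this parser skips, so a missing command is a sign to add reassembly.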
Let’s write a quick Python script to replay them and test:
[script]
Seems like it’s working. However, depending on the device, your experience might differ.
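As an added example (my code, not the author's script, which is not reproduced on the page): a Python script that replays captured command payloads over an RFCOMM socket. The device address, the channel constant and the command bytes are placeholders to replace with values from your own capture; the command bytes here are invented. It needs Linux with BlueZ, where Python's socket module provides AF_BLUETOOTH.

```python
from __future__ import annotations
import socket
import sys
import time

DEVICE_ADDR = "00:11:22:33:44:55"   # placeholder: the speaker's address from bluetoothctl
RFCOMM_CHANNEL = 2                  # placeholder: the "Channel" field Wireshark shows
# Placeholder command bytes; paste the payloads from your own capture here.
ENABLE_CMD = bytes.fromhex("aa 55 04 10 01 15")
DISABLE_CMD = bytes.fromhex("aa 55 04 10 00 14")


def patch_bytes(template: bytes, patches: dict[int, int]) -> bytes:
    """Copy `template` with the bytes at the given offsets replaced.

    Once the diff has shown which offsets carry the option value, this turns
    the captured 'enable' packet into the other variants without retyping it.
    """
    out = bytearray(template)
    for offset, value in patches.items():
        if not 0 <= offset < len(out):
            raise IndexError(f"offset {offset} is outside the {len(out)}-byte template")
        out[offset] = value & 0xFF
    return bytes(out)


def open_channel(addr: str, channel: int, timeout: float = 3.0) -> socket.socket:
    """Connect to an RFCOMM server channel; BlueZ does the RFCOMM framing for us."""
    sock = socket.socket(socket.AF_BLUETOOTH, socket.SOCK_STREAM, socket.BTPROTO_RFCOMM)
    sock.settimeout(timeout)
    sock.connect((addr, channel))
    return sock


def send_command(sock: socket.socket, payload: bytes) -> bytes:
    """Send one command payload and return whatever the device answers (b"" on silence)."""
    sock.sendall(payload)
    try:
        return sock.recv(256)
    except socket.timeout:
        return b""


def main(argv: list[str]) -> None:
    addr = argv[1] if len(argv) > 1 else DEVICE_ADDR
    # Toggle the option the same way it was captured, and watch the device
    # (and any replies) to confirm the bytes mean what we think they mean.
    # The 'disable' frame is derived from 'enable' by patching the two differing bytes.
    cmds = (ENABLE_CMD, patch_bytes(ENABLE_CMD, {4: 0x00, 5: 0x14}), ENABLE_CMD)
    with open_channel(addr, RFCOMM_CHANNEL) as sock:
        for cmd in cmds:
            reply = send_command(sock, cmd)
            print(f"> {cmd.hex(' ')}\n< {reply.hex(' ') or '(no reply)'}")
            time.sleep(1.0)


if __name__ == "__main__":
    main(sys.argv)
```

Pair with the speaker first (bluetoothctl), and if the connection is refused while the vendor app is still connected, disconnect the phone: some devices accept only one control connection. Because the socket is SOCK_STREAM, the kernel adds the RFCOMM address, control, length and FCS bytes itself; what you send is exactly the bytes Wireshark showed as the frame's data, which is why the capture and the script line up byte for byte.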
Here are some things to keep in mind:
- Checksums
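Checksums are the first thing that breaks a naive replay, so here is an added example of the check to run before patching any bytes (my code, not from the post): given several captured frames, it tries common 8-bit checksum functions over every start offset and reports which ones reproduce the last byte of every frame. The frames are constructed; their last byte is the 8-bit sum of bytes 2 to 4, which is a common scheme but not a claim about the Earfun Uboom X.

```python
from __future__ import annotations
from typing import Callable


def sum8(data: bytes) -> int:
    """Plain 8-bit additive checksum."""
    return sum(data) & 0xFF


def neg_sum8(data: bytes) -> int:
    """Two's complement of the sum: all bytes plus the checksum add up to 0 mod 256."""
    return (-sum(data)) & 0xFF


def xor8(data: bytes) -> int:
    """Longitudinal parity: XOR of all bytes."""
    result = 0
    for b in data:
        result ^= b
    return result


def crc8(data: bytes, poly: int = 0x07, init: int = 0x00) -> int:
    """Non-reflected CRC-8; poly 0x07 with init 0 is the most common plain variant."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


# Candidate functions to try; extend this when a vendor uses something else.
CANDIDATES: dict[str, Callable[[bytes], int]] = {
    "sum8": sum8,
    "neg_sum8": neg_sum8,
    "xor8": xor8,
    "crc8(poly 0x07, init 0x00)": crc8,
    "crc8(poly 0x31, init 0xff)": lambda d: crc8(d, poly=0x31, init=0xFF),
}


def find_checksum(frames: list[bytes]) -> list[str]:
    """Names of (candidate, start offset) pairs that reproduce the final byte of every frame.

    The checksum is assumed to be the last byte and to cover everything from
    `start` up to (not including) itself; every start offset is tried.
    """
    if len(frames) < 2:
        raise ValueError("need at least two frames; one frame matches almost anything")
    shortest = min(len(f) for f in frames)
    hits = []
    for name, fn in CANDIDATES.items():
        for start in range(shortest - 1):
            if all(fn(f[start:-1]) == f[-1] for f in frames):
                hits.append(f"{name} over bytes [{start}:-1]")
    return hits


# Constructed frames (not real Earfun traffic): header aa 55, group 04, command 10,
# a value byte, and a trailing byte that is sum8 of bytes 2..4.
FRAMES = [
    bytes.fromhex("aa 55 04 10 01 15"),
    bytes.fromhex("aa 55 04 10 00 14"),
    bytes.fromhex("aa 55 04 10 05 19"),
]

if __name__ == "__main__":
    print("two frames  :", find_checksum(FRAMES[:2]))   # sum8 and xor8 both fit
    print("three frames:", find_checksum(FRAMES))       # the value 05 breaks the tie
```

Note the ambiguity this exposes: with only the first two frames, both sum8 and xor8 fit, because the bytes involved have no overlapping bits, and only the third frame separates them. That is the practical reason for capturing more than two toggles. If nothing matches, the checksum may cover a different range (for example excluding a header), sit somewhere other than the last byte, or be a 16-bit value; widen the search before concluding the device has none.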