The Practical Guide to Hacking Bluetooth Low Energy

94 points by pentestercrab, more than 6 years ago

6 comments

ohazi, more than 6 years ago
I recently had to debug some BLE hardware that I didn't design, and didn't have much/any documentation for. The command line utilities that are included with bluez on Linux (bluetoothctl, gatttool, etc.) make for a surprisingly decent reverse engineering platform, once you figure out how to use them.

Tab completion in bluetoothctl is a little wonky, but it lets you very quickly scan, connect, list services and characteristics, select the one(s) you're interested in, request descriptions (if available), directly send/receive bytes, and enable/disable notifications.

Once you figure out what data you want or which characteristics you need to poke to get your gadget to do its thing, you can use something like pygatt to build a more purpose-built client application for whatever it is you're trying to interface with.
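An added example, not part of the comment above or of the linked guide: a small Python parser for the characteristic listing that `gatttool --characteristics` prints, decoding each property bitmask so it is clear which value handles accept writes or support notifications. The sample output is constructed and the function names are illustrative.

```python
import re

# GATT characteristic property bits, as defined for the characteristic
# declaration in the Bluetooth Core Specification.
PROPERTY_BITS = {
    0x01: "broadcast",
    0x02: "read",
    0x04: "write-without-response",
    0x08: "write",
    0x10: "notify",
    0x20: "indicate",
    0x40: "authenticated-signed-write",
    0x80: "extended-properties",
}

LINE_RE = re.compile(
    r"handle = 0x(?P<decl>[0-9a-fA-F]+), "
    r"char properties = 0x(?P<props>[0-9a-fA-F]+), "
    r"char value handle = 0x(?P<value>[0-9a-fA-F]+), "
    r"uuid = (?P<uuid>[0-9a-fA-F-]+)"
)

def decode_properties(mask):
    """Return the property names set in a characteristic property byte."""
    return [name for bit, name in PROPERTY_BITS.items() if mask & bit]

def parse_characteristics(text):
    """Parse a characteristic listing into dicts, skipping unrelated lines."""
    chars = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # prompts, blank lines, connection chatter
        chars.append({
            "value_handle": int(m["value"], 16),
            "uuid": m["uuid"].lower(),
            "properties": decode_properties(int(m["props"], 16)),
        })
    return chars

def writable(chars):
    """Characteristics a client can write to (with or without response)."""
    return [c for c in chars
            if {"write", "write-without-response"} & set(c["properties"])]

# Constructed sample listing (not captured from a real device).
SAMPLE = """\
handle = 0x0002, char properties = 0x02, char value handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb
handle = 0x000c, char properties = 0x12, char value handle = 0x000d, uuid = 00002a19-0000-1000-8000-00805f9b34fb
handle = 0x0010, char properties = 0x0c, char value handle = 0x0011, uuid = 0000fff1-0000-1000-8000-00805f9b34fb
"""
```

The value handle, not the declaration handle, is the one to read from or write to once a characteristic of interest has been identified.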
pentestercrab, more than 6 years ago
Anyone interested in BLE might also enjoy this blog post about the Fuze Multi-Card[0]. It mentions the tools btlejuice[1], gattacker[2] and crackle[3].

[0] https://www.elttam.com.au/blog/fuzereview/

[1] https://github.com/DigitalSecurity/btlejuice

[2] https://github.com/securing/gattacker

[3] https://github.com/mikeryan/crackle
devereaux, more than 6 years ago
BLE has many interesting uses!

If you want to start playing with it, get a BLE keychain, and see what you can do with it - like unlocking your desktop when you come home, tracking who is around your computer at given times, etc.

hcitool can do the basics. If you want some extra (like accelerometer data to figure if the keytag is not just here, but "resting" or "moving") you need a better keytag and some time for debugging
MrQuincle, more than 6 years ago
This is a good description of how to use command line tools to connect to BLE devices.

This is not hacking or reverse engineering, but it can be used for it. Also don't forget the Ubertooth, or multiple of them. Useful if you need to listen over multiple advertisement channels and need to know which channel receives what. Have fun!
xoraes, more than 6 years ago
I have been exploring similar BLE "hacking" tools and hardware lately. While this is a pretty good description around how to perform basic recon and basic attacks against poorly protected BLE devices, I haven't been able to find a good tutorial around attacking BLE devices with Out-of-band pairing enabled.

To elaborate further, I have attempted using HackRF to sniff the OOB channels (e.g. NFC) with limited success. So, I'm wondering if anyone has had any experience with it.
syntaxing, more than 6 years ago
This is perfect timing for me. I recently bought this BT controlled white noise generator and the app is horrendous. I've been debating whether to reverse engineer the BT packets so that I can use a Raspi to schedule an on/off time.