Low-level Bluetooth packet analysis

I have a fitness tracker that uses Bluetooth LE with my iPhone 6+. Unfortunately, the application does not expose the raw data coming out of the tracker and there is no way to export it, while this data is very interesting to me. I purchased a Bluetooth LE sniffer from Adafruit and used Wireshark to capture packets. While I can open the capture and parse the headers without issue, the actual data is somewhat beyond me.

I've looked at posts on the net about analyzing packets / frames, but what's the best way to start analyzing the data? Dumping it into a giant hex editor didn't help (obviously).

Including the various Info terms in my searches was confusing and showed zero results on the SE network.

Here's an example Wireshark window of packets, which I assume is the data recorded while tracking the movement of the tracker:

(screenshot: Wireshark packet list from the BLE sniffer capture)

And one randomly selected packet:

(screenshot: packet details and raw bytes of one captured packet)

Any help finding the best resources and a place to start analyzing these packets and their data is appreciated!

+3


1 answer


The best way to start analyzing your data is to figure out where the actual data begins and where it ends.

Disclaimer: I have no experience with Bluetooth, but let's give it a try.

You have two types of captured packets: Empty PDU (some form of signaling?) and ATT. Finding data in empty PDUs seems counterproductive, so take a look at ATT.

Wikipedia says:

Attribute Protocol (ATT)

It allows the client to read and/or write certain attributes on the server in a non-complex, low-power friendly manner.

It looks a lot like data.

A quick Google search for "L2CAP packet format" reveals several formats starting with a 4 byte header: 2 bytes length + 2 bytes CID (little-endian).

Using the giant hex editor, we find the corresponding 4 bytes immediately after the data header 06 1b. They are 17 00 04 00, matching the length 23 and CID 0x0004.

Looking up the CID 0x0004 reveals that this is indeed the reserved value for ATT.

ATT packet format lookup time: it seems to start with a 1 byte opcode. This 1d stands for HANDLE_VALUE_INDICATION. The handle is next (2 bytes), equal to 0x001b as in the first image.

So the 20 bytes after the handle are the value. What it represents is anyone's guess.

05 e5 00 83 ff 4a 00 77 77 77 fc 6d fc 37 fc 18 fe 1f 03 43

Digging a bit further shows that Wireshark should be able to parse ATT directly (try Decode As?), that there are tutorials on learn.adafruit.com for the BLE Sniffer, and even an article by a guy trying to reverse-engineer a colored light bulb by parsing ATT packets.

+7
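A worked parse of the bytes the answer walks through, as an added example that is not part of the original answer. It glues the "06 1b" data header, the L2CAP header 17 00 04 00, the opcode 1d, the handle 1b 00 and the 20-byte value quoted above into one constructed frame, then splits it back into its fields the same way the answer does by hand. The opcode table is a small subset of the ATT opcodes from the Bluetooth Core specification; the int16 interpretation of the value is an assumption offered purely as a first hypothesis to test, not a known format for this tracker.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample frame: the "06 1b" data header, L2CAP header, ATT opcode,
# handle and 20-byte value are the bytes quoted in the answer above, glued
# together so the parser has something to chew on offline.
SAMPLE = bytes.fromhex(
    "061b"          # data header (skipped); 0x1b = 27 = 4-byte L2CAP hdr + 23
    "17000400"      # L2CAP: length 0x0017 = 23, CID 0x0004 = ATT, little-endian
    "1d"            # ATT opcode 0x1d = Handle Value Indication
    "1b00"          # attribute handle 0x001b, little-endian
    "05e50083ff4a00777777fc6dfc37fc18fe1f0343"  # 20-byte attribute value
)

ATT_CID = 0x0004

# Small subset of ATT opcodes (Bluetooth Core spec); enough for the
# notification/indication traffic a tracker streams to the phone.
ATT_OPCODES = {
    0x0a: "READ_REQUEST",
    0x0b: "READ_RESPONSE",
    0x12: "WRITE_REQUEST",
    0x13: "WRITE_RESPONSE",
    0x1b: "HANDLE_VALUE_NOTIFICATION",
    0x1d: "HANDLE_VALUE_INDICATION",
    0x1e: "HANDLE_VALUE_CONFIRMATION",
}
HANDLE_VALUE_OPCODES = {0x1b, 0x1d}


@dataclass
class AttPdu:
    l2cap_len: int
    cid: int
    opcode: int
    opcode_name: str
    handle: Optional[int]   # only present for handle/value PDUs
    value: bytes


def parse_att(frame: bytes, data_header_len: int = 2) -> AttPdu:
    """Split one captured frame into its L2CAP header and ATT PDU.

    Raises ValueError when the frame is truncated or the CID is not ATT, so a
    caller looping over a capture can skip empty PDUs and other channels
    instead of misreading them as attribute data.
    """
    body = frame[data_header_len:]
    if len(body) < 4:
        raise ValueError("frame too short for an L2CAP header")
    l2cap_len, cid = struct.unpack_from("<HH", body, 0)
    payload = body[4:4 + l2cap_len]
    if len(payload) != l2cap_len:
        raise ValueError(f"L2CAP says {l2cap_len} bytes, got {len(payload)}")
    if cid != ATT_CID:
        raise ValueError(f"CID {cid:#06x} is not the ATT channel")
    if not payload:
        raise ValueError("empty ATT PDU")

    opcode = payload[0]
    handle: Optional[int] = None
    value = payload[1:]
    if opcode in HANDLE_VALUE_OPCODES:
        if len(payload) < 3:
            raise ValueError("handle/value PDU missing its handle")
        (handle,) = struct.unpack_from("<H", payload, 1)
        value = payload[3:]
    return AttPdu(l2cap_len, cid, opcode,
                  ATT_OPCODES.get(opcode, f"UNKNOWN_{opcode:#04x}"),
                  handle, value)


def as_int16_le(value: bytes) -> List[int]:
    """One candidate reading of an opaque value: little-endian signed 16-bit
    samples, a common layout for accelerometer-style sensor data. This is a
    hypothesis to test against the tracker's behaviour, not a known format."""
    usable = len(value) - len(value) % 2
    return list(struct.unpack("<%dh" % (usable // 2), value[:usable]))


if __name__ == "__main__":
    pdu = parse_att(SAMPLE)
    print(f"L2CAP len={pdu.l2cap_len} cid={pdu.cid:#06x} "
          f"opcode={pdu.opcode_name} handle={pdu.handle:#06x}")
    print("value:", pdu.value.hex(" "))
    print("as int16 LE:", as_int16_le(pdu.value))
```

The length checks are the part worth keeping once you loop this over a whole capture: the second header byte (0x1b = 27) must equal the 4-byte L2CAP header plus the 23-byte L2CAP length, and 23 must equal 1 opcode + 2 handle + 20 value bytes, which is exactly the bookkeeping the answer does by eye. A frame that fails those checks is either an empty PDU, a different channel, or a fragment, and should be skipped rather than fed to the value decoder.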
