Analyzing Bluetooth Smart Gadget Communications

Bluetooth Smart (Bluetooth Low Energy; BLE) is everywhere!

Ge0rG (@ge0rg@chaos.social)

GPN24 (6. Juni 2026, 22:30, ZKM Kubus)

Agenda

  1. Bluetooth Smart Background

  2. Arming the Androids

  3. Gadget Reconnaissance

  4. Snooping the Log

  5. Analyzing the App

Bluetooth Smart Background

Le Smart Classic Bluetooth? 🤔

🪦 “Bluetooth Smart” / “Smart Ready” (2009-2017)

  • Bluetooth Low Energy ⇒ Bluetooth LE ⇒ BLE

  • “Bluetooth 4.2” / “Bluetooh 5.0” sometimes

  • The “S” in Bluetooth LE stands for “Security”

  • Everything is just “Bluetooth” as of 5.0!

Bluetooth LE Profiles

Beacons / Advertising
Generic Access Profile GAP
Generic ATTribute Profile GATT

Bluetooth LE Service Structure

Every item has a UUID

  • “Short” UUID (0x1800) - approved by Bluetooth Special Interest Group (SIG)
    • Short-form based on Bluetooth SIG Base UUID:
      0x1800 = 00001800-0000-1000-8000-00805F9B34FB
  • “Long” (random!) UUID - vendor-specific, collision-resistant


Reading and Writing

  • “Service”: functionality discoverable by its respective UUID
  • “Characteristic”: individual data element (e.g. “Device name”)
    • WRITE ➤ send data
    • READ ➤ request data immediately
    • NOTIFY ➤ request data updates
  • “Handles” used on the wire for services and characteristics
    • data fragmentation based on MTU: 🎲 23 / 158 / 185 / 517
  • Common combo: 1x WRITE + 1x NOTIFY as “serial interface”

Challenge Levels

Gadget Name Properties Level
Fnirsi IR40 Laser Distance Meter React Native. Unauthenticated NOTIFY with distance in mm, WRITE to start continuous measurement (webtool) ★☆☆☆☆
Colmi P80 Obfuscated Java. Simple WRITE and NOTIFY, >60 commands, sub-, sub-sub-commands, opaque (Moyoung) ★★☆☆☆
SurpLife SMART LED Curtain Flutter binary app 🤐. Simple WRITE commands for single-color fill, complex image format for bitmaps (code) ★★★☆☆
Xiaomi S400 Body Scale Obfuscated Java. Encrypted, authenticated, requires online login and cloud token extraction ★★★★☆
SpportsTech ES600 Unobfuscated Java. Simple protocol, BUT: Requires pedaling the bike to connect 🥵🥵🥵🥵

Preparation

Arming the Androids

On the Phone

  1. Developer Mode: “Settings” ➤ “Software” ➤ “Build Number” ➤ 7x 🖕

  2. Bluetooth Logging: “Developer Settings” ➤ “Bluetooth HCI Snoop”

  3. nRF Connect for Mobile (Google Play)

  4. Install your gadget’s app

On the PC

  1. Install adb and Android USB drivers ➤ obtain HCI log files

  2. Install Wireshark ➤ read HCI log files

  3. Install jadx-gui ➤ decompile Android APKs

  4. Bonus level: install apk-mitm + Zed Attack Proxy ➤ 🐒 Monkey-in-the-Middle

Gadget Reconnaissance

Am I the first?

Use nRF Connect

  • Get “Device Name”
  • Get service and characteristic UUIDs
  • Device Name sometimes contains parts of MAC address

Use Google your favorite search engine!

  • Search for BLE name, UUIDs, brand name, model, …
  • Look up MAC address manufacturer…
  • Check GitHub, GitLab, Codeberg, …
  • Fitness: check Gadgetbridge issues, ask the devs

Xavax 7W E27 RGB Light

  • No clear model name, opaque PN (“001119730001”)
  • Googled “Xavax RGB LED Bluetooth”
  • Found User manual with hint:
    • App is called “XAVAX II” (~2018) - deleted from Play Store eons ago
    • APKPure has mirror of APK
    • Package name com.mobifyi.xavax_app

Downloading HCI Logs

At first ensure that you are recording logs, and can fetch them!

Real Rooted Android (LineageOS)

$ adb root
$ adb pull /data/misc/bluetooth/logs/btsnoop_hci.log

Original ROM + Root

$ adb shell su -c "tar c -C/data/log/bt/ btsnoop_hci.log" |tar xvv

Kinder-Android

$ adb bugreport bugreport-2026-03-15-mygadget.zip
... ⌛ ... 🥱 ... ☕ ... (2 minutes later)
$ unzip bugreport-2026-03-15-mygadget.zip FS/data/log/bt/btsnoop_hci.log
$ file FS/data/log/bt/btsnoop_hci.log
FS/data/log/bt/btsnoop_hci.log: BTSnoop version 1, HCI UART (H4)

Recording Useful HCI Logs

🤔 What exactly did I do, in which order? 🤔

  1. Take the time (Seconds precision! On your Android!)

  2. Start the “original” app

  3. Make notes or screenshots (or a screen recording)

    • Timestamp (“17:23:42” - it’s in the screenshot filename!)
    • Exact action (“set wakeup time”)
    • Exact parameters (“09:30 AM”)

  4. Remember if you screenshotted before or after the action

  5. Download HCI log and start digging

Wiresharking the log

Wireshark: Filters

  • bluetooth.addr==DE:AD:CA:FE:BA:BE (from/to gadget)
  • btatt (Bluetooth ATT payloads)
    • btatt.opcode values: 0x0b=READ ··· 0x1b=NOTIFY ··· 0x52=WRITE

Analyzing the App

Getting the APK

Obtaining the Package Name

  • “Share” from the Play Store listing ➤ URL query parameter
  • Needle in the haystack: adb shell cmd package list packages | grep title
  • From the APK: SDK/build-tools/36.1.0/aapt dump badging shitty.apk | head -1

Potential download sources

  1. Download from phone (adb)
$ adb shell pm path com.crrepa.band.colmi_fit
package:/data/app/~~9L5M7kslKekKaroB33ApYQ==/com.crrepa.band.colmi_fit-wx5dVrs6O5sbSG-SoFXlsA==/base.apk
package:/data/app/...../split_config.arm64_v8a.apk
package:/data/app/...../split_config.de.apk
package:/data/app/...../split_config.en.apk
package:/data/app/...../split_config.xxhdpi.apk
$ adb pull /data/app/~~9L5M7kslKekKaroB33ApYQ==/com.crrepa.band.colmi_fit-wx5dVrs6O5sbSG-SoFXlsA==/base.apk

  1. Download from phone (APK Extractor)

  2. Google them / Aurora Store / APKPure / QR code (Chinese apps)

Analyzing the App

Decompile with jadx

  • jadx-gui base.apk ➤ open in interactive viewer
  • jadx base.apk ➤ will extract into package_name/

Exploration and digging

  1. Find the UUIDs / names / other things
  • “Navigation” ➤ “Text Search” ➤ fff1 (UUID for SportsTech ES600)
    • BluetoothAdapter.LeScanCallback
    • BluetoothGattCallback
    • BluetoothGattCharacteristic

Example: SportsTech ES600

Device Under Test

“eHealth” app (2018)

Package name: com.yuedongsports.e_health - UUIDs fff1 and fff2

/* com.yuedongsports.e_health.service.UartService */
RX_CHAR_UUID = UUID.fromString("0000fff2-0000-1000-8000-00805f9b34fb");
TX_CHAR_UUID = UUID.fromString("0000fff1-0000-1000-8000-00805f9b34fb");

/* stripped irrelevant code, error handling, debug output */
public boolean writeRXCharacteristic(byte[] payload) {
    service = mBluetoothGatt.getService(RX_SERVICE_UUID);
    characteristic = service.getCharacteristic(RX_CHAR_UUID);
    characteristic.setValue(payload);
    mBluetoothGatt.writeCharacteristic(characteristic);
}

/* com.yuedongsports.e_health.util.BluetoothCommand */
public static boolean readUserInfo(UartService uartService) {
    L.e("readUserInfo...");
    byte[] payload = { 242, 194, 1, 0, 0 };
    payload[4] = BluetoothCalculatorUtils.checkOutSum(payload);
    return uartService.writeRXCharacteristic(payload);
}

242 = header, 194 = cmd “read user info”, 1 = length, 0 = payload, checkOutSum() - all bytes’ sum

Python Reimplementation with Bleak

(venv) $ python3 cli.py 68:9E:19:xx:xx:xx
Connecting...
Connected!
>> f2c000b2
>> f2c1050100000000b9
<< R_LINK_COMMAND len: 0 b'\xc2' 194 b''
>> f2c20100b5
<< R_MEMORY_COMMAND len: 12 b'\t' 9 b'010118000020000000000000'
<< UNK_210 len: 14 b'\xbe' 190 b'00001901003200a0000000000000'
...
EOFError
  • I crashed it (the controller reboots)!

🎉 🤦

Further Examples

BLE Printers

Other gadgets

Bonus Level

Zed Attack Proxy

Perform a MitM attack on app’s cloud connection to get a full picture

  1. Install and launch ZAP on your PC, under Tools ➤ Options ➤
    • Local Servers/Proxies ➤ Main Proxy: check IP and port!
    • Server Certificates: Generate, Save zap_root_ca.cer
  2. Use apk-mitm on the target APK
  3. Fully uninstall the originally signed app, install the MitM-patched APK (if you get a certificate mismatch error, also uninstall from work profile 🤦)
  4. adb push zap_root_ca.cer /sdcard/
  5. Android Settings ➤
    • Connections ➤ WiFi ➤ “My Network” ➤ More ➤ Proxy ➤ Manual ➤ Your laptop IP
    • Security ➤ Encryption & Credentials ➤ Install a certificate ➤ CA certificate
  6. PROFIT!

Alternative: mitmproxy (web UI, wireguard “service”)

Wireshark Dissectors

Lua runtime that will process a packet, converting it into a protocol tree

  • Reference documentation: good
  • Beginner documentation: 🤐🥵

Example: MOYOUNG / COLMI (high-level description, Lua dissector)

moyoung = Proto("MOYOUNG",  "MOYOUNG BLE Protocol")
moyoung.fields.uuid = ProtoField.uint16("moyoung.uuid", "DaFit UUID", base.HEX)
moyoung.fields.size = ProtoField.uint16("moyoung.size", "Size", base.DEC, nil, 0x1fff)

function moyoung.dissector(buffer, pinfo, tree)
    if buffer:len() > 4 and buffer(0, 2):uint() == 0xfeea then
        pinfo.cols.protocol = moyoung.name
        local subtree = tree:add(moyoung, buffer(), "MOYOUNG protocol message")
        subtree:add(moyoung.fields.uuid, buffer(0, 2))
        subtree:add(moyoung.fields.size, buffer(2, 2))
        local cmd = buffer(4, 1):uint()
        subtree:add(moyoung.fields.cmd, buffer(4, 1))
    end
end