Reversing and Exploiting BLE 4.0 communication

I started to study and pen testing on BLE devices since 6 months, there are some blogs and articles about BLE reversing but it’s not well explained, Through this blog, you well get an idea about, how to conduct reverse engineering of BLE 4.0 communications and exploit it.

Before we start, we need to understand first Bluetooth communication, there are 2 types Bluetooth communications,

  • Classic Bluetooth i.e Bluetooth 2.0
  • Bluetooth Low energy i.e BLE 4.0

Actually, Classic Bluetooth specification started from Bluetooth 1.0 and 1.0B, these specifications are handled by SIG (Bluetooth Special Interest Group) and all Bluetooth manufacturers and service companies are a member of SIG.

Bluetooth Low  Energy is a wireless personal area network, originally created by Nokia under name of Wibree in 2006 and merged into Bluetooth standard in 2010. Nowadays most of the devices support BLE 4.0 and SIG announced BLE 5 specification on June 16, 2016. Bluetooth Smart technology operates in the same spectrum range (the 2.400–2.4835 GHz ISM band) as Classic Bluetooth technology but uses a different set of channel i.e 40 2-Mhz and out of it, 37 channels are used for data and remaining 3 channels are used for Advertising purpose.

BLE 4.0 devices come in 2 roles,

  • Peripheral: – Low power and constrained devices
  • Central: – Usually powerful devices such as Mobile, Laptop etc

Start network of Bluetooth network is called as Piconet in Bluetooth terminology. So central device connect up to 2 rest to 31 peripheral devices. It works on Advertising and Scanning mechanism in the context of GAP and GATT.

GAP stands for Generic Access Profile and it controls connections and advertising.  GAP make sure, your device visible to everyone. More information about GAP visit https://learn.adafruit.com/introduction-to-bluetooth-low-energy/gap

Once you establish a connection between your peripheral and a central device, the advertising process will generally stop and you will typically no longer be able to send advertising packets out anymore, and you will use GATT services and characteristics to communicate in both directions.

GATT stands for Generic Attribute Profile, it defines the communication semantics between the client and the server. It plays a role when the connection established, it uses a concept called Profile, Services and Characteristics. The profile is a predefined collection of services compiled with either Bluetooth SIG or Peripheral designer. Service may contain one or more characteristics, it used to break up data in different entities and identified in 16 bit or 128 bit UUID. Characteristics encapsulate single data point and identified in 16 bit or 128 bit UUID. More information about GATT visit https://learn.adafruit.com/introduction-to-bluetooth-low-energy/gatt

So we know about BLE 4.0, Here we have Mansaa Bluetooth LED bulb, which supports BLE 4.0 communication protocol.

let’s start with reconnaissance Phase,

Here I used Linux box i.e Kali 2.0 and it comes with default latest Bluez utility to interact with BLE devices. And I used CSR 4.0 BLE adapter to interact and exploit BLE devices. Once you plug in CSR adapter it will listen on hci1 if you are on the virtual machine, here I am on Kali virtual box. You can identify the interface by giving command “hciconfig”

In recon phase, I used hcitool to identify the Bluetooth address of available BLE devices in the air.

$ hcitool - I hci1 lescan 

lescan is used to scan BLE enabled devices.

To know more information about particular Bluetooth address, use the following command.

$ hcitool –I hci1 leinfo 8C:8B:83:52:FF:B8

leinfo is used to gather more information about BLE devices like manufacturers information, in this case, Texas Instrument is the manufacture of BLE chip which is used in Mansaa BLE led device.

Now it’s time to get the information about the services and characteristics being served by Mansaa device, to get the information of services and characteristics I used a gatttool utility from Bluez.

$ gatttool –I hci1 –b 8C:8B:83:52:FF:B8 - - primary

In above screenshot, 00001800-0000-1000-8000-00805f9b34fb is UUID of primary services. You can see 1800, 1801, 180a are the identification number for specific services which are specified by SIG.you can get more information about 1800 from the following link.

https://www.bluetooth.com/specifications/gatt/viewer?attributeXmlFile=org.bluetooth.service.generic_access.xml

and same for other as well, 1800 is used for generic information like device name, appearance etc.

To identify the characteristics of Mansaa device, I used again gatttool and command as follows,

$ gatttool –I hci1 –b 8C:8B:83:52:FF:B8 - - characteristics 

Above screenshot, you can see 2a00, 2a01,2a02 and 2a03 are the identification number of characteristics UUID  which is specified by SIG. You can get information about 2a00 from below link.

https://www.bluetooth.com/specifications/gatt/viewer?attributeXmlFile=org.bluetooth.characteristic.gap.device_name.xml

Now it’s time to do reverse engineering of BLE communication So enabled HCI snoop logging to record all interaction between central (Here our Android Mobile ) and peripheral device (Mansaa LED bulb). Here is the link to enable and retrieve log file from Android Mobile,

http://www.fte.com/WebHelp/BPA600/Content/Documentation/WhitePapers/BPA600/Encryption/GettingAndroidLinkKey/RetrievingHCIlog.htm

During the communication, I started Mansaa application on Android mobile and start ON and OFF Mansaa BLE led bulb and again try to change the colour of bulb, so all these interactions get recorded in the btsnoop log file.

Once you retrieve log file from the phone which named as btsnoop_hci.log and opens it with Wireshark and applies filter “btl2cap.cid==0x0004” and analyse write command with handle.

Above screenshot, in the write command, handle 0x002b is used for writing commands with value d0fffffff. That means Mansaa application is writing some values with handle 0x002b, so will take advantage of the value and handle.

So while analysing each every value, will come to know the use of each and every value. To send these value to Mansaa Bulb, once I used gatttool,

$ gatttool –I hci1 –b 8C:8B:83:52:FF:B8 - -char-write-req –a 0x002b –n d00000000

BOOM, Mansaa BLE bulb went OFF.

That means d00000000 is used for to OFF bulb. Let analyse the command,

–char-write-req is used for writing any request, -a used for to give handle along with value i.e d00000000 with –n switch.

After further reversing, I came to know the usage of the other values as follows

To bulb ON

For green colour

For Pink Colour

This is how I reversed the BLE communication of Mansaa Bulb.

 

 

 

 

 

 

 

Comment ( 1 )

  1. saurabh
    says:

    Good article. Thank you for sharing Arun & Payatu team

Leave a Reply

Your email address will not be published. Required fields are marked *

7 + 7 =