ScottishTapWater

Reputation: 4776

Get Bluetooth ATT Characteristic UUID from Handle in Packet Capture

I'm reversing the protocol used by my treadmill to try and make a less terrible app.

I think I have the gist of the protocol worked out from some packet captures:

Sending Commands

UUID: 2AD9 (Fitness Machine Control Point)

ATT OPCODE: 0x012 (Write Request)

Operation Value
Start 00
Stop 08 01
Set Speed 02 XX XX

XX XX is Speed in 100 x kmh

Receiving Data

UUID: 2ACD (Treadmill Data)

ATT OPCODE: 0x1b (Received Handle Value Notification)

84 24 XX XX XX XX XX XX 00 ff ff ff XX XX XX XX 00
Start Speed Metres Calories ? ? Seconds Steps END

And this was working when I sent requests through nRF Connect to it the other night. This is actually how I got the UUIDs: I just spammed each endpoint with 0 bytes until the treadmill started. However, now it's not working and I'm not entirely sure why.

So, taking a look back through the packet captures, I see this sequence of writes as soon as the app connects before it does anything:

Packet Capture

So, I'm thinking this is some sort of setup/handshake that I'm missing and somehow must have still been present on the treadmill from an app run when I was messing with it the other night.

Now, I'm using this MAUI lib to connect to the treadmill and read its characteristics.

Unfortunately, it just gives me UUIDs for each of the characteristics, which I can't work out how to tie back to the handles in the packet capture so that I can try and replay the handshake and see if that is my problem.

Is there a way to do this or am I going to have to step through each characteristic, send a request, and then capture that and try and map the two together manually?

FWIW, these handles seem consistent between captures.

Upvotes: 0

Views: 199
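As an added example (not the asker's code), here is a small codec for the two characteristics as described in the question: it builds the three control-point commands from the table above and decodes a Treadmill Data notification by the byte layout shown. It assumes little-endian multi-byte fields (the byte order BLE GATT uses for multi-octet values) and assumes the XX bytes group into uint16 fields in the order the labels appear; the sample notification is constructed, not captured.

```python
import struct

# Opcodes for the Fitness Machine Control Point (UUID 2AD9), as listed in the question.
OP_START = 0x00
OP_STOP = 0x08
OP_SET_SPEED = 0x02

# Fixed bytes of the Treadmill Data notification (UUID 2ACD), as captured.
NOTIFY_LEN = 17
NOTIFY_START = b"\x84\x24"


def build_start() -> bytes:
    """Start: a single 0x00 byte."""
    return bytes([OP_START])


def build_stop() -> bytes:
    """Stop: 0x08 followed by 0x01."""
    return bytes([OP_STOP, 0x01])


def build_set_speed(kmh: float) -> bytes:
    """Set Speed: 0x02 followed by speed * 100 as a uint16.

    Assumption: little-endian, the byte order BLE GATT uses for multi-octet values.
    """
    raw = round(kmh * 100)
    if not 0 <= raw <= 0xFFFF:
        raise ValueError(f"speed {kmh} km/h does not fit in a uint16 of 0.01 km/h units")
    return bytes([OP_SET_SPEED]) + struct.pack("<H", raw)


def parse_treadmill_data(payload: bytes) -> dict:
    """Decode one 17-byte notification by the layout in the question.

    Assumed grouping of the XX bytes (little-endian uint16 each):
      [0:2]   84 24     fixed start bytes
      [2:4]   speed     in 0.01 km/h
      [4:6]   metres
      [6:8]   calories
      [8]     00        meaning unknown
      [9:12]  ff ff ff  meaning unknown
      [12:14] seconds
      [14:16] steps
      [16]    00        end marker
    Only the structure (length, start bytes, end byte) is enforced; the unknown
    bytes are returned as-is so a change in them is visible rather than fatal.
    """
    if len(payload) != NOTIFY_LEN:
        raise ValueError(f"expected {NOTIFY_LEN} bytes, got {len(payload)}")
    if payload[:2] != NOTIFY_START:
        raise ValueError(f"unexpected start bytes {payload[:2].hex()}")
    if payload[16] != 0x00:
        raise ValueError(f"expected 00 end marker, got {payload[16]:02x}")
    speed_raw, metres, calories = struct.unpack_from("<HHH", payload, 2)
    seconds, steps = struct.unpack_from("<HH", payload, 12)
    return {
        "speed_kmh": speed_raw / 100,
        "metres": metres,
        "calories": calories,
        "seconds": seconds,
        "steps": steps,
        "unknown": payload[8:12].hex(),
    }


# Constructed sample: 8.00 km/h, 1250 m, 63 kcal, 600 s, 1500 steps.
SAMPLE_NOTIFICATION = bytes.fromhex("8424 2003 e204 3f00 00 ffffff 5802 dc05 00")

if __name__ == "__main__":
    print("start   :", build_start().hex())
    print("stop    :", build_stop().hex())
    print("set 8.0 :", build_set_speed(8.0).hex())
    print("decoded :", parse_treadmill_data(SAMPLE_NOTIFICATION))
```

The parser rejects anything that does not match the fixed framing (length, `84 24` start, `00` end) but passes the unexplained `00 ff ff ff` bytes through, so a notification whose unknown bytes change shows up in the output instead of being silently accepted or dropped.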

Answers (1)

ScottishTapWater

Reputation: 4776

My understanding is that this is simply not possible in userspace and would require interacting with the bluetooth controller at a much lower level.

To solve this I ended up doing the following on my laptop:

  1. Start capturing packets
  2. Using nRF connect, connect to the treadmill
  3. Find the characteristics I wanted in nRF connect listed by UUID
  4. Send a single packet to that UUID
  5. Observe the handle in the packet capture
  6. Repeat until I'd found all the ones I wanted

This was probably easier than my initial thought of programmatically hitting them all and then trying to pair them up afterwards from a complete log, but it's still not ideal.

Upvotes: 0
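When a capture includes the characteristic discovery an app performs on connect (an ATT Read By Type Request for the Characteristic Declaration type, 0x2803, and its Read By Type Response, opcode 0x09), each entry of that response pairs a value handle with the characteristic's UUID, which is exactly the handle-to-UUID mapping the question is after. The following is an added example, not from either post, that decodes such a response and uses the resulting table to label a captured Write Request. The PDU bytes are constructed: the UUIDs are the two from the question, while the handles and property bits are invented for the example.

```python
import struct
import uuid

ATT_READ_BY_TYPE_RSP = 0x09   # response to a Read By Type Request (e.g. for type 0x2803)
ATT_WRITE_REQ = 0x12          # Write Request, as seen in the question's capture

# Characteristic property bits from the declaration's first value byte.
PROPERTY_BITS = {
    0x01: "broadcast", 0x02: "read", 0x04: "write-no-rsp", 0x08: "write",
    0x10: "notify", 0x20: "indicate", 0x40: "signed-write", 0x80: "ext-props",
}


def uuid_from_le(raw: bytes) -> str:
    """Render a little-endian 16-bit or 128-bit UUID as the short or long text form."""
    if len(raw) == 2:
        return f"{struct.unpack('<H', raw)[0]:04X}"
    if len(raw) == 16:
        return str(uuid.UUID(bytes=raw[::-1])).upper()
    raise ValueError(f"unsupported UUID length {len(raw)}")


def parse_char_declarations(pdu: bytes) -> dict:
    """Map value handle -> characteristic info from one Read By Type Response.

    Each entry is: declaration handle (2), properties (1), value handle (2),
    UUID (2 or 16), all little-endian, so entries are 7 or 21 bytes long.
    """
    if len(pdu) < 2 or pdu[0] != ATT_READ_BY_TYPE_RSP:
        raise ValueError("not a Read By Type Response")
    entry_len = pdu[1]
    if entry_len not in (7, 21):
        raise ValueError(f"entry length {entry_len} is not a characteristic declaration")
    body = pdu[2:]
    if not body or len(body) % entry_len:
        raise ValueError("response body is not a whole number of entries")
    handles = {}
    for off in range(0, len(body), entry_len):
        entry = body[off:off + entry_len]
        decl_handle, props, value_handle = struct.unpack_from("<HBH", entry, 0)
        handles[value_handle] = {
            "uuid": uuid_from_le(entry[5:]),
            "declaration_handle": decl_handle,
            "properties": [name for bit, name in PROPERTY_BITS.items() if props & bit],
        }
    return handles


def describe_write_request(pdu: bytes, handles: dict) -> tuple:
    """Label a captured Write Request with the UUID its handle resolves to."""
    if len(pdu) < 3 or pdu[0] != ATT_WRITE_REQ:
        raise ValueError("not a Write Request")
    handle = struct.unpack_from("<H", pdu, 1)[0]
    info = handles.get(handle)
    label = info["uuid"] if info else "unknown"
    return handle, label, pdu[3:]


# Constructed PDUs: the UUIDs are the ones from the question; the handles and
# property bits are invented for this example.
SAMPLE_DISCOVERY = bytes.fromhex(
    "09 07"
    "0f00 28 1000 d92a"   # decl 0x000F, write|indicate, value handle 0x0010, UUID 2AD9
    "1200 10 1300 cd2a"   # decl 0x0012, notify,         value handle 0x0013, UUID 2ACD
)
SAMPLE_WRITE = bytes.fromhex("12 1000 022003")  # Write Request to 0x0010: Set Speed 8.00 km/h

if __name__ == "__main__":
    table = parse_char_declarations(SAMPLE_DISCOVERY)
    for handle, info in sorted(table.items()):
        print(f"handle 0x{handle:04x} -> {info['uuid']} {info['properties']}")
    print(describe_write_request(SAMPLE_WRITE, table))
```

Feeding the discovery response from a real capture through `parse_char_declarations` gives the same table nRF Connect shows by UUID, keyed by the handles the Write Requests in the capture use, so the handshake writes can be read off without probing each characteristic by hand; the parser also handles the 21-byte entries that vendor-specific 128-bit UUIDs produce.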
