
The Practical Guide to Hacking Bluetooth Low Energy - pentestercrab
https://blog.attify.com/the-practical-guide-to-hacking-bluetooth-low-energy/
======
ohazi
I recently had to debug some BLE hardware that I didn't design, and didn't
have much/any documentation for. The command line utilities that are included
with bluez on Linux (bluetoothctl, gatttool, etc.) make for a surprisingly
decent reverse engineering platform, once you figure out how to use them.

Tab completion in bluetoothctl is a little wonky, but it lets you very quickly
scan, connect, list services and characteristics, select the one(s) you're
interested in, request descriptions (if available), directly send/receive
bytes, and enable/disable notifications.

Once you figure out what data you want or which characteristics you need to
poke to get your gadget to do its thing, you can use something like pygatt to
build a more purpose-built client application for whatever it is you're trying
to interface with.
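When you scan with bluetoothctl or hcitool, the raw advertising payload behind each result is a sequence of length/type/data records. The following decoder is an added example (not from the original post or from bluez) that walks those records, names the common types, and treats a record whose declared length runs past the buffer as malformed rather than trusting it; the sample advert and the 0xFFFF company ID are constructed values.

```python
# Subset of AD type codes from the Bluetooth Assigned Numbers list.
AD_TYPES = {0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs", 0x03: "Complete 16-bit UUIDs",
            0x08: "Shortened Local Name", 0x09: "Complete Local Name",
            0x0A: "TX Power Level", 0xFF: "Manufacturer Specific Data"}
FLAG_BITS = {0x01: "LE Limited Discoverable", 0x02: "LE General Discoverable",
             0x04: "BR/EDR Not Supported"}


def parse_ad_structures(payload: bytes) -> list:
    """Split a payload into records of 1-byte length N, 1-byte type, N-1 data bytes.
    A zero length marks padding; a length past the end of the buffer is reported
    as 'Truncated' so a malformed advert cannot push the parser out of bounds."""
    records, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        start, end = i + 1, i + 1 + length
        if end > len(payload):
            records.append({"type": None, "name": "Truncated", "data": payload[start:]})
            break
        ad_type = payload[start]
        records.append({"type": ad_type, "name": AD_TYPES.get(ad_type, f"Unknown(0x{ad_type:02X})"),
                        "data": payload[start + 1:end]})
        i = end
    return records


def describe(record: dict) -> str:
    """Render one AD structure as a human-readable line."""
    t, data = record["type"], record["data"]
    if t == 0x01 and data:
        return "Flags: " + ", ".join(n for b, n in FLAG_BITS.items() if data[0] & b)
    if t in (0x02, 0x03):  # 16-bit UUIDs are little-endian on the air
        uuids = [f"0x{int.from_bytes(data[j:j + 2], 'little'):04X}" for j in range(0, len(data) - 1, 2)]
        return f"{record['name']}: {' '.join(uuids)}"
    if t in (0x08, 0x09):
        return f"{record['name']}: {data.decode('utf-8', errors='replace')}"
    if t == 0x0A and data:
        return f"TX Power Level: {int.from_bytes(data[:1], 'little', signed=True)} dBm"
    if t == 0xFF and len(data) >= 2:
        return f"Manufacturer 0x{int.from_bytes(data[:2], 'little'):04X}: {data[2:].hex()}"
    return f"{record['name']}: {data.hex()}"


# Constructed sample advert: flags, Battery Service UUID 0x180F, name "KeyTag1",
# TX power -4 dBm, and vendor data under the reserved test company ID 0xFFFF.
SAMPLE_ADV = bytes.fromhex("020106" "03030F18" "08094B657954616731" "020AFC" "05FFFFFF0102")
# Constructed malformed advert: the last record claims 4 bytes but only 3 follow.
TRUNCATED_ADV = bytes.fromhex("020106" "04160F18")
```

The same decoder applies to scan-response data, which uses the identical record format.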

------
pentestercrab
Anyone interested in BLE might also enjoy this blog post about the Fuze
Multi-Card[0]. It mentions the tools btlejuice[1], gattacker[2] and crackle[3].

[0] https://www.elttam.com.au/blog/fuzereview/

[1] https://github.com/DigitalSecurity/btlejuice

[2] https://github.com/securing/gattacker

[3] https://github.com/mikeryan/crackle

------
devereaux
BLE has many interesting uses!

If you want to start playing with it, get a BLE keychain, and see what you can
do with it - like unlocking your desktop when you come home, tracking who is
around your computer at given times, etc.

hcitool can do the basics. If you want something extra (like accelerometer data
to figure out whether the keytag is not just here, but "resting" or "moving"),
you need a better keytag and some time for debugging.

~~~
zimpenfish
> tracking who is around your computer at given times

I used to use Smokeping for that back in 2002-3. Had a Vaio running Linux that
did `hcitool ping [Sony Phone]` every 5 minutes. Was most amusing.

------
MrQuincle
This is a good description of how to use command line tools to connect to BLE
devices.

This is not hacking or reverse engineering, but it can be used for it. Also
don't forget the Ubertooth, or several of them. Useful if you need to listen
over multiple advertisement channels and need to know which channel receives
what. Have fun!

------
xoraes
I have been exploring similar BLE "hacking" tools and hardware lately. While
this is a pretty good description of how to perform basic recon and basic
attacks against poorly protected BLE devices, I haven't been able to find a
good tutorial on attacking BLE devices with out-of-band pairing enabled.

To elaborate further, I have attempted using HackRF to sniff the OOB channels
(e.g. NFC) with limited success. So, I'm wondering if anyone has had any
experience with it.

------
syntaxing
This is perfect timing for me. I recently bought this BT-controlled white
noise generator and the app is horrendous. I've been debating whether to reverse
engineer the BT packets so that I can use a Raspi to schedule an on/off time.

