Tutorial: Hexiwear Bluetooth Low Energy Packet Sniffing with Wireshark


For a university reasearch project I try to pair the Raspberry Pi 3 with a Mikroelektronika Hexiwear using BLE (Bluetooth Low Energy). Most of things worked after a lot of trial and error, but at a certain point I was stuck trying to write to send data from the Raspy to the BLE device.The Hexiwear BLE protocol description is very thin, so I ended up using a BLE sniffer to reverse engineer the protocol with Wireshark.

Sniffing BLE Packets between Raspy and Hexiwear

Hardware setup between Raspy and Hexiwear

Outline

In this article I describe the needed steps to record and analyze BLE communication packets with the Adafruit Bluefruit LE Sniffer and Wireshark. While I’m using a Raspberry Pi and with the Hexiwear, the steps could be easily applied to any BLE communication. As a special point, I’m sniffing a connection with authentication between the Raspberry Pi and the Hexiwear.

Wireshark is an open source packet sniffing program, for all kind of protocols and packets. With Wireshark and can collect and analyze the BLE packets:

BLE Packet in Wireshark

BLE Packet in Wireshark

The Adafruit Bluefruit LE Sniffer is a small dongle with serial interface featuring a Nordic Semiconductor nRF51822 BLE module (MDBT40). Adafruit has a module available with a sniffer firmware preloaded (https://www.adafruit.com/product/2269).

Active Sniffing Connection

Active Sniffing Connection

Adafruit BLE Sniffing Hardware

Adafruit BLE Sniffing Hardware

Installation

Follow the steps described in https://learn.adafruit.com/introducing-the-adafruit-bluefruit-le-sniffer. I’m using the following:

  1. FTDI driver for the FT231X on the sniffer: FTDI Driver Download Page
  2. Nordic Sniffer application (sorry, Windows only): http://www.nordicsemi.com/eng/Products/Bluetooth-low-energy/nRF-Sniffer.
    For Mac OS X and Linux see the Adafruit page using the Python API.
  3. Wireshark Version 1.12.10. It is important to use exactly that version, as other versions might not work. The version 1.12.10 can be found here: https://www.wireshark.org/download/https://www.wireshark.org/download/win32/all-versions/ (32bit) and https://www.wireshark.org/download/win64/all-versions/ (64bit)

I’m using the following version of the Nordic Sniffer Software:

Nordic Semiconductor Sniffer Software Version

Nordic Semiconductor Sniffer Software Version

This is the version information of the Wireshark version I’m using:

Wireshark Version Used

Wireshark Version Used

Verify that the FTDI serial driver is installed and the sniffer board is recognized:

FTDI Serial Driver Installed in Windows

FTDI Serial Driver Installed in Windows

Sniffing Encrypted BLE Packets

In order to be able to sniff an encrypted/authenticated connection, it is important to keep the following steps in exact the order presented!

Run the Nordic sniffer application (in my case: ble-sniffer_win_1.0.1_1111_Sniffer.exe):

Nordic BLE Sniffer Application

Nordic BLE Sniffer Application

💡 IMPORTANT: the sniffer will report “!!Your firmware is outdated!!”. Do NOT upgrade the firmware!

After a while, the Hexiwear should show up. At that point, start Wireshark with pressing the ‘w’ key in the sniffer:

Whireshark started from the BLE Sniffer

Whireshark started from the BLE Sniffer

In the sniffer program, select the Hexiwear device from the list (‘0’ in my case):

Hexiwear selected from the device list

Hexiwear selected from the device list

Next, start the pairing to the device (see “Tutorial: BLE Pairing the Raspberry Pi 3 Model B with Hexiwear” how to do this from a Raspberry Pi/Linux with Bluez): a pairing code will show up on the device:

Pairing Code on BLE Device

Pairing Code on BLE Device

Enter that code first in the sniffer program. For this, enter ‘p’ followed by the passkey.

Entering Passkey in Sniffer

Entering Passkey in Sniffer

Then enter that code on the device which initiated the paring (e.g. the Raspberry Pi):

entering pairing key on the master

entering pairing key on the master

💡 Note that this needs to happen rather fast, as otherwise the pairing will run into a timeout. You might need to try this several times until the sequence works.

With this, the sniffer program and Wireshark can listed to the encrypted data packets.

Filtering Packets

In Wireshark, there are many ’empty PDU’ packets sniffed. The Master (Raspberry Pi in my case) needs to poll the slave, and this results in many empty packets. As I’m not interested in these empty packets, and can filter them out:

Unfold a data header, drill down to the data header length and apply a filter as ‘not selected’:

Filtering out empty packets

Filtering out empty packets

This removes all the empty PDU packets with a filter:

Empty PDU filtered out

Empty PDU filtered out

Inspecting Packets

Now I can see in Wireshark the packets. This is very useful for reverse engineering the protocol, or as in the case of the Hexiwear the protocol is not very well documented. For example in “Tutorial: BLE Pairing the Raspberry Pi 3 Model B with Hexiwear” I wanted to write the date/time to the Hexiwear device, but always failed. With Wireshark and the BLE sniffer I was able to record the data packets sent between the mobile phone application and the Hexiwear to set the date/time:

Writing Date/Time

Writing Date/Time

The sniffer shows that the following data is written with a write-request on handle 0x61:

03 04 22e65a58 0000000000000000000000000000

The 0x03 is the command for writing date/time, followed by 0x04 with the length of the following time (seconds since 1970): 0x585ae622 (data is sent in little-endian).

0x585ae622 (or 1482352162) is 21-Dec-2016 20:29:00 (see http://www.epochconverter.com/) which indeed is what showed up on the Hexiwear :-).

With this knowledge, I was able to replicate this from the Raspberry Pi:

char-write-req 61 030422e65a580000000000000000000000000000
Writing Date and Time on Hexiwear

Writing Date and Time on Hexiwear

Summary

Sometimes it is all about the right tools: like having a logic analyzer to see what is going on with a wired bus like SPI or I²C, a packet sniffer is incredible valuable to understand a wireless protocol. With the help of the Adafruit Bluefuit LE Sniffer and Wireshark I’m now able to inspect and see the encrypted packets exchanged between a Hexiwear and a Raspberry Pi and reverse engineer the protocol used :-).

Happy Sniffing 🙂

Links

Advertisements

3 thoughts on “Tutorial: Hexiwear Bluetooth Low Energy Packet Sniffing with Wireshark

  1. Pingback: Tutorial: BLE Pairing the Raspberry Pi 3 Model B with Hexiwear | MCU on Eclipse

  2. Pingback: Using Python, Gatttool and Bluetooth Low Energy with Hexiwear | MCU on Eclipse

  3. Pingback: Hexiwear | Hexiwear, BLE and sharks – tutorial on BLE communication packets - Hexiwear

What do you think?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s