Reverse engineering a BLE clock
Perfect Time
![© Photo by ANIRUDH on Unsplash © Photo by ANIRUDH on Unsplash](/var/linux_magazin/storage/images/issues/2023/272/reverse-engineering-bluetooth/photobyanirudhonunsplash_nixie-tube-clock.png/823736-1-eng-US/PhotobyANIRUDHonUnsplash_Nixie-Tube-Clock.png_medium.png)
© Photo by ANIRUDH on Unsplash
What do you do when all your Bluetooth clocks show slightly different times? With some reverse engineering, you can write a Python program to synchronize your clocks.
A while ago, I bought a ThermoPro TP358, a Bluetooth Low Energy (BLE) digital thermometer with a display. The ThermoPro shows the temperature, humidity, and air comfort indicator, as well as the time and day of the week. Its big display is nice for immediate feedback, but the device also lets you read its values and view graphs in the ThermoPro Sensor app, available on Android and iOS (Figure 1). Moreover, every time you connect to the device with the app, it synchronizes the time.
![](/var/linux_magazin/storage/images/issues/2023/272/reverse-engineering-bluetooth/figure-1/823739-1-eng-US/Figure-1_large.png)
While that is a nice feature, I have a couple of other types of Bluetooth sensors with a clock, and I didn't want to use multiple apps to view the sensor measurements and synchronize the clocks. For the sensor measurements, a solution already exists: Software such as Home Assistant [1] supported my devices out-of-the-box, letting me view their measurements in Home Assistant's dashboard. However, I couldn't find any solution that let me synchronize the time across all of my Bluetooth clocks without using the individual apps.
From past experience reverse engineering other Bluetooth devices, I knew that it should be possible to intercept the synchronization commands between my Android phone and the clock. My plan was to figure out the meaning of the commands and then reimplement the same time synchronization command in a Python script that I could run once a day on a Raspberry Pi. This article describes how I did this for the ThermoPro TP358, but you can use the same procedure with any other BLE device.
Investigating BLE Traffic Logs
There are various ways to intercept BLE traffic. If you're investigating BLE packets sent and received by an Android app, an easy way is to let your phone log its Bluetooth packets while using the app, then transfer the logs to your computer, and open the logs with Wireshark [2] to go through the recorded Bluetooth traffic.
Wireshark is a powerful open source network protocol analyzer. Network administrators use it to analyze network problems, and it also comes in handy to troubleshoot a WiFi or Ethernet network at home. Wireshark can also capture other protocols, including Bluetooth, live or from logs.
To transfer the Bluetooth logs from your phone to your computer, you need the Android Debug Bridge (adb). Most distributions have both Wireshark and adb in their official repositories, so you can install them with your distribution's package manager. If not, you can find Wireshark on its website and adb as part of the Android SDK Platform Tools [3] package.
Preparing Your Phone
First you need to enable USB debugging on your Android phone. This can differ on some models, but generally you need to go to Settings, tap About phone, then Software information, and finally tap Build number seven times. Then enter your PIN to unlock the Developer options menu, which will appear in your Settings menu.
Now, reopen the Settings menu, go to the new Developer options menu, and switch on USB debugging (Figure 2). Then tap on Enable Bluetooth HCI snoop log. After this, disable and re-enable Bluetooth to start logging Bluetooth traffic.
![](/var/linux_magazin/storage/images/issues/2023/272/reverse-engineering-bluetooth/figure-2/823742-1-eng-US/Figure-2_large.png)
Synchronizing Time
Now open the app and let it connect to your BLE device. After clicking on Add Device, the app finds all ThermoPro clocks in the vicinity. Tap the plus sign next to one of the clocks. The app then connects to the device, downloads sensor measurements, and synchronizes the time. Then close the app, and write down the current date and time. In my case, this was Sunday, March 5, 2023 at 11:01.
Because the app has communicated with the device, there should be some Bluetooth packets logged. Connect your phone to your computer via USB. Your phone will ask to allow the computer access. Confirm this, and then run the following command on your computer:
adb devices
This should show your phone as an attached device. If you haven't confirmed access yet on your phone, the device will be listed as "unauthorized."
Thanks to adb, you can generate a bug report file, which is a ZIP file including the btsnoop_hci.log
file you need in FS/data/log/bt
. Generate this bug report file and transfer it to your computer with:
adb bugreport
This can take a while, but the resulting file will have a name like dumpstate-2023-03-05-11-07-00.zip
, from which you will extract FS/data/log/bt/btsnoop_hci.log
.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
![Learn More](https://www.linux-magazine.com/var/linux_magazin/storage/images/media/linux-magazine-eng-us/images/misc/learn-more/834592-1-eng-US/Learn-More_medium.png)
News
-
NVIDIA Released Driver for Upcoming NVIDIA 560 GPU for Linux
Not only has NVIDIA released the driver for its upcoming CPU series, it's the first release that defaults to using open-source GPU kernel modules.
-
OpenMandriva Lx 24.07 Released
If you’re into rolling release Linux distributions, OpenMandriva ROME has a new snapshot with a new kernel.
-
Kernel 6.10 Available for General Usage
Linus Torvalds has released the 6.10 kernel and it includes significant performance increases for Intel Core hybrid systems and more.
-
TUXEDO Computers Releases InfinityBook Pro 14 Gen9 Laptop
Sporting either AMD or Intel CPUs, the TUXEDO InfinityBook Pro 14 is an extremely compact, lightweight, sturdy powerhouse.
-
Google Extends Support for Linux Kernels Used for Android
Because the LTS Linux kernel releases are so important to Android, Google has decided to extend the support period beyond that offered by the kernel development team.
-
Linux Mint 22 Stable Delayed
If you're anxious about getting your hands on the stable release of Linux Mint 22, it looks as if you're going to have to wait a bit longer.
-
Nitrux 3.5.1 Available for Install
The latest version of the immutable, systemd-free distribution includes an updated kernel and NVIDIA driver.
-
Debian 12.6 Released with Plenty of Bug Fixes and Updates
The sixth update to Debian "Bookworm" is all about security mitigations and making adjustments for some "serious problems."
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.