Reverse engineering a BLE clock
Perfect Time
What do you do when all your Bluetooth clocks show slightly different times? With some reverse engineering, you can write a Python program to synchronize your clocks.
A while ago, I bought a ThermoPro TP358, a Bluetooth Low Energy (BLE) digital thermometer with a display. The ThermoPro shows the temperature, humidity, and air comfort indicator, as well as the time and day of the week. Its big display is nice for immediate feedback, but the device also lets you read its values and view graphs in the ThermoPro Sensor app, available on Android and iOS (Figure 1). Moreover, every time you connect to the device with the app, it synchronizes the time.
While that is a nice feature, I have a couple of other types of Bluetooth sensors with a clock, and I didn't want to use multiple apps to view the sensor measurements and synchronize the clocks. For the sensor measurements, a solution already exists: Software such as Home Assistant [1] supported my devices out-of-the-box, letting me view their measurements in Home Assistant's dashboard. However, I couldn't find any solution that let me synchronize the time across all of my Bluetooth clocks without using the individual apps.
From past experience reverse engineering other Bluetooth devices, I knew that it should be possible to intercept the synchronization commands between my Android phone and the clock. My plan was to figure out the meaning of the commands and then reimplement the same time synchronization command in a Python script that I could run once a day on a Raspberry Pi. This article describes how I did this for the ThermoPro TP358, but you can use the same procedure with any other BLE device.
Investigating BLE Traffic Logs
There are various ways to intercept BLE traffic. If you're investigating BLE packets sent and received by an Android app, an easy way is to let your phone log its Bluetooth packets while using the app, then transfer the logs to your computer, and open the logs with Wireshark [2] to go through the recorded Bluetooth traffic.
Wireshark is a powerful open source network protocol analyzer. Network administrators use it to analyze network problems, and it also comes in handy to troubleshoot a WiFi or Ethernet network at home. Wireshark can also capture other protocols, including Bluetooth, live or from logs.
To transfer the Bluetooth logs from your phone to your computer, you need the Android Debug Bridge (adb). Most distributions have both Wireshark and adb in their official repositories, so you can install them with your distribution's package manager. If not, you can find Wireshark on its website and adb as part of the Android SDK Platform Tools [3] package.
Preparing Your Phone
First you need to enable USB debugging on your Android phone. This can differ on some models, but generally you need to go to Settings, tap About phone, then Software information, and finally tap Build number seven times. Then enter your PIN to unlock the Developer options menu, which will appear in your Settings menu.
Now, reopen the Settings menu, go to the new Developer options menu, and switch on USB debugging (Figure 2). Then tap on Enable Bluetooth HCI snoop log. After this, disable and re-enable Bluetooth to start logging Bluetooth traffic.
Synchronizing Time
Now open the app and let it connect to your BLE device. After clicking on Add Device, the app finds all ThermoPro clocks in the vicinity. Tap the plus sign next to one of the clocks. The app then connects to the device, downloads sensor measurements, and synchronizes the time. Then close the app, and write down the current date and time. In my case, this was Sunday, March 5, 2023 at 11:01.
Because the app has communicated with the device, there should be some Bluetooth packets logged. Connect your phone to your computer via USB. Your phone will ask to allow the computer access. Confirm this, and then run the following command on your computer:
adb devices
This should show your phone as an attached device. If you haven't confirmed access yet on your phone, the device will be listed as "unauthorized."
Thanks to adb, you can generate a bug report file, which is a ZIP file including the btsnoop_hci.log
file you need in FS/data/log/bt
. Generate this bug report file and transfer it to your computer with:
adb bugreport
This can take a while, but the resulting file will have a name like dumpstate-2023-03-05-11-07-00.zip
, from which you will extract FS/data/log/bt/btsnoop_hci.log
.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Fedora 41 Released with New Features
If you're a Fedora fan or just looking for a Linux distribution to help you migrate from Windows, Fedora 41 might be just the ticket.
-
AlmaLinux OS Kitten 10 Gives Power Users a Sneak Preview
If you're looking to kick the tires of AlmaLinux's upstream version, the developers have a purrfect solution.
-
Gnome 47.1 Released with a Few Fixes
The latest release of the Gnome desktop is all about fixing a few nagging issues and not about bringing new features into the mix.
-
System76 Unveils an Ampere-Powered Thelio Desktop
If you're looking for a new desktop system for developing autonomous driving and software-defined vehicle solutions. System76 has you covered.
-
VirtualBox 7.1.4 Includes Initial Support for Linux kernel 6.12
The latest version of VirtualBox has arrived and it not only adds initial support for kernel 6.12 but another feature that will make using the virtual machine tool much easier.
-
New Slimbook EVO with Raw AMD Ryzen Power
If you're looking for serious power in a 14" ultrabook that is powered by Linux, Slimbook has just the thing for you.
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.