Reverse engineering a BLE clock
Perfect Time
What do you do when all your Bluetooth clocks show slightly different times? With some reverse engineering, you can write a Python program to synchronize your clocks.
A while ago, I bought a ThermoPro TP358, a Bluetooth Low Energy (BLE) digital thermometer with a display. The ThermoPro shows the temperature, humidity, and air comfort indicator, as well as the time and day of the week. Its big display is nice for immediate feedback, but the device also lets you read its values and view graphs in the ThermoPro Sensor app, available on Android and iOS (Figure 1). Moreover, every time you connect to the device with the app, it synchronizes the time.
While that is a nice feature, I have a couple of other types of Bluetooth sensors with a clock, and I didn't want to use multiple apps to view the sensor measurements and synchronize the clocks. For the sensor measurements, a solution already exists: Software such as Home Assistant [1] supported my devices out-of-the-box, letting me view their measurements in Home Assistant's dashboard. However, I couldn't find any solution that let me synchronize the time across all of my Bluetooth clocks without using the individual apps.
From past experience reverse engineering other Bluetooth devices, I knew that it should be possible to intercept the synchronization commands between my Android phone and the clock. My plan was to figure out the meaning of the commands and then reimplement the same time synchronization command in a Python script that I could run once a day on a Raspberry Pi. This article describes how I did this for the ThermoPro TP358, but you can use the same procedure with any other BLE device.
Investigating BLE Traffic Logs
There are various ways to intercept BLE traffic. If you're investigating BLE packets sent and received by an Android app, an easy way is to let your phone log its Bluetooth packets while using the app, then transfer the logs to your computer, and open the logs with Wireshark [2] to go through the recorded Bluetooth traffic.
Wireshark is a powerful open source network protocol analyzer. Network administrators use it to analyze network problems, and it also comes in handy to troubleshoot a WiFi or Ethernet network at home. Wireshark can also capture other protocols, including Bluetooth, live or from logs.
To transfer the Bluetooth logs from your phone to your computer, you need the Android Debug Bridge (adb). Most distributions have both Wireshark and adb in their official repositories, so you can install them with your distribution's package manager. If not, you can find Wireshark on its website and adb as part of the Android SDK Platform Tools [3] package.
Preparing Your Phone
First you need to enable USB debugging on your Android phone. This can differ on some models, but generally you need to go to Settings, tap About phone, then Software information, and finally tap Build number seven times. Then enter your PIN to unlock the Developer options menu, which will appear in your Settings menu.
Now, reopen the Settings menu, go to the new Developer options menu, and switch on USB debugging (Figure 2). Then tap on Enable Bluetooth HCI snoop log. After this, disable and re-enable Bluetooth to start logging Bluetooth traffic.
Synchronizing Time
Now open the app and let it connect to your BLE device. After clicking on Add Device, the app finds all ThermoPro clocks in the vicinity. Tap the plus sign next to one of the clocks. The app then connects to the device, downloads sensor measurements, and synchronizes the time. Then close the app, and write down the current date and time. In my case, this was Sunday, March 5, 2023 at 11:01.
Because the app has communicated with the device, there should be some Bluetooth packets logged. Connect your phone to your computer via USB. Your phone will ask to allow the computer access. Confirm this, and then run the following command on your computer:
adb devices
This should show your phone as an attached device. If you haven't confirmed access yet on your phone, the device will be listed as "unauthorized."
Thanks to adb, you can generate a bug report file, which is a ZIP file including the btsnoop_hci.log file you need in FS/data/log/bt. Generate this bug report file and transfer it to your computer with:
adb bugreport
This can take a while, but the resulting file will have a name like dumpstate-2023-03-05-11-07-00.zip, from which you will extract FS/data/log/bt/btsnoop_hci.log.
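The extraction step above can also be scripted. The following Python example is added here and is not code from the article: it reads btsnoop_hci.log straight out of the bug report ZIP and keeps only the ACL data packets the phone sent close to the time you wrote down. It assumes the btsnoop version 1 layout with H4 framing and UTC timestamps; the function names, the two-minute window, and the sample packet bytes are constructed for illustration.

```python
import io
import struct
import zipfile
from datetime import datetime, timedelta, timezone

LOG_PATH = "FS/data/log/bt/btsnoop_hci.log"  # location inside the bug report ZIP
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_DELTA_US = 0x00DCDDB30F2F8000  # btsnoop timestamp of the Unix epoch
NOTED = datetime(2023, 3, 5, 11, 1, tzinfo=timezone.utc)  # noted time, assumed UTC

def read_btsnoop(bugreport):
    """Yield (utc_time, sent_by_phone, h4_type, payload) per logged packet."""
    with zipfile.ZipFile(bugreport) as zf:
        data = zf.read(LOG_PATH)
    magic, version, datalink = struct.unpack(">8sII", data[:16])
    if magic != b"btsnoop\x00" or version != 1 or datalink != 1002:
        raise ValueError("not a version 1 btsnoop log with HCI UART (H4) framing")
    pos = 16
    while pos + 24 <= len(data):
        orig_len, incl_len, flags, drops, ts = struct.unpack(">IIIIq", data[pos:pos + 24])
        packet = data[pos + 24:pos + 24 + incl_len]
        if incl_len == 0 or len(packet) < incl_len:
            break  # empty or truncated final record
        pos += 24 + incl_len
        when = UNIX_EPOCH + timedelta(microseconds=ts - EPOCH_DELTA_US)
        # Flag bit 0 clear means host to controller, i.e. sent by the phone
        yield when, (flags & 1) == 0, packet[0], packet[1:]

def sent_acl_near(bugreport, noted, window=timedelta(minutes=2)):
    """ACL data packets (H4 type 0x02) the phone sent close to the noted time."""
    return [(t, p) for t, sent, h4, p in read_btsnoop(bugreport)
            if sent and h4 == 0x02 and abs(t - noted) <= window]

def sample_bugreport():
    """Constructed sample, not a real capture: in-memory ZIP with three records."""
    def rec(when, flags, packet):
        ts = (when - UNIX_EPOCH) // timedelta(microseconds=1) + EPOCH_DELTA_US
        return struct.pack(">IIIIq", len(packet), len(packet), flags, 0, ts) + packet
    log = struct.pack(">8sII", b"btsnoop\x00", 1, 1002)
    log += rec(NOTED - timedelta(hours=1), 0, b"\x02\xde\xad")    # sent, too early
    log += rec(NOTED + timedelta(seconds=5), 0, b"\x02\xbe\xef")  # sent, in window
    log += rec(NOTED + timedelta(seconds=6), 1, b"\x02\xca\xfe")  # received
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LOG_PATH, log)
    return buf

if __name__ == "__main__":
    for t, payload in sent_acl_near(sample_bugreport(), NOTED):
        print(t.isoformat(), payload.hex())
```

With a real capture, pass the path of the dumpstate ZIP instead of `sample_bugreport()` and convert the time you noted to UTC first.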