Reverse engineering a BLE clock

Perfect Time

© Photo by ANIRUDH on Unsplash

© Photo by ANIRUDH on Unsplash

Article from Issue 272/2023

What do you do when all your Bluetooth clocks show slightly different times? With some reverse engineering, you can write a Python program to synchronize your clocks.

A while ago, I bought a ThermoPro TP358, a Bluetooth Low Energy (BLE) digital thermometer with a display. The ThermoPro shows the temperature, humidity, and air comfort indicator, as well as the time and day of the week. Its big display is nice for immediate feedback, but the device also lets you read its values and view graphs in the ThermoPro Sensor app, available on Android and iOS (Figure 1). Moreover, every time you connect to the device with the app, it synchronizes the time.

Figure 1: The ThermoPro Sensor app synchronizes the time of the digital thermometer upon connection.

While that is a nice feature, I have a couple of other types of Bluetooth sensors with a clock, and I didn't want to use multiple apps to view the sensor measurements and synchronize the clocks. For the sensor measurements, a solution already exists: Software such as Home Assistant [1] supported my devices out-of-the-box, letting me view their measurements in Home Assistant's dashboard. However, I couldn't find any solution that let me synchronize the time across all of my Bluetooth clocks without using the individual apps.

From past experience reverse engineering other Bluetooth devices, I knew that it should be possible to intercept the synchronization commands between my Android phone and the clock. My plan was to figure out the meaning of the commands and then reimplement the same time synchronization command in a Python script that I could run once a day on a Raspberry Pi. This article describes how I did this for the ThermoPro TP358, but you can use the same procedure with any other BLE device.

Investigating BLE Traffic Logs

There are various ways to intercept BLE traffic. If you're investigating BLE packets sent and received by an Android app, an easy way is to let your phone log its Bluetooth packets while using the app, then transfer the logs to your computer, and open the logs with Wireshark [2] to go through the recorded Bluetooth traffic.

Wireshark is a powerful open source network protocol analyzer. Network administrators use it to analyze network problems, and it also comes in handy to troubleshoot a WiFi or Ethernet network at home. Wireshark can also capture other protocols, including Bluetooth, live or from logs.

To transfer the Bluetooth logs from your phone to your computer, you need the Android Debug Bridge (adb). Most distributions have both Wireshark and adb in their official repositories, so you can install them with your distribution's package manager. If not, you can find Wireshark on its website and adb as part of the Android SDK Platform Tools [3] package.

Preparing Your Phone

First you need to enable USB debugging on your Android phone. This can differ on some models, but generally you need to go to Settings, tap About phone, then Software information, and finally tap Build number seven times. Then enter your PIN to unlock the Developer options menu, which will appear in your Settings menu.

Now, reopen the Settings menu, go to the new Developer options menu, and switch on USB debugging (Figure 2). Then tap on Enable Bluetooth HCI snoop log. After this, disable and re-enable Bluetooth to start logging Bluetooth traffic.

Figure 2: Enable USB debugging and the Bluetooth HCI snoop log in your phone's developer options.

Synchronizing Time

Now open the app and let it connect to your BLE device. After clicking on Add Device, the app finds all ThermoPro clocks in the vicinity. Tap the plus sign next to one of the clocks. The app then connects to the device, downloads sensor measurements, and synchronizes the time. Then close the app, and write down the current date and time. In my case, this was Sunday, March 5, 2023 at 11:01.

Because the app has communicated with the device, there should be some Bluetooth packets logged. Connect your phone to your computer via USB. Your phone will ask to allow the computer access. Confirm this, and then run the following command on your computer:

adb devices

This should show your phone as an attached device. If you haven't confirmed access yet on your phone, the device will be listed as "unauthorized."

Thanks to adb, you can generate a bug report file, which is a ZIP file including the btsnoop_hci.log file you need in FS/data/log/bt. Generate this bug report file and transfer it to your computer with:

adb bugreport

This can take a while, but the resulting file will have a name like, from which you will extract FS/data/log/bt/btsnoop_hci.log.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Bluetooth Wireless Network

    You can even use Bluetooth as an alternative form of wireless networking. We’ll show you how.

  • Bluetooth Security

    Is your address book open to the world? Is your mobile phone calling Russia? Many users don’t know how easy it is for an attacker to target Bluetooth.

  • Bluetooth Mobile Phones

    It is becoming increasingly common for new generation mobile phones to have an integrated Bluetooth interface. This article explores how to access your Bluetooth phone using Linux.

  • GPRS in Linux

    Permanent mobile Internet access might sound like a nightmare for some, but for others it is a dream come true. All you need is Linux and a fairly recent mobile phone.

  • Bluetooth with GPRS

    If your mobile phone contract includes GPRS mobile Internet service,
    you can use a Bluetooth phone as a wireless modem for your Linux
    portable computer.

comments powered by Disqus