Thursday, June 5, 2014

Analyzing Bluetooth Advertising with Ubertooth

Bluetooth Active Scanning Example

In my last post, Understanding Bluetooth Advertising Packets, I reviewed and consolidated some key elements of the advertising packet format and data structure from the Bluetooth Core 4.1 Specification. In this post, I'll review some captured packets and relate the specific fields to the spec.

The following packet sequence is between a Fitbit Flex (advertiser) and BlueScan (scanner), on channel 37, captured with an Ubertooth Bluetooth packet sniffer using this command:


 ubertooth-btle -f  

The three packets below show a complete active scan cycle. The advertiser (Fitbit) sends out an ADV_IND advertisement, the BlueScan Android app responds with a SCAN_REQ packet requesting additional data, and the Fitbit answers with a SCAN_RSP.

Fitbit advertisement (ADV_IND):

Below is the first packet captured with Ubertooth:


 systime=1401827476 freq=2402 addr=8e89bed6 delta_t=673.874 ms   
  40 21 eb 12 e6 2d bb f5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e ca 36 ab ad 05 16 0a 18 07 04 69 6e 34    
  Advertising / AA 8e89bed6 / 33 bytes   
   Channel Index: 37   
   Type: ADV_IND   
   AdvA: f5:bb:2d:e6:12:eb (random)   
   AdvData: 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e ca 36 ab ad 05 16 0a 18 07 04   
    Type 01 (Flags)   
     00000110   
    Type 06 (128-bit Service UUIDs, more available)   
     adab36ca-6e7d-4601-bda2-bffaa68956ba   
    Type 16 (Service Data)   
     UUID: 180a, Additional: 07 04   
   Data: eb 12 e6 2d bb f5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e ca 36 ab ad 05 16 0a 18 07 04   
   CRC: 69 6e 34   

Some items of note:

  1. The Access Address (AA) is 0x8e89bed6, the fixed value used by every advertising-channel packet; for non-advertising packets the AA is instead a random number that identifies and manages the Link Layer connection.
  2. It's on channel 37, which is one of three dedicated advertising channels (37, 38 & 39) of the 40 channels in the Bluetooth spectrum.
  3. The packet's PDU type is ADV_IND, which indicates a connectable undirected advertising event with the following properties:
    • connectable: a scanner can initiate a connection upon seeing this event.
    • scannable: a scanner can issue a scan request upon seeing one of these.
    • undirected: this is a broadcast; no destination Bluetooth address is specified.
    • payload: can carry user data in the payload, whereas a directed packet cannot.
  4. AdvA is f5:bb:2d:e6:12:eb, which is the device address of the advertiser. This is a random address, based on...
  5. The Type '01' is a flag in the TxAddr field indicating that the AdvA address is random.
  6. Type '06' is a GAP profile type indicating 'Incomplete List of 128-bit Service Class UUIDs', with one UUID provided: adab36ca-6e7d-4601-bda2-bffaa68956ba.
  7. Type '16' is also a GAP service type, 'Service Data'. Additional information on this type is defined in the Core Specification Supplement, Part A, section 1.11. For this packet the value is 0x180a, which is the UUID for Device Information.

BlueScan response (SCAN_REQ):

In response to the previous packet, BlueScan responded with this message.

 systime=1401827476 freq=2402 addr=8e89bed6 delta_t=0.336 ms  
 83 0c 55 87 45 0b 22 ac eb 12 e6 2d bb f5 cc 1c fd   
 Advertising / AA 8e89bed6 / 12 bytes  
   Channel Index: 37  
   Type: SCAN_REQ  
   ScanA: ac:22:0b:45:87:55 (public)  
   AdvA: f5:bb:2d:e6:12:eb (random)  
   Data: 55 87 45 0b 22 ac eb 12 e6 2d bb f5  
   CRC:  cc 1c fd  

Some items to note:

  1. This packet again uses the advertising channel (37) and Access Address (0x8e89bed6).
  2. Scan type is SCAN_REQ.
  3. ScanA is the BT_ADDR (Bluetooth Address) of the scanner (BlueScan Android app) and AdvA is the same random address of the advertiser.

Fitbit response (SCAN_RSP):

Finally, the Fitbit responds with this:

 systime=1401827476 freq=2402 addr=8e89bed6 delta_t=0.326 ms  
 44 0f eb 12 e6 2d bb f5 05 09 46 6c 65 78 02 0a fa b6 c4 52   
 Advertising / AA 8e89bed6 / 15 bytes  
   Channel Index: 37  
   Type: SCAN_RSP  
   AdvA: f5:bb:2d:e6:12:eb (random)  
   ScanRspData: 05 09 46 6c 65 78 02 0a fa  
     Type 09 (Complete Local Name)  
       Flex  
     Type 0a (Tx Power Level)  
       -6 dBm  
   Data: eb 12 e6 2d bb f5 05 09 46 6c 65 78 02 0a fa  
   CRC:  b6 c4 52  


Note:

  • Type '09' and '0a' flags are assigned numbers designated by the Bluetooth SIG Generic Access Profile, indicating what the Ubertooth output shows: 'Complete Local Name' and 'Tx Power Level' respectively.
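As an added example (not code from the original post or from the Ubertooth project), here is a small Python parser that walks the three captures above by the field layout the text describes: the 2-byte header (PDU type in the low nibble, TxAdd and RxAdd in bits 6 and 7), the 6-bit length, the little-endian device addresses, the length/type/value AD structures, and the trailing 3-byte CRC. The packet constants are the raw bytes from the captures; the PDU-type and AD-type tables only cover the values seen on this page, and the AD walker refuses a length byte that runs past the buffer rather than trusting it.

```python
# Raw bytes copied from the three Ubertooth captures in the post.
ADV_IND = ("40 21 eb 12 e6 2d bb f5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 "
           "46 7d 6e ca 36 ab ad 05 16 0a 18 07 04 69 6e 34")
SCAN_REQ = "83 0c 55 87 45 0b 22 ac eb 12 e6 2d bb f5 cc 1c fd"
SCAN_RSP = "44 0f eb 12 e6 2d bb f5 05 09 46 6c 65 78 02 0a fa b6 c4 52"
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
             3: "SCAN_REQ", 4: "SCAN_RSP", 5: "CONNECT_REQ", 6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x06: "128-bit Service UUIDs, more available",
            0x09: "Complete Local Name", 0x0a: "Tx Power Level", 0x16: "Service Data"}

def fmt_addr(raw):
    # Sent least-significant byte first: "eb 12 e6 2d bb f5" is f5:bb:2d:e6:12:eb.
    return ":".join("%02x" % b for b in raw[::-1])

def parse_ad(data):
    # Walk the length/type/value AD structures in AdvData or ScanRspData.
    out, i = [], 0
    while i < len(data) and data[i] != 0:       # a zero length byte is padding
        length = data[i]
        if i + 1 + length > len(data):          # length overruns the buffer
            raise ValueError("malformed AD structure at offset %d" % i)
        ad_type, value = data[i + 1], data[i + 2:i + 1 + length]
        decoded = value.hex()                   # default for types not decoded
        if ad_type == 0x01:                     # Flags: show the bit pattern
            decoded = format(value[0], "08b")
        elif ad_type == 0x06:                   # 128-bit UUID, little-endian
            h = value[::-1].hex()
            decoded = "-".join((h[:8], h[8:12], h[12:16], h[16:20], h[20:]))
        elif ad_type == 0x09:                   # Complete Local Name
            decoded = value.decode("utf-8", "replace")
        elif ad_type == 0x0a:                   # Tx Power Level, signed dBm
            decoded = int.from_bytes(value[:1], "little", signed=True)
        elif ad_type == 0x16:                   # Service Data: 16-bit UUID + rest
            decoded = ("%04x" % int.from_bytes(value[:2], "little"), value[2:].hex())
        out.append((AD_TYPES.get(ad_type, "0x%02x" % ad_type), decoded))
        i += 1 + length
    return out

def parse_pdu(hexstr):
    # Decode header, payload and CRC of one advertising-channel PDU.
    b = bytes.fromhex(hexstr)
    hdr, length = b[0], b[1] & 0x3f             # Core 4.1: 6-bit length field
    pdu = {"type": PDU_TYPES.get(hdr & 0x0f, "reserved"),
           "tx_random": bool(hdr & 0x40), "rx_random": bool(hdr & 0x80),
           "length": length, "crc": b[2 + length:5 + length].hex()}
    payload = b[2:2 + length]
    if pdu["type"] == "SCAN_REQ":               # ScanA then AdvA, no AD data
        pdu["ScanA"], pdu["AdvA"] = fmt_addr(payload[:6]), fmt_addr(payload[6:12])
    else:                                       # AdvA then AdvData/ScanRspData
        pdu["AdvA"], pdu["ad"] = fmt_addr(payload[:6]), parse_ad(payload[6:])
    return pdu
```

Running `parse_pdu` over the three constants reproduces the Ubertooth decode above, including the random-address bit that header byte 0x40 carries.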

Analyzing Gimbal Advertisements

Next, I'll have a look at Gimbal's iBeacon advertisements. These use random addresses as a privacy mechanism, so they are worth examining.

3 comments:

  1. So AdvA: f5:bb:2d:e6:12:eb (random) is not the MAC address?

    If not, where is the MAC address?

  3. I'm new to Android dev. In the Fitbit advertisement, 40 21 would be the header, right?
    40 21 => 21 40 (everything seems to be backward) = 0010 0001 0100 0000

    and 0010 is ADV_NONCONN_IND????
    Am I missing anything??? Can you shed some light on this please?