
Thursday, June 5, 2014

Bluetooth LE Captures from an item tracker

Item Tracker Bluetooth Device Captures

The captures below show another advertising strategy. The first is an advertising sequence between an item tracker from Phone Halo and the Bluescan app running on an Android device with a BD_ADDR of AC:22:0B:45:87:55. The second capture is between another tracking device (I got a second one of their devices via their Indiegogo campaign) and their proprietary app.

Device 1

This is the tracker's advertisement, followed by the scan request from the BlueScan app and the scan response:

 systime=1402000803 freq=2402 addr=8e89bed6 delta_t=1287.768 ms  
 40 23 ac 91 89 1c f3 c7 04 09 74 6b 72 03 19 40 02 02 01 06 02 0a 04 03 03 3e 0f 09 ff 00 00 ac 91 89 1c f3 c7 40 22 c7   
 Advertising / AA 8e89bed6 / 35 bytes  
   Channel Index: 37  
   Type: ADV_IND  
   AdvA: c7:f3:1c:89:91:ac (random)  
   AdvData: 04 09 74 6b 72 03 19 40 02 02 01 06 02 0a 04 03 03 3e 0f 09 ff 00 00 ac 91 89 1c f3 c7  
     Type 09 (Complete Local Name)  
     Type 19  
       40 02  
     Type 01 (Flags)  
     Type 0a (Tx Power Level)  
       4 dBm  
     Type 03  
       3e 0f  
     Type ff  
       00 00 ac 91 89 1c f3 c7  
   Data: ac 91 89 1c f3 c7 04 09 74 6b 72 03 19 40 02 02 01 06 02 0a 04 03 03 3e 0f 09 ff 00 00 ac 91 89 1c f3 c7  
   CRC:  40 22 c7  

Scan Request

 systime=1402000803 freq=2402 addr=8e89bed6 delta_t=0.352 ms  
 83 0c 55 87 45 0b 22 ac ac 91 89 1c f3 c7 a7 21 48   
 Advertising / AA 8e89bed6 / 12 bytes  
   Channel Index: 37  
   Type: SCAN_REQ  
   ScanA: ac:22:0b:45:87:55 (public)  
   AdvA: c7:f3:1c:89:91:ac (random)  
   Data: 55 87 45 0b 22 ac ac 91 89 1c f3 c7  
   CRC:  a7 21 48  

Scan Response

 systime=1402000803 freq=2402 addr=8e89bed6 delta_t=0.263 ms  
 44 06 ac 91 89 1c f3 c7 1a 59 6e   
 Advertising / AA 8e89bed6 / 6 bytes  
   Channel Index: 37  
   Type: SCAN_RSP  
   AdvA: c7:f3:1c:89:91:ac (random)  
   Data: ac 91 89 1c f3 c7  
   CRC:  1a 59 6e  

Device 2

This capture is from another one of their devices, taken between the device and their proprietary Android app. In this case, there is an advertisement followed by a connection request.


 systime=1402002717 freq=2402 addr=8e89bed6 delta_t=27.500 ms  
 40 15 ca b3 9b 87 c2 c7 02 01 05 07 09 69 6e 53 69 74 65 03 19 ff ff d8 85 00   
 Advertising / AA 8e89bed6 / 21 bytes  
   Channel Index: 37  
   Type: ADV_IND  
   AdvA: c7:c2:87:9b:b3:ca (random)  
   AdvData: 02 01 05 07 09 69 6e 53 69 74 65 03 19 ff ff  
     Type 01 (Flags)  
     Type 09 (Complete Local Name)  
     Type 19  
       ff ff  
   Data: ca b3 9b 87 c2 c7 02 01 05 07 09 69 6e 53 69 74 65 03 19 ff ff  
   CRC:  d8 85 00  

Connect Request

 systime=1402002717 freq=2402 addr=8e89bed6 delta_t=0.495 ms  
 85 22 55 87 45 0b 22 ac ca b3 9b 87 c2 c7 76 f6 7c c7 a4 66 90 02 12 00 27 00 00 00 d0 07 ff ff 7f 00 1c a5 23 dd c1   
 Advertising / AA 8e89bed6 / 34 bytes  
   Channel Index: 37  
   Type: CONNECT_REQ  
   InitA: ac:22:0b:45:87:55 (public)  
   AdvA: c7:c2:87:9b:b3:ca (random)  
   AA:  c77cf676  
   CRCInit: 0066a4  
   WinSize: 02 (2)  
   WinOffset: 0012 (18)  
   Interval: 0027 (39)  
   Latency: 0000 (0)  
   Timeout: 07d0 (2000)  
   ChM: ff ff 7f 00 1c  
   Hop: 5  
   SCA: 5, 31 ppm to 50 ppm  
   Data: 55 87 45 0b 22 ac ca b3 9b 87 c2 c7 76 f6 7c c7 a4 66 90 02 12 00 27 00 00 00 d0 07 ff ff 7f 00 1c a5  
   CRC:  23 dd c1  
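
The AdvData fields that the capture tool leaves undecoded (types 19, 03 and ff) can be read directly from the raw bytes. The Python below is an added example, not part of the original post or of the capture tool: it parses the two ADV_IND packets above and reports whether the advertiser address is a static random address and whether the manufacturer data repeats it, two properties that let a passive listener recognise the same tracker over time. Function and key names are this example's own.

```python
import struct

# Raw packets copied from the captures on this page: 2-byte header, payload, 3-byte CRC.
DEVICE1_ADV = ("40 23 ac 91 89 1c f3 c7 04 09 74 6b 72 03 19 40 02 02 01 06 02 0a 04 "
               "03 03 3e 0f 09 ff 00 00 ac 91 89 1c f3 c7 40 22 c7")
DEVICE2_ADV = ("40 15 ca b3 9b 87 c2 c7 02 01 05 07 09 69 6e 53 69 74 65 03 19 ff ff "
               "d8 85 00")

def split_ad(adv_data):
    """Split AdvData into (type, value) pairs; each AD structure is length, type, value."""
    out, i = [], 0
    while i < len(adv_data):
        n = adv_data[i]
        if n == 0:                          # zero length ends the significant part
            break
        if i + 1 + n > len(adv_data):
            raise ValueError("AD structure at offset %d overruns AdvData" % i)
        out.append((adv_data[i + 1], adv_data[i + 2:i + 1 + n]))
        i += 1 + n
    return out

def parse_adv(hex_packet):
    raw = bytes.fromhex(hex_packet)
    header, length = raw[0], raw[1] & 0x3F  # length is the low 6 bits of byte 1
    payload = raw[2:2 + length]
    if len(raw) != 2 + length + 3:
        raise ValueError("length field does not match packet size")
    adv_a = payload[:6]                     # sent least significant byte first
    info = {
        "pdu_type": header & 0x0F,          # 0 = ADV_IND
        "adv_a": ":".join("%02x" % b for b in reversed(adv_a)),
        # TxAdd set (random) and top two address bits 11: static random address,
        # which stays fixed and so works as a persistent identifier.
        "static_random": bool(header & 0x40) and adv_a[5] >> 6 == 0b11,
        "addr_in_mfg_data": False,
    }
    for ad_type, value in split_ad(payload[6:]):
        if ad_type == 0x09:                 # Complete Local Name
            info["name"] = value.decode("ascii", "replace")
        elif ad_type == 0x19:               # Appearance, little-endian uint16
            info["appearance"] = struct.unpack("<H", value)[0]
        elif ad_type == 0x03:               # Complete list of 16-bit service UUIDs
            info["uuids16"] = [u for (u,) in struct.iter_unpack("<H", value)]
        elif ad_type == 0xFF:               # Manufacturer data: company ID + payload
            info["company_id"] = struct.unpack("<H", value[:2])[0]
            info["addr_in_mfg_data"] = adv_a in value[2:]
    return info

if __name__ == "__main__":
    for pkt in (DEVICE1_ADV, DEVICE2_ADV):
        print(parse_adv(pkt))
```

For Device 1 this reports the name `tkr`, appearance 0x0240, 16-bit UUID 0x0f3e, and manufacturer data that repeats the advertiser address; Device 2 advertises only flags, the name `inSite` and appearance 0xffff.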
