I have a fitness tracker that uses Bluetooth LE, and my iPhone 6+. Unfortunately the app doesn't disclose the raw data coming out of the tracker and there is no way to export it, while this data is very interesting to me. I purchased a Bluetooth LE sniffer from Adafruit and used Wireshark to capture packets. While I can open it and analyze the headers with no problem, the actual data is somewhat beyond me.
I've looked at posts on the network looking at the packets/frames, but what's the best way to get started analyzing the data? Dumping it into a giant hex editor didn't help (obviously).
Googling the various Info terms was confusing and turned up zero results on the SE network.
Here's a sample of the Wireshark window of packets I assume are data being written while the fitness tracker is tracking movement:
And more from the packet, randomly chosen:
Your help in finding some better resources and where to get started on analyzing these packets and their data is appreciated!
Best How To :
The best way to get started analyzing the data is finding out where the actual data starts and where it ends.
Disclaimer: I have zero experience with Bluetooth but let's give it a try.
You have two types of captured packets:
Empty PDU (some form of signaling?) and
ATT.
Searching for data in empty PDUs seems unproductive, so let's look at the Low Energy Attribute Protocol (ATT):
"It allows a client to read and/or write certain attributes exposed by the server in a non-complex, low-power friendly manner."
That sounds a lot like data.
A quick Google search for "L2CAP packet format" reveals multiple formats that start with a 4-byte header: 2 bytes message length + 2 bytes CID (little-endian). In the giant hex editor we find the respective 4 bytes immediately after the 06 1b data header. They are 17 00 04 00, which translates to length
Looking up CID 0x0004 reveals it's indeed the reserved value for ATT.
Time to search for the ATT packet format: it seems to start with a 1-byte command code. This is 1d, which means HANDLE_VALUE_INDICATION. The handle is a short (2 bytes) equal to 0x001b, just like in the first image.
So, the 20 bytes after the handle are the value. What it represents is anyone's guess:
05 e5 00 83 ff 4a 00 77 77 77 fc 6d fc 37 fc 18 fe 1f 03 43
Digging up some more reveals that Wireshark should be able to analyze ATT directly (try Decode As?) and that there are tutorials on learn.adafruit.com for the BLE Sniffer and even an article by a guy who attempts to reverse-engineer a color changing bulb by analyzing ATT packets.
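The header walk described in the answer above (LL data header, then the 4-byte L2CAP header, then the ATT opcode and handle), written out as a small parser. This is an added example, not code from the question or the answer; the sample capture is constructed from the bytes quoted in the answer (an Empty PDU followed by the 06 1b ... indication frame), and the constant names, the AttValueEvent class and the value_as_int16_le helper are this example's own. The int16 decoding is only one candidate interpretation of the 20-byte value, since the answer itself says the meaning is anyone's guess.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Reserved L2CAP channel id for the Attribute Protocol (Bluetooth core spec).
ATT_CID = 0x0004
# ATT opcodes for server-initiated value pushes.
ATT_HANDLE_VALUE_NOTIFICATION = 0x1B
ATT_HANDLE_VALUE_INDICATION = 0x1D
ATT_OPCODE_NAMES = {
    ATT_HANDLE_VALUE_NOTIFICATION: "HANDLE_VALUE_NOTIFICATION",
    ATT_HANDLE_VALUE_INDICATION: "HANDLE_VALUE_INDICATION",
}
# LLID values carried in the low two bits of the first link-layer header byte.
LLID_CONTINUATION_OR_EMPTY = 0x01
LLID_L2CAP_START = 0x02
LLID_CONTROL = 0x03


@dataclass
class AttValueEvent:
    """Fields recovered from one ATT notification/indication (example-only type)."""
    l2cap_length: int
    cid: int
    opcode: int
    opcode_name: str
    handle: int
    value: bytes


def parse_data_pdu(frame: bytes) -> Optional[AttValueEvent]:
    """Walk one BLE data PDU: LL header -> L2CAP header -> ATT PDU.

    Returns None for Empty PDUs (nothing to analyse) and raises ValueError
    for anything this deliberately minimal parser does not understand.
    """
    if len(frame) < 2:
        raise ValueError("truncated link-layer header")
    llid = frame[0] & 0x03          # e.g. 0x06 & 0x03 == 2: start of / whole L2CAP message
    ll_length = frame[1]            # e.g. 0x1b == 27 bytes of payload
    payload = frame[2:2 + ll_length]
    if len(payload) != ll_length:
        raise ValueError("frame shorter than declared LL length")
    if llid == LLID_CONTINUATION_OR_EMPTY and ll_length == 0:
        return None                 # Empty PDU: link keep-alive, no data
    if llid != LLID_L2CAP_START:
        raise ValueError("fragmented or control PDU; only whole L2CAP messages handled here")
    if ll_length < 4:
        raise ValueError("payload too short for an L2CAP header")
    # L2CAP header: 2-byte length + 2-byte CID, both little-endian (17 00 04 00).
    l2cap_length, cid = struct.unpack_from("<HH", payload, 0)
    body = payload[4:4 + l2cap_length]
    if len(body) != l2cap_length:
        raise ValueError("L2CAP length does not match payload")
    if cid != ATT_CID:
        raise ValueError(f"not ATT: CID 0x{cid:04x}")
    # ATT PDU: 1-byte opcode (1d), 2-byte little-endian handle (1b 00), then the value.
    opcode = body[0]
    if opcode not in ATT_OPCODE_NAMES:
        raise ValueError(f"ATT opcode 0x{opcode:02x} not handled by this example")
    (handle,) = struct.unpack_from("<H", body, 1)
    return AttValueEvent(l2cap_length, cid, opcode, ATT_OPCODE_NAMES[opcode],
                         handle, bytes(body[3:]))


def value_as_int16_le(value: bytes) -> list:
    """One candidate decoding an analyst might try: signed little-endian 16-bit words."""
    if len(value) % 2:
        raise ValueError("odd-length value cannot be split into 16-bit words")
    return list(struct.unpack("<" + "h" * (len(value) // 2), value))


# Constructed sample capture: an Empty PDU, then the indication quoted in the answer.
SAMPLE_FRAMES = [
    bytes.fromhex("0100"),  # LLID 1, length 0: Empty PDU
    bytes.fromhex("061b" "17000400" "1d1b00"
                  "05e50083ff4a00777777fc6dfc37fc18fe1f0343"),
]

if __name__ == "__main__":
    for i, frame in enumerate(SAMPLE_FRAMES):
        event = parse_data_pdu(frame)
        if event is None:
            print(f"frame {i}: Empty PDU")
            continue
        print(f"frame {i}: {event.opcode_name} handle=0x{event.handle:04x} "
              f"len={len(event.value)} value={event.value.hex(' ')}")
        print("  as int16 LE:", value_as_int16_le(event.value))
```

Running it on the sample prints the indication with handle 0x001b and a 20-byte value; the length checks are what make the walk trustworthy, because the LL length (27) must equal 4 + the L2CAP length (23), and the L2CAP length must equal 1 + 2 + 20 for the ATT opcode, handle and value. When those sums do not line up, the "data" you are looking at is not where you think it is.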