[HN Gopher] Bit-Banging Bluetooth Low Energy
___________________________________________________________________
Bit-Banging Bluetooth Low Energy
Author : userbinator
Score : 114 points
Date : 2024-01-09 03:43 UTC (19 hours ago)
(HTM) web link (dmitry.gr)
(TXT) w3m dump (dmitry.gr)
| SV_BubbleTime wrote:
| (2013)
|
| And also, BLE is more than Bluetooth in name only.
|
| There is the L2CAP layer and radio specs taken directly from
| Bluetooth Classic. There is also the fact that good or bad (I'll
| let you guess) it is the same Special Interest Group that
| develops it.
| fellerts wrote:
| [2013] is key. The information in this article is severely
| outdated, but the hacking is still cool I guess.
| dmitrygr wrote:
| > and radio specs taken directly from Bluetooth Classic
|
| False - modulations are entirely different. Channel hopping is
| done differently too. L2CAP is also quite cut down in many
| ways, having only the same 4 byte header in common. When I
| wrote this article (11 years ago), this was even more true than
| it is today (BLE did not even have the 2mbps mode yet)
| SV_BubbleTime wrote:
| When I wrote the radio, I meant the radio. Not the bit timing
| and phase, which is software. The PHY. It's the same 2.4GHz
| radio and same balun.
| dmitrygr wrote:
| Well, fuck, so is WiFi and three dozen other things. Means
| nothing. That's what any 2.4GHz thing would have...
|
| Also bit timing and phase are NOT software. They are very
| much hardware state machines in all implementations.
| SV_BubbleTime wrote:
| There wasn't hardware here, was there?
|
| Yes, WiFi uses the same radio, although IDK about balun.
| dmitrygr wrote:
| Even here bit timing is done by a hardware state machine.
| As is modulation.
| nomel wrote:
| > balun
|
| Why does that coil of wire matter? It's dictated by drive
| and antenna characteristics. It's an RF coupling
| efficiency thing, not really a BT/WiFi thing.
| AshamedCaptain wrote:
| BLE literally started from a Bluetooth competitor technology
| that was later given to the Bluetooth SIG and renamed to BLE.
| It is _literally_ Bluetooth in name only.
|
| Anyone who has read anything about them can tell they are
| almost like day and night.
| SV_BubbleTime wrote:
| They aren't the same people since 2009? It's not the same
| L2CAP layer? TIL.
| AshamedCaptain wrote:
| Yes, it was given to the Bluetooth SIG in 2007ish, but it
| has not really evolved to be more classic/BR-like since
| then (or it would break compatibility). And no, it's not
| the same L2CAP layer -- it again shares the name and little
| else.
| skibz wrote:
| Am I understanding what is being demonstrated here, correctly? Is
| this a type of beacon?
|
| Pretty neat!
| pbmonster wrote:
| "Beacon", as in "attracts attention to a specific location"?
| No, not necessarily.
|
| You could use this to broadcast GPS coordinates (and you can
| always try to triangulate the location of a BTLE transmitter),
| but the author is showing what he believes to be the simplest
| way for an embedded project to transmit arbitrary digital data
| over the air - to, for example, an iPhone.
| spaceywilly wrote:
| Beacon has a pretty specific meaning in the BLE world. A BLE
| beacon sends a broadcast out every now and then* that says
| "hey I exist, here's my ID". Another device can scan for
| these "advertisements" and do something when a particular kind
| of device is detected.
|
| An example use case is a museum app displaying info to a user
| when they walk up to a particular exhibit.
|
| * the interval can be set from 10ms to ~10s. The radio can be
| turned off in between advertisements, which is where the "LE"
| part comes from.
| jsmith45 wrote:
| > Is this a type of beacon?
|
| Pretty much. A similar approach of only unsolicited
| advertisement packets is used by a number of beacons. But that
| is not the only use case. A decent number of BTLE sensors out
| there also work exclusively by periodically sending out
| unsolicited advertisement frames with their data.
|
| As long as you don't need to accept any incoming data, that is
| really easy to do, and allows completely shutting off the radio
| in between, so the radio may only be active for a few
| milliseconds once every few minutes. That helps keep power
| consumption very low, especially for battery powered devices.
|
| If the primary sensor functions are low power, and support an
| interrupt signal, and you have a microprocessor with a low
| power timer interrupt (to allow waking up occasionally even if
| the sensor state has not changed), and ability to stop the
| clock to the rest while waiting, you can pretty easily get
| multiple years on a single disposable AAA or coin cell battery.
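The two comments above describe a beacon or sensor that simply broadcasts an advertisement ("hey I exist, here's my ID", or a sensor reading) with no connection. As an added example that is not code from the linked article or from any commenter, here is a small decoder for that payload. A legacy BLE advertising payload (at most 31 bytes) is a sequence of AD structures laid out as [length][AD type][data], where length counts the type byte plus the data. The AD type numbers and the 0x181A Environmental Sensing UUID are real Bluetooth assigned numbers; the sample bytes, the 0xFFFF company ID and the temperature encoding inside the service data are constructed for this example. The parser also rejects a length field that overruns the payload, which is the malformed case a scanner has to tolerate rather than read past the buffer.

```python
# Added example, not the article's or any commenter's code.
from dataclasses import dataclass
from typing import Any, Dict, List

# AD type values from the Bluetooth assigned numbers.
AD_FLAGS = 0x01                    # Flags
AD_COMPLETE_LOCAL_NAME = 0x09      # Complete Local Name
AD_SERVICE_DATA_16 = 0x16          # Service Data, 16-bit UUID
AD_MANUFACTURER_SPECIFIC = 0xFF    # Manufacturer Specific Data

UUID_ENVIRONMENTAL_SENSING = 0x181A  # Environmental Sensing service UUID


@dataclass
class AdStructure:
    ad_type: int
    data: bytes


def parse_ad_structures(payload: bytes) -> List[AdStructure]:
    """Split an advertising payload into its AD structures.

    A zero length byte ends the useful data (the rest is padding). A
    length that runs past the end of the payload is malformed; the
    scanner rejects it cleanly instead of reading out of bounds.
    """
    structures: List[AdStructure] = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError(
                f"AD structure at offset {i} declares {length} bytes "
                f"but only {len(payload) - i - 1} remain"
            )
        structures.append(AdStructure(payload[i + 1], bytes(payload[i + 2:end])))
        i = end
    return structures


def decode_advertisement(payload: bytes) -> Dict[str, Any]:
    """Pull out the fields a beacon-style advertisement commonly carries."""
    info: Dict[str, Any] = {}
    for s in parse_ad_structures(payload):
        if s.ad_type == AD_FLAGS and s.data:
            info["flags"] = {
                "le_general_discoverable": bool(s.data[0] & 0x02),
                "br_edr_not_supported": bool(s.data[0] & 0x04),
            }
        elif s.ad_type == AD_COMPLETE_LOCAL_NAME:
            info["name"] = s.data.decode("utf-8", errors="replace")
        elif s.ad_type == AD_SERVICE_DATA_16 and len(s.data) >= 2:
            uuid16 = int.from_bytes(s.data[:2], "little")  # UUID is little-endian
            info.setdefault("service_data", {})[uuid16] = s.data[2:]
        elif s.ad_type == AD_MANUFACTURER_SPECIFIC and len(s.data) >= 2:
            company_id = int.from_bytes(s.data[:2], "little")
            info["manufacturer"] = (company_id, s.data[2:])
    return info


def decode_temperature_c(info: Dict[str, Any]) -> float:
    """Constructed encoding for this example: the Environmental Sensing
    service data carries a little-endian signed 16-bit value in 0.01 C."""
    raw = info["service_data"][UUID_ENVIRONMENTAL_SENSING]
    return int.from_bytes(raw[:2], "little", signed=True) / 100


# Constructed sample advertisement (25 bytes): flags, the name "TempSens",
# a temperature of 21.50 C, and two bytes of manufacturer data under the
# placeholder company ID 0xFFFF.
SAMPLE_ADV = bytes.fromhex(
    "020106"                    # Flags: LE General Discoverable, no BR/EDR
    "090954656d7053656e73"      # Complete Local Name: "TempSens"
    "05161a186608"              # Service Data 0x181A: 0x0866 = 2150 -> 21.50 C
    "05ffffff0102"              # Manufacturer data, company 0xFFFF, payload 01 02
)

if __name__ == "__main__":
    adv = decode_advertisement(SAMPLE_ADV)
    print(adv["name"], adv["flags"], f"{decode_temperature_c(adv):.2f} C")
```

Feeding the raw advertising bytes that a passive scanner (such as the BlueZ tooling mentioned later in the thread) hands you into decode_advertisement gives the same dictionary; everything here is read from the broadcast itself, no connection or pairing involved, which is exactly why such beacons are observable by anyone in range.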
| jlarocco wrote:
| Yeah, BLE is really neat.
|
| Over the summer I bought a RaceBox Mini, thinking it was a
| fancy GPS logger, but instead of logging it broadcasts the
| current location over BLE whenever there's a device connected.
| RaceBox makes an app, but since it's standard BLE I was able to
| write a systemd service that runs on a RPi and logs to a SQLite
| database. A lot of the standard BLE interfaces have built-in
| support in Bluez, so it was pretty easy to set up.
| whartung wrote:
| In the movie Blackhat, the Bad Guy communicated "anonymously"
| with his cronies by setting up (I think) a Bluetooth hot spot in
| an open mall.
|
| They all virtually crossed paths at some specific spot, where
| there was a radio and computer hidden in a bush.
|
| The premise is these folks have never met, and assuming that the
| cronies aren't familiar with the tech and told to "go to this
| bench, do this workflow, enter in these codes". Rather they were
| told to download an app to their phone, go to this area and
| "start chatting", or maybe they connected to the bush server, and
| exchanged messages without ever having to be in the same place at
| the same time.
|
| Can a modern phone contact a BT device without being manually
| paired (assuming it has cooperating software on the phone)? A
| non-hacked phone? Could they have been using just raw BLE for
| this?
|
| What kind of range does BT and BLE have?
| jareklupinski wrote:
| https://en.wikipedia.org/wiki/Dead_drop#Modern_techniques
|
| depending on how good of a line-of-sight you have to the
| transmitter, you can receive over 50+m using a well-tuned
| antenna
|
| if the transmitter is hidden, range largely depends on what
| it's hidden inside, but even a phone at the bottom of a
| backpack can receive from a similarly hidden flipper zero
| broadcasting from another backpack at about 5-10m
| zwirbl wrote:
| At least for BLE one could use advertising packets to transmit
| the data, sensor beacons tend to do this with e.g. a
| temperature. There is also the scan-response mode, initiated by
| the device scanning for others. And you can use plain GATT
| without any authentication, but that would be fully unencrypted
| iirc.
|
| Rangewise it might be possible to reach 100m in an open field
| under very good conditions, especially when utilizing coded
| PHY, but not with default power levels I think.
|
| There is a lot more to know, one place to start is 'Intro to
| Bluetooth low energy' by Mohammed Afaneh
| seanalltogether wrote:
| > Can a modern phone contact a BT device without being manually
| paired (assuming it has cooperating software on the phone)?
|
| Yes. I manage IoT apps for Android and iOS that do exactly
| this. You can write/read data to any bluetooth device around
| you that is advertising as connectable and has a GATT
| characteristic that supports it.
| dragontamer wrote:
| > The premise is these folks have never met, and assuming that
| the cronies aren't familiar with the tech and told to "go to
| this bench, do this workflow, enter in these codes". Rather
| they were told to download an app to their phone, go to this
| area and "start chatting", or maybe they connected to the bush
| server, and exchanged messages without ever having to be in the
| same place at the same time.
|
| I'm pretty sure walkie-talkies can be purchased at any street
| corner and replicate this.
|
| Even toy walkie-talkies in the USA follow the FRS standard and
| have roughly ~1 mile or so of range (3 to 5 miles for more
| expensive walkie-talkies). Meaning you can have an untrackable
| "virtual meetup" with strangers as long as you all coordinate a
| time, place, and channel to talk.
|
| ------------
|
| If you want more smarts, you'll want to:
|
| 1. Use LoRa -- 900MHz (800ish in Europe) is superior for range.
| Bluetooth is 2.4GHz and attenuates too quickly, and is
| therefore short-range only (a few hundred meters reliably).
|
| 2. LoRa modules are cheap. Arduinos, ESP32, Beaglebone
| ConnectPlay, etc. etc. A ton of different microcontrollers and
| microprocessors exist. Slap a solar panel + lead-acid battery
| on a BeagleBone Play or something and now you got 24-hour
| always on servers with 3 to 5 miles of communication range. Add
| on TLS1.3 and now it's encrypted to the latest and greatest
| specifications of encryption available.
| fullspectrumdev wrote:
| LoRA is very neat, been playing with Meshtastic lately a bit
| - only downside is how fucking chatty it is, which makes it
| very easy to perform direction finding / trilateration using
| something like a KrakenSDR (or just a normal SDR and a
| directional antenna).
|
| At some point I'd like to mess with trying to do "burst"
| comms over LoRA, maybe meshtastic can be fiddled with to act
| in this manner - where it only actually sends RF traffic when
| it has something to say.
| dragontamer wrote:
| I just double-checked and I got my initial spelling (LoRA)
| wrong. It's actually spelled (LoRa) (lower-case a, not an
| upper-case). I've edited my earlier message to correct my
| mistake.
|
| LoRA is the LLM / deep learning stuff. LoRa is the radio.
| Hurrah, overloaded terms!
| the__alchemist wrote:
| You can configure the spreading factor and bandwidth to
| make the bursts very short, at the cost of robustness to
| interference etc. And transmit at sparse intervals if you
| want.
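The comment above says spreading factor and bandwidth set how long a LoRa burst stays on the air. As an added example, not code from the article or from any commenter, the calculation below applies the time-on-air formula from the Semtech SX127x datasheet to one 20-byte packet so the trade-off becomes concrete: at 125 kHz the same payload stays on air roughly 23 times longer at SF12 than at SF7, and widening the bandwidth to 500 kHz shortens it by a further factor of four. Preamble length (8 symbols), CRC on, explicit header and coding rate 4/5 are assumed defaults.

```python
# Added example, not the article's or any commenter's code.
import math


def lora_symbol_time(sf: int, bw_hz: int) -> float:
    """Symbol duration in seconds: one symbol spans 2^SF chips at BW chips/s."""
    return (2 ** sf) / bw_hz


def lora_payload_symbols(payload_len: int, sf: int, bw_hz: int, cr: int = 1,
                         crc: bool = True, implicit_header: bool = False) -> int:
    """Number of symbols the payload occupies (SX127x datasheet formula).

    cr is the coding-rate index: 1 = 4/5 ... 4 = 4/8.
    Low data rate optimisation (DE) is switched on when a symbol exceeds
    16 ms, which is what Semtech recommends for SF11/SF12 at 125 kHz.
    """
    de = 1 if lora_symbol_time(sf, bw_hz) > 0.016 else 0
    ih = 1 if implicit_header else 0
    numerator = 8 * payload_len - 4 * sf + 28 + 16 * int(crc) - 20 * ih
    denominator = 4 * (sf - 2 * de)
    return 8 + max(math.ceil(numerator / denominator) * (cr + 4), 0)


def lora_time_on_air(payload_len: int, sf: int, bw_hz: int, cr: int = 1,
                     preamble_symbols: int = 8, crc: bool = True,
                     implicit_header: bool = False) -> float:
    """Total packet airtime in seconds: preamble (n + 4.25 symbols) plus payload."""
    t_sym = lora_symbol_time(sf, bw_hz)
    t_preamble = (preamble_symbols + 4.25) * t_sym
    n_payload = lora_payload_symbols(payload_len, sf, bw_hz, cr, crc, implicit_header)
    return t_preamble + n_payload * t_sym


if __name__ == "__main__":
    # 20-byte payload at three settings; the SF12 burst is over a second long.
    for sf, bw in [(7, 125_000), (7, 500_000), (12, 125_000)]:
        print(f"SF{sf} BW{bw // 1000}kHz: {lora_time_on_air(20, sf, bw) * 1000:.1f} ms")
```

The longer airtime at high spreading factors is the same property that makes a transmitter easier to locate with a directional antenna, so the burst-length setting and the direction-finding exposure raised in the parent comment are two sides of one parameter.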
| XorNot wrote:
| Walkie-talkies are still unconventional technical items.
| _Everyone_ has a phone - homeless people have phones. Phones
| are ubiquitous, and someone having one is not unusual.
|
| They might be lower-tech, but it is _odd_ if someone has a
| walkie-talkie - also easy to monitor (range == eavesdroppers
| have range too) and it is in fact illegal to use encryption
| over the available frequencies or to send digital data (so
| all things you could do, but which would draw attention).
|
| The problem with committing crimes is that efforts to cover
| up the crime themselves are likely to create evidence of it.
| calamari4065 wrote:
| Yup, BLE can transmit data without pairing. That's how AirTags
| and the like work.
|
| Basically, BLE is designed for lightweight sensors that
| periodically wake up and blindly transmit their data. It
| doesn't know or care if anyone receives.
|
| The amount of data is small and necessarily unencrypted.
| Throughput is also very low.
|
| For bidirectional communication, you might be able to do the
| reverse: have your device transmit these blind BLE packets, but
| I don't know offhand if that's supported in Android. There may
| be other ways, like packing some data into an advertisement
| query or something.
|
| Again I'm not sure how well it's supported in Android, but
| under Windows you can silently establish a connection with an
| unsecured BLE device without user interaction. You don't
| actually _pair_ to BLE devices most of the time, it's a
| different mechanism. And again this comes without encryption,
| but there's ways around that.
| anonacct37 wrote:
| Android has a BLE scanner app that can passively read info. I
| don't know enough about the protocol to know if that is the
| same thing you are referring to.
| adzm wrote:
| Do you know which app you are talking about?
| caseyf wrote:
| a fun BLE device that I have is a Furby Connect (2016)
|
| https://github.com/Jeija/bluefluff ("This project aims to reverse
| engineer / "hack" Furby Connect's Bluetooth Low Energy protocol,
| graphics and audio format and eventually find a way to execute
| own code on Furby")
| EvanAnderson wrote:
| How easy is it to put consumer BLE chipsets into a monitor mode?
| It sounds like it'd be fun to "wardrive" (more likely walking
| around) with a BLE "scanner".
| lyu07282 wrote:
| impossible afaik, but SDRs are so cheap and available now
| anyway..
| invalidator wrote:
| It's a piece of cake. BLE doesn't try to hide anything. Install
| "nRF Connect" on a mobile device and have fun.
___________________________________________________________________
(page generated 2024-01-09 23:00 UTC)