For a university research projec,t I tried to pair the Raspberry Pi 3 with a Mikroelektronika Hexiwear using BLE (Bluetooth Low Energy). Most everything worked after a lot of trial and error, but at a certain point, I was stuck trying to write and send data from the Raspy to the BLE device. The Hexiwear BLE protocol description is very thin, so I ended up using a BLE sniffer to reverse engineer the protocol with Wireshark.

Hardware setup between Raspy and Hexiwear

In this article, I describe the needed steps to record and analyze BLE communication packets with the Adafruit Bluefruit LE Sniffer and Wireshark. While I’m using a Raspberry Pi, with the Hexiwear, the steps could be easily applied to any BLE communication. As a special point, I’m sniffing a connection with authentication between the Raspberry Pi and the Hexiwear.

Wireshark is an open source packet-sniffing program for all kinds of protocols and packets. With Wireshark, I can collect and analyze the BLE packets:

BLE packet in Wireshark

The Adafruit Bluefruit LE Sniffer is a small dongle with serial interface featuring a Nordic Semiconductor nRF51822 BLE module (MDBT40). Adafruit has a module available with a sniffer firmware preloaded.

Active sniffing connection

Adafruit BLE Sniffing Hardware

Installation

Follow the steps described here. I’m using the following:

1. FTDI driver for the FT231X on the sniffer: FTDI Driver Download Page.
2. Nordic Sniffer application (sorry, Windows only): http://www.nordicsemi.com/eng/Products/Bluetooth-low-energy/nRF-Sniffer.
   For Mac OS X and Linux, see the Adafruit page using the Python API.
3. Wireshark Version 1.12.10. It is important to use exactly that version, as other versions might not work. The version 1.12.10 can be found here: https://www.wireshark.org/download/win32/all-versions/ (32bit) and https://www.wireshark.org/download/win64/all-versions/ (64bit)

I’m using the following version of the Nordic Sniffer Software:

Nordic semiconductor sniffer software

This is the version information of the Wireshark version I’m using:

Verify that the FTDI serial driver is installed and the sniffer board is recognized:

FTDI serial driver installed in Windows

In order to be able to sniff an encrypted/authenticated connection, it is important to keep the following steps in exact the order presented!

Run the Nordic sniffer application (in my case: ble-sniffer_win_1.0.1_1111_Sniffer.exe):

Nordic BLE sniffer application

IMPORTANT: The sniffer will report “!!Your firmware is outdated!!”. Do NOT update the firmware!

After a while, the Hexiwear should show up. At that point, start Wireshark by pressing the ‘w’ key in the sniffer:

Whireshark started from the BLE sniffer

In the sniffer program, select the Hexiwear device from the list (‘0’ in my case):

Next, start the pairing to the device (see “Tutorial: BLE Pairing the Raspberry Pi 3 Model B with Hexiwear” to see how to do this from a Raspberry Pi/Linux with Bluez): A pairing code will show up on the device:

Enter that code first in the sniffer program. For this, enter ‘p’ followed by the passkey.

Then enter that code on the device that initiated the pairing (e.g. the Raspberry Pi):

Note that this needs to happen rather fast, as otherwise the pairing will run into a timeout. You might need to try this several times until the sequence works.

With this, the sniffer program and Wireshark can listen to the encrypted data packets.

Filtering Packets

In Wireshark, there are many 'empty PDU' packets sniffed. The Master (Raspberry Pi in my case) needs to poll the slave, and this results in many empty packets. As I’m not interested in these empty packets, I can filter them out. To do that, unfold a data header, drill down to the data header length, and apply a filter as ‘not selected’:

Filtering out empty packets

This removes all the empty PDU packets with a filter:

Now I can see into the Wireshark the packets. This is very useful for reverse engineering the protocol, especially, as in the case of the Hexiwear, the protocol is not very well documented. For example in “Tutorial: BLE Pairing the Raspberry Pi 3 Model B with Hexiwear” I wanted to write the date/time to the Hexiwear device, but always failed. With Wireshark and the BLE sniffer, I was able to record the data packets sent between the mobile phone application and the Hexiwear to set the date/time:

Writing date/time

The sniffer shows that the following data is written with a write-request on handle 0x61:

03 04 22e65a58 0000000000000000000000000000

The 0x03 is the command for writing date/time, followed by 0x04 with the length of the following time (seconds since 1970): 0x585ae622 (data is sent in little-endian).

0x585ae622 (or 1482352162) is 21-Dec-2016 20:29:00 (see http://www.epochconverter.com/) which indeed is what showed up on the Hexiwear.

With this knowledge, I was able to replicate this from the Raspberry Pi:

char-write-req 61 030422e65a580000000000000000000000000000

Summary

Sometimes it is all about the right tools. Just like having a logic analyzer to see what is going on with a wired bus like SPI or I²C, a packet sniffer is incredibly valuable to understand a wireless protocol. With the help of the Adafruit Bluefuit LE Sniffer and Wireshark, I’m now able to inspect and see the encrypted packets exchanged between a Hexiwear and a Raspberry Pi and reverse engineer the protocol used.

Happy sniffing!

Links

• Wireshark: https://en.wikipedia.org/wiki/Wireshark.
• Wireshark versions: https://www.wireshark.org/download/win32/all-versions/  and https://www.wireshark.org/download/win64/all-versions/.
• Adafruit Bluefruit LE Sniffer: https://www.adafruit.com/product/2269.
• Paring Hexiwear with Raspberry Pi: Tutorial: BLE Pairing the Raspberry Pi 3 Model B with Hexiwear.