RE: Sniffing Pairing Process between Fan Unit and Mobile App

Vidar Berg — Tue, 20 Jun 2023 12:17:14 GMT

Hi Spence,

The sniffer trace shows that there is no pairing or encryption of the link, only service discovery and some read/write exchanges to the characteristics. This may be a good thing as it should make interfacing with the device easier.

Unfortunately, I'm not sure how to decode the write commands that are being sent. My only suggestion is to try send multiple commands from the vendor app and see if you can notice any patterns.

Best regards,

Vidar

RE: Sniffing Pairing Process between Fan Unit and Mobile App

spencerwebb — Mon, 19 Jun 2023 18:45:10 GMT

devzone.nordicsemi.com/.../MEV_5F00_with_5F00_pairing.pcapng

RE: Sniffing Pairing Process between Fan Unit and Mobile App

spencerwebb — Mon, 19 Jun 2023 17:54:19 GMT

Hi Vidar,

thanks for getting back to me. I've managed to capture the paring process using wireshark, Once connected, the same capture shows me changing the fan settings. Whilst I can see a lot of the things expected I'm really struggling to decipher how the paring process is completed between the mobile app and fan. I can connect to the fan from my Raspberry PI and can view many GATT characteristics but none of the values seems to change when I change them via the app and then move back to the linux terminal. I've also tried writing to the attributes using the values from the wireshark capture which doesn't fail, however the fan settings remain unchanged.

Here are the GATT attributes that I can see via the PI for the fan (70:B3:D5:68:7B:45) I've been able to decode some values such as the name/firmware etc.. but am struggling to make sense of anything else. I will also share the wireshark capture on the off chance that someone is able to help me understand.

Many Thanks

Spence

[70:B3:D5:68:7B:45][LE]> primary
attr handle: 0x0001, end grp handle: 0x0004 uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle: 0x0005, end grp handle: 0x000b uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle: 0x000c, end grp handle: 0x0016 uuid: 0000180a-0000-1000-8000-00805f9b34fb
attr handle: 0x001b, end grp handle: 0x001d uuid: e6ec2fd8-e888-4eb2-9680-e78ed6ea89e1
attr handle: 0x001e, end grp handle: 0x0026 uuid: e6834e4b-7b3a-48e6-91e4-f1d005f564d3
attr handle: 0x002a, end grp handle: 0x002e uuid: c119e858-0531-4681-9674-5a11f0e53bb4

[70:B3:D5:68:7B:45][LE]> char-desc 2 2d
handle: 0x0002, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0004, uuid: 00002902-0000-1000-8000-00805f9b34fb
handle: 0x0005, uuid: 00002800-0000-1000-8000-00805f9b34fb
handle: 0x0006, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0007, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x0008, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0009, uuid: 00002a01-0000-1000-8000-00805f9b34fb
handle: 0x000a, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x000b, uuid: 00002a04-0000-1000-8000-00805f9b34fb
handle: 0x000c, uuid: 00002800-0000-1000-8000-00805f9b34fb
handle: 0x000d, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x000e, uuid: 00002a29-0000-1000-8000-00805f9b34fb
handle: 0x000f, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0010, uuid: 00002a26-0000-1000-8000-00805f9b34fb
handle: 0x0011, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0012, uuid: 00002a27-0000-1000-8000-00805f9b34fb
handle: 0x0013, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0014, uuid: 00002a28-0000-1000-8000-00805f9b34fb
handle: 0x0015, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0016, uuid: 00002a24-0000-1000-8000-00805f9b34fb
handle: 0x001b, uuid: 00002800-0000-1000-8000-00805f9b34fb
handle: 0x001c, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x001d, uuid: e6ec2fd8-e888-4eb2-9681-e78ed6ea89e1
handle: 0x001e, uuid: 00002800-0000-1000-8000-00805f9b34fb
handle: 0x001f, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0020, uuid: 4cad343a-209a-40b7-b911-4d9b3df569b2
handle: 0x0021, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0022, uuid: d1ae6b70-ee12-4f6d-b166-d2063dcaffe1
handle: 0x0023, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0024, uuid: 638ff62c-3823-4e0f-8179-1695c46ee8af
handle: 0x0025, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x0026, uuid: b85fa07a-9382-4838-871c-81d045dcc2ff
handle: 0x002a, uuid: 00002800-0000-1000-8000-00805f9b34fb
handle: 0x002b, uuid: 00002803-0000-1000-8000-00805f9b34fb
handle: 0x002c, uuid: 7c4adc0d-2f33-11e7-93ae-92361f002671
handle: 0x002d, uuid: 00002803-0000-1000-8000-00805f9b34fb


[70:B3:D5:68:7B:45][LE]> char-read-hnd 2
Characteristic value/descriptor: 20 03 00 05 2a
[70:B3:D5:68:7B:45][LE]> char-read-hnd 3
Error: Characteristic value/descriptor read failed: Attribute can't be read
[70:B3:D5:68:7B:45][LE]> char-read-hnd 4
Characteristic value/descriptor: 00 00
[70:B3:D5:68:7B:45][LE]> char-read-hnd 5
Characteristic value/descriptor: 00 18
[70:B3:D5:68:7B:45][LE]> char-read-hnd 6
Characteristic value/descriptor: 4e 07 00 00 2a
[70:B3:D5:68:7B:45][LE]> char-read-hnd 7
Characteristic value/descriptor: 4d 45 56
[70:B3:D5:68:7B:45][LE]> char-read-hnd 8
Characteristic value/descriptor: 4e 09 00 01 2a
[70:B3:D5:68:7B:45][LE]> char-read-hnd 9
Characteristic value/descriptor: 00 00
[70:B3:D5:68:7B:45][LE]> char-read-hnd a
Characteristic value/descriptor: 02 0b 00 04 2a
[70:B3:D5:68:7B:45][LE]> char-read-hnd b
Characteristic value/descriptor: ff ff ff ff 00 00 ff ff
[70:B3:D5:68:7B:45][LE]> char-read-hnd c
Characteristic value/descriptor: 0a 18
[70:B3:D5:68:7B:45][LE]> char-read-hnd d
Characteristic value/descriptor: 02 0e 00 29 2a
[70:B3:D5:68:7B:45][LE]> char-read-hnd e
Characteristic value/descriptor: 4d 45 56
[70:B3:D5:68:7B:45][LE]> char-read-hnd f
Characteristic value/descriptor: 02 10 00 26 2a
[70:B3:D5:68:7B:45][LE]> char-read-hnd 10
Characteristic value/descriptor: 32 2e 30 33 2e 30 30
[70:B3:D5:68:7B:45][LE]> char-read-hnd 13
Characteristic value/descriptor: 02 14 00 28 2a
[70:B3:D5:68:7B:45][LE]> char-read-hnd 14
Characteristic value/descriptor: 30 31 2e 30 30
[70:B3:D5:68:7B:45][LE]> char-read-hnd 15
Characteristic value/descriptor: 02 16 00 24 2a
[70:B3:D5:68:7B:45][LE]> char-read-hnd 16
Characteristic value/descriptor: 09
[70:B3:D5:68:7B:45][LE]> char-read-hnd 1b
Characteristic value/descriptor: e1 89 ea d6 8e e7 80 96 b2 4e 88 e8 d8 2f ec e6
[70:B3:D5:68:7B:45][LE]> char-read-hnd 1c
Characteristic value/descriptor: 0e 1d 00 e1 89 ea d6 8e e7 81 96 b2 4e 88 e8 d8 2f ec e6
[70:B3:D5:68:7B:45][LE]> char-read-hnd 1
Characteristic value/descriptor: 01 18
[70:B3:D5:68:7B:45][LE]> char-read-hnd 1d
Characteristic value/descriptor: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[70:B3:D5:68:7B:45][LE]> char-read-hnd 1e
Characteristic value/descriptor: d3 64 f5 05 d0 f1 e4 91 e6 48 3a 7b 4b 4e 83 e6
[70:B3:D5:68:7B:45][LE]> char-read-hnd 1f
Characteristic value/descriptor: 0a 20 00 b2 69 f5 3d 9b 4d 11 b9 b7 40 9a 20 3a 34 ad 4c
[70:B3:D5:68:7B:45][LE]> char-read-hnd 20
Characteristic value/descriptor: 00
[70:B3:D5:68:7B:45][LE]> char-read-hnd 21
Characteristic value/descriptor: 02 22 00 e1 ff ca 3d 06 d2 66 b1 6d 4f 12 ee 70 6b ae d1
[70:B3:D5:68:7B:45][LE]> char-read-hnd 22
Characteristic value/descriptor: 00 00 00 00
[70:B3:D5:68:7B:45][LE]> char-read-hnd 23
Characteristic value/descriptor: 02 24 00 af e8 6e c4 95 16 79 81 0f 4e 23 38 2c f6 8f 63
[70:B3:D5:68:7B:45][LE]> char-read-hnd 24
Characteristic value/descriptor: 00 00 00 00 00 00
[70:B3:D5:68:7B:45][LE]> char-read-hnd 25
Characteristic value/descriptor: 0a 26 00 ff c2 dc 45 d0 81 1c 87 38 48 82 93 7a a0 5f b8
[70:B3:D5:68:7B:45][LE]> char-read-hnd 26
Characteristic value/descriptor: 4d 45 56 20 43 6f 6e 74 72 6f 6c 20 55 6e 69 74 00 00 00 00 00
[70:B3:D5:68:7B:45][LE]> char-read-hnd 2a
Characteristic value/descriptor: b4 3b e5 f0 11 5a 74 96 81 46 31 05 58 e8 19 c1
[70:B3:D5:68:7B:45][LE]> char-read-hnd 2b
Characteristic value/descriptor: 02 2c 00 71 26 00 1f 36 92 ae 93 e7 11 33 2f 0d dc 4a 7c
[70:B3:D5:68:7B:45][LE]> char-read-hnd 2c
Characteristic value/descriptor: 0a 00 00 00
[70:B3:D5:68:7B:45][LE]> char-read-hnd 2d
Characteristic value/descriptor: 02 2e 00 71 26 00 1f 36 92 ae 93 e7 11 33 2f 0e dc 4a 7c

RE: Sniffing Pairing Process between Fan Unit and Mobile App

Vidar Berg — Wed, 07 Jun 2023 13:06:39 GMT

Hi Spence,

I'm not familiar with this particular device, but it should be possible to sniff the communication as long as it is not using 'LE Secure Connection pairing' with diffie-hellman key exchange for the pairing procedure.

Instructions on how to use our the nRF52840 Dongle as a Bluetooth sniffer can be found here: nRF Sniffer for Bluetooth LE. If this does not work, then I suggest you use the nRF connect app and see if you can guess the commands to interface with the fan.

Best regards,

Vidar