sniffing a laser tape

RE: sniffing a laser tape

erltot — Fri, 28 Jul 2017 08:51:13 GMT

@rogerclark Nice, thanks for sharing!

RE: sniffing a laser tape

Roger Clark — Thu, 27 Jul 2017 20:56:01 GMT

JADX is free and easy to use to decompile Android Apps.

https://github.com/skylot/jadx

RE: sniffing a laser tape

erltot — Thu, 27 Jul 2017 12:52:27 GMT

Ok great so I should be able to figure this out :)

RE: sniffing a laser tape

endnode — Thu, 27 Jul 2017 12:44:16 GMT

I always had better experience with nRF51 DK then dongle (dongle tend to overheat and also you cannot place it easily everywhere as it is typically plugged into laptop full of metal and electronics). There is one Q&A on this forum which provides unofficial port of sniffer FW for nRF52 DK but you have the system working so you might be fine for now.

RE: sniffing a laser tape

endnode — Thu, 27 Jul 2017 12:42:35 GMT

Second sniffer log is perfectly fine except there are no real measurement data exchanges. But you now have working set-up, it seems that devices are not using any security (at least not at this point) as all GATT methods visible in the log are in clear. I assume that measurement protocol will run as Notify or Read methods over one of dedicated proprietary Characteristic Value handles. Unpair the device from phone (if paired), erase BT cache on the phone if possible and try to capture very first encounter of these two devices (e.g. restart both to be sure you start form clear situation). And try to capture actual data exchange (but the rest is on you, I don't think you want us to reverse the protocol for you, do you?:)

RE: sniffing a laser tape

erltot — Thu, 27 Jul 2017 12:30:11 GMT

I tried again with the phone, sniffer and laser much closer and now I got one called CONNECT_REQ, i'll update question with the log. I see - I think disassembly java apps and sniffers for 20k USD are out of my scope at the moment :)

I am using the nrf dongle (PCA10031), but i have a nrf52 devkit (PCA10040) nrf52832 available as well

RE: sniffing a laser tape

endnode — Thu, 27 Jul 2017 12:21:52 GMT

From your sniffer log it's obvious that it missed the connection (assuming there was some, gap in timing after packet #46 suggests that). What nRF51 board are you using? Do you have all phone, sniffer and Bosh thing close together during experiments? Note that Nordic sniffer has some limitations in sensitivity and that people who do such tasks for living are using specialized and much more expensive tools like Frontline or Ellysis analyzers (1-20k USD).

RE: sniffing a laser tape

endnode — Thu, 27 Jul 2017 12:15:16 GMT

I guess Roger meant to disassemble Android app which is JAVA so it's fairly possible, there are well known techniques and even they use obfuscation it's usually possible to get through it - for decent hacker;)

RE: sniffing a laser tape

erltot — Thu, 27 Jul 2017 12:07:23 GMT

@endnode Updated the question with a wireshark log, i can't see any connect req but i'll try some more. It is BLE protocol - I can connect with the nRF Connect (ios) app and read services and characteristics (unknown + device information)

@Roger Clark I'm not familiar with app programming at all, I know android has some bluetooth logging functionality avaiable in debug mode - is this what you were thinking about?

RE: sniffing a laser tape

Roger Clark — Thu, 27 Jul 2017 10:53:12 GMT

An easier option is probably to reverse engineer the app

RE: sniffing a laser tape

endnode — Thu, 27 Jul 2017 09:52:52 GMT

That's hard to say based on your information. If you are sure that this device is using BLE protocol not classic BR/EDR and that you see the advertisement then it should be done. In the worst case you won't be able to decode PDU payload if you don't catch initial pairing&bonding procedure but if you have the chance then simply unbond the device in the phone and sniff that connection as well. If you don't see CONNECT_REQ and subsequent connection link packets then most probably sniffer missed that and you should repeat the test or place sniffer differently to limit packet loss.