
Sniffing a Bosch laser tape 2

Hi.

I'm trying to figure out a way I can control a Bosch GLM120C laser measure device using a microcontroller.

I'm at a stage where I can activate the laser (1st command) and take a measurement (2nd command) using the nRF Connect app on my phone.

Service UUID: 2A6C0D0-0451-4000-B000-FB3210111989

Command I'm writing: "c05601001e". The first time it activates the laser and the 2nd time it takes a measurement.

While the app from Bosch does get the distance value, I can't seem to figure out what packet the data is being sent back in. I'm using Wireshark and a BLE sniffer (nRF52 dongle).

https://www.dropbox.com/s/z97dv8qdbm8emja/514mm%282%29.pcapng?dl=0

Any input would be much appreciated. 

Thanks Guys.

  • Hi,

    I am afraid we cannot help reverse engineering the custom protocol that the bosch laser is using...

  • Hi Dainius G,

    your post was quite interesting. I scanned for BLE devices in my house and realized that there was a device with the 128 bit UUID you described here. I couldn't make out what it was until I found the service number in your post.

    Thanks to you, I figured that my Bosch GLM120C is advertising ALTHOUGH IT IS TURNED OFF (advertising interval is 8 seconds)!! The only scenario I see, where this could make sense, is if you could (fully) turn on the GLM120C remotely via BLE.
    I never noticed a feature in the Bosch Measuring Master app that would allow that. Anyway, there might be some hidden features (or bad design decisions).

    Another thing I noticed is, that Bosch does not seem to do advertising manufacturer specific data (0xFF) in the right way. They seem to violate the standard and skip the mandatory 16 bit company identifier (0x02A6 for Robert Bosch GmbH) and send their data - the 48 bit BLE address - right away. There is an additional byte in the manufacturer specific data after the 48 bit address, which is 0x00 in my case.

    I probably won't look deeper into the communication of the GLM120C. Anyway, good luck!

    Regards,
    Sparkybert

  • Since I got an nRF sniffer and I am interested in Bluetooth LE I took a peek at the communication of the Bosch GLM120C and figured how the measurement data can be acquired.

    As Dainius G mentioned before, performing a write access using the hex byte sequence c0 56 01 00 1e to characteristic
    [UUID: 02a6c0d104514000b000fb3210111989]
    in
    [Service UUID: 02a6c0d004514000b000fb3210111989]
    starts the laser. The device will then generate two indications (have to be enabled) on the characteristic. It seems the value data in the first two indications after firing up the laser can be ignored.

    When the laser is on and the same byte sequence is written to the characteristic again, as mentioned above, the laser is turned off and two more indications are generated on the characteristic we performed the write access on.
    The first indication contains the byte sequence:
    Value: 000082
    It seems this data is not interesting. Right after confirmation of the indication, another indication will be generated for the same characteristic - this one contains the measurement data.

    This is the relevant indication value data from the GLM120C (aka GLM400C in the US) I acquired using nRF Sniffer with Wireshark (both are great tools!):

    Bluetooth Attribute Protocol
        Opcode: Handle Value Indication (0x1d)
        Handle: 0x001e (Unknown: Unknown)
            [Service UUID: 02a6c0d004514000b000fb3210111989]
            [UUID: 02a6c0d104514000b000fb3210111989]
        Value: c0551006XXXXXX2c439c3e000000000000000036

    the value bytes XXXXXX above have been redacted - they might contain personal information (unlikely, but still).

    Supposed meaning of the second indication value data by index/offset (most of it is speculation, but I am certain about the actual measurement data):

    0x00 - 0x01: 0xC0 0x55  Header (speculation)
    0x02: 0x10 Length (speculation) This seems to be the number of the following bytes before the supposed 8-Bit CRC in the packet.
    0x03: This byte had the value 0x06 so far, when there was non-zero (valid?) measurement data. Otherwise, when the laser was just started and measurement data was zero / invalid, this byte was 0x02 in my attempts.
    0x04 - 0x06:??
    0x07 - 0x0A: 32-bit floating point value (IEEE-754, little endian) representing the measured length in meters. In the example above the byte sequence is 2C 43 9C 3E. The laser tape showed 0.305 meters when I did the measurement. Given that this is little endian, we reverse the byte order to 0x3E9C432C and can feed it to an online converter (like this one):
    https://www.h-schmidt.net/FloatConverter/IEEE754.html
    0x3E9C432C gives a measurement of 0.305199980736
    I did a few attempts with different distances and the result always matched the reading on the display of the GLM120C.
    0x0B - 0x12: ?? These bytes have always been 0x00 in my case.
    0x0C: CRC/Checksum?? Seems to be some additional non-standard 8-Bit CRC / Checksum. Can be ignored (BLE has its own CRC anyway).

    There's a good chance that the same service is used on other Bosch laser tapes like the GLM50C.
    Maybe this helps.
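The frame layout described in the post above, turned into a small decoder. This is an added example, not code from the thread or from Bosch. It assumes only what the post states: the C0 55 header, the length byte at offset 0x02 counting the bytes before a trailing checksum byte, the flag byte at 0x03, and the little-endian IEEE-754 float at 0x07-0x0A. The three redacted bytes (XX XX XX) are replaced with 00 00 00 as a constructed placeholder, and the checksum byte is read from the last position of the 20-byte value (0x13) without attempting to verify it, since the algorithm is not known from the thread.

```python
import struct

# Constructed sample: the 20-byte measurement indication quoted in the thread,
# with the three redacted bytes (XX XX XX) replaced by 00 00 00 as a placeholder.
SAMPLE_MEASUREMENT = bytes.fromhex(
    "c0551006" "000000" "2c439c3e" "0000000000000000" "36"
)
# Constructed sample: the short status indication that precedes the measurement.
SAMPLE_STATUS = bytes.fromhex("000082")

HEADER = b"\xc0\x55"      # observed at offsets 0x00-0x01
FLOAT_OFFSET = 0x07       # IEEE-754 single, little endian, metres
FLAG_VALID = 0x06         # offset 0x03 when a non-zero measurement was present
FLAG_NO_DATA = 0x02       # offset 0x03 right after the laser was started


def parse_indication(value: bytes):
    """Decode one Handle Value Indication payload from the measurement characteristic.

    Returns a dict for a measurement frame, or None for anything that does not
    look like one (the 000082 status frame, a wrong header, or a length byte
    that disagrees with the actual payload size).
    """
    if len(value) < 4 or value[:2] != HEADER:
        return None
    length = value[2]
    # The length byte counts the bytes between itself and the trailing checksum
    # byte, so a well-formed frame is 3 header bytes + length + 1 checksum byte.
    if len(value) != 3 + length + 1:
        return None
    if FLOAT_OFFSET + 4 > 3 + length:
        return None  # frame too short to hold the float field
    flag = value[3]
    (meters,) = struct.unpack_from("<f", value, FLOAT_OFFSET)
    return {
        "flag": flag,
        "valid": flag == FLAG_VALID and meters != 0.0,
        "meters": meters,
        "millimeters": round(meters * 1000),
        "checksum": value[-1],  # trailing byte; algorithm unknown, reported only
    }


def measurements_from_indications(indications):
    """Filter a sequence of indication payloads down to valid readings in mm."""
    readings = []
    for value in indications:
        frame = parse_indication(value)
        if frame and frame["valid"]:
            readings.append(frame["millimeters"])
    return readings


if __name__ == "__main__":
    for v in (SAMPLE_STATUS, SAMPLE_MEASUREMENT):
        print(v.hex(), "->", parse_indication(v))
    print(measurements_from_indications([SAMPLE_STATUS, SAMPLE_MEASUREMENT]))
```

The length check matters when feeding this from a live sniffer: an indication that is shorter than its length byte claims is dropped instead of being decoded into a nonsense distance, and the 000082 status frame never reaches the float decoder.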

  • I wanted to post a follow-up about the advertising data of the GLM120C.
    It is alarming that you cannot stop the GLM120C Bosch laser tape from advertising.
    Even though Bluetooth is turned off in settings (it always falls back to Bluetooth disabled when the device is turned on) and the device is turned off, it constantly advertises its PUBLIC address in an 8 second interval.
    When the device is turned off, it advertises using ADV_NONCONN_IND, so you cannot connect and turn it on remotely as I speculated in a previous post. The MAC address is registered to Texas Instruments, so it likely uses a Chipcon radio. The device has a built-in lithium battery, so I see no way to prevent this device from being trackable 24/7 (unless you make a cute little tin-foil hat for your laser tape). In terms of privacy, this is kind of alarming. I wonder if Bosch makes all their BLE connectable tools 24/7 trackable and how Bosch apps communicate the gathered device and location data with their servers.
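An added example for the two advertising posts above (the manufacturer-specific data observation and this follow-up), not code from the thread or from Bosch: a parser for the length-type-value AD structures in an advertising payload that checks whether the 0xFF structure starts with the 16-bit company identifier the spec requires. The two advertising payloads are constructed for the example; the address 11:22:33:44:55:66 is a placeholder, and the only values taken from the thread are the 0x02A6 identifier for Robert Bosch GmbH and the described layout of 48-bit address plus one 0x00 byte with no company id. A defender inventorying always-on advertisers can use the same check to spot vendors that omit the identifier.

```python
BOSCH_COMPANY_ID = 0x02A6   # Robert Bosch GmbH, the identifier named in the thread
AD_TYPE_MANUFACTURER = 0xFF

# Constructed advertising payloads (not captures from the device):
#  - NONCONFORMANT mimics what the post describes: the 0xFF structure carries a
#    48-bit address (placeholder 11:22:33:44:55:66) plus one 0x00 byte, no company id.
#  - CONFORMANT shows the Core Spec layout with the 16-bit company id first
#    (little endian: a6 02), followed by the same vendor bytes.
NONCONFORMANT = bytes.fromhex("020106" "08ff" "112233445566" "00")
CONFORMANT = bytes.fromhex("020106" "0aff" "a602" "112233445566" "00")


def split_ad_structures(adv: bytes):
    """Split raw advertising data into (ad_type, payload) tuples."""
    structures = []
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:          # a zero-length structure terminates the payload
            break
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure at offset %d" % i)
        structures.append((adv[i + 1], bytes(adv[i + 2:i + 1 + length])))
        i += 1 + length
    return structures


def manufacturer_data(adv: bytes, expected_company_id: int):
    """Interpret the manufacturer-specific AD structure, if one is present.

    Per the spec the first two payload bytes are the company identifier
    (little endian). The result records whether they match the expected
    identifier; when they do not, the vendor may be omitting it, as the thread
    reports for the GLM120C, so the raw payload is kept for manual inspection.
    """
    for ad_type, payload in split_ad_structures(adv):
        if ad_type != AD_TYPE_MANUFACTURER:
            continue
        if len(payload) < 2:
            return {"present": True, "company_id": None, "matches": False,
                    "data": None, "raw": payload}
        cid = int.from_bytes(payload[:2], "little")
        matches = cid == expected_company_id
        return {"present": True, "company_id": cid, "matches": matches,
                "data": payload[2:] if matches else None, "raw": payload}
    return {"present": False, "company_id": None, "matches": False,
            "data": None, "raw": b""}


if __name__ == "__main__":
    for name, adv in (("conformant", CONFORMANT), ("nonconformant", NONCONFORMANT)):
        print(name, manufacturer_data(adv, BOSCH_COMPANY_ID))
```

On the constructed nonconformant payload the first two bytes of the vendor field parse as company id 0x2211, which is simply the first two octets of the placeholder address; that mismatch is the signal the check is looking for.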

  • Hi SparkyBert thanks for your help.
    Yes, I have figured out how data is sent back to the "master" device as a float value.

    I have decompiled the "Bosch MeasureON" Android APK file using "JADX" (https://github.com/skylot/jadx).

    https://www.dropbox.com/s/3xcvlzzflls3eky/Crc.PNG?dl=0
    https://www.dropbox.com/s/x2gimzjl9at4388/MtBLE.PNG?dl=0
    https://www.dropbox.com/s/x0x5j41wt9qxgzp/MtFrame.PNG?dl=0
    https://www.dropbox.com/s/loe53yrf6579fnr/MtProtocol.PNG?dl=0

    And there are tons of info on Bosch GLM100C measure tape connection protocols, CRC calculation, both classic and BLE...
