Sniffing a Bosch laser tape 2

RE: Sniffing a Bosch laser tape 2

kosnick — Mon, 17 Apr 2023 07:55:08 GMT

Hi Sparkybert,

I am trying to apply your info on a GLM50C. And it seems to be working. Almost.

At the moment I able to send the request and the laser turns on and gets a value. According to Dainius G. post ("send the bytes twice").

However, I do not get a response back (including the measured value), unless I connect the device to the official application first (I connect the device with the app, I disconnect it and there it is... ).

I have turned on the indications on the characteristic but there is no hex with the measurement value. The moment I connect the device to the official app (MeasureOn) and disconnect it (even without taking any measurement), I am able to receive hex with the correct value.

By the way, it is the same when using nRF connect (in case you are not familiar, an android app to sniff bluetooth, but i assume it's the same as nRF sniffer you mentioned on your post).

( this following section might be irrelavent, but in any case ....

I tried sniffing the bluetooth with my android phone, and one thing to mention that might help is that as soon as the indication flag is set on the characteristic:

the official app sent write request, handle 0x001e with value c05502

the device rcvd write respons, handle 0x001e and then

the device rcvd handle value indication, handle 0x001e with value 001000

the official app sent handle value confiramation, handle 0x001e

)

Any help would be much appreciated.

Thanks.

RE: Sniffing a Bosch laser tape 2

Sparkybert — Wed, 10 Nov 2021 12:48:44 GMT

Hi run_ar,

thank you very much for your hint. You were absolutely right.
I checked my original manual again, which mentions TrackMyTools (TMT) briefly. The manual only says that you can turn it on or off in the settings and that there is a dedicated app for it. That's pretty much it.

Anyway, I turned TMT off in the device settings and tested again and it actually stopped advertising when the device is turned off.

Thanks again.

RE: Sniffing a Bosch laser tape 2

run_ar — Mon, 08 Nov 2021 20:24:24 GMT

Maybe you have enabled the "TrackMyTools" feature or something, which in case it would make sense to advertise while in "off" mode?

RE: Sniffing a Bosch laser tape 2

Sparkybert — Fri, 05 Nov 2021 20:41:39 GMT

Hi Dainius G,

thank you for the information. JADX sounds interesting. I might have a look at it in the future.

I tried to suppress advertising packets of the GLM120C using drastic measures, but to no success.
Good luck with your micro controller application.

RE: Sniffing a Bosch laser tape 2

Dainius G — Fri, 05 Nov 2021 18:27:50 GMT

Hi SparkyBert thanks for your help.
Yes I have figured out how data is sent back to the "master" device as a float value.

I have decompiled "Bosch MeasureON" android apk file using "JADX"https://github.com/skylot/jadx

https://www.dropbox.com/s/3xcvlzzflls3eky/Crc.PNG?dl=0
https://www.dropbox.com/s/x2gimzjl9at4388/MtBLE.PNG?dl=0
https://www.dropbox.com/s/x0x5j41wt9qxgzp/MtFrame.PNG?dl=0
https://www.dropbox.com/s/loe53yrf6579fnr/MtProtocol.PNG?dl=0

And there is tons of info on Bosch GLM100C measure tape connection protocols, crc calculation, both classic and BLE......

RE: Sniffing a Bosch laser tape 2

Sparkybert — Fri, 05 Nov 2021 12:34:39 GMT

I wanted to post a follow-up about the advertising data of the GLM120C.
It is alarming that you can not stop the GLM120C Bosch laser tape from advertising.
Even though Bluetooth is turned off in settings (it always falls back to bluetooth disabled when the device is turned on) and the device is turned off, it constantly advertises its PUBLIC address in an 8 second interval.
When the device is turned off, it advertises using ADV_NONCONN_IND, so you can not connect and turn it on remotely as I speculated in a previous post. The MAC address is registered to Texas Instruments, so it likely uses a Chipcon radio. The device has a built-in Lithium-Battery, so I see no way to prevent this device from being trackable 24/7 (unless you make a cute little tin-foil hat for your laser tape). In terms of privacy, this is kind of alarming. I wonder if Bosch makes all their BLE connectable tools 24/7 trackable and how Bosch apps communicate the gathered device and location data with their servers.

RE: Sniffing a Bosch laser tape 2

Sparkybert — Fri, 05 Nov 2021 12:30:28 GMT

Since I got an nRF sniffer and I am interested in Bluetooth LE I took a peek at the communication of the Bosch GLM120C and figured how the measurement data can be acquired.

As Dainius G mentioned before, performing a write access using the hex byte sequence c0 56 01 00 1e to characteristic
[UUID: 02a6c0d104514000b000fb3210111989]
in
[Service UUID: 02a6c0d004514000b000fb3210111989]
starts the laser. The device will then generate two indications (have to be enabled) on the characteristic. It seems the value data in the first two indications after firing up the laser can be ignored.

When the laser is on and the same byte sequence is written to the characteristic again, as metioned above, the laser is turned off and two more indications are generated on the characteristic we performed the write access on.
The first indication contains the byte sequence:
Value: 000082
It seems this data is not interesting. Right after confirmation of the indication, another indication will be generated for the same characteristic - this one contains the measurement data.

This is the relevant indication value data from the GLM120C (aka GLM400C in the US) I acquired using nRF Sniffer with Wireshark (both are great tools!):

Bluetooth Attribute Protocol
    Opcode: Handle Value Indication (0x1d)
    Handle: 0x001e (Unknown: Unknown)
        [Service UUID: 02a6c0d004514000b000fb3210111989]
        [UUID: 02a6c0d104514000b000fb3210111989]
    Value: c0551006XXXXXX2c439c3e000000000000000036

the value bytes XXXXXX above have been redacted - they might contain personal information (unlikely, but still).

Supposed meaning of the second indication value data by index/offset (most of it is speculation, but I am certain about the the actual measurement data):

0x00 - 0x01: 0xC0 0x55 Header (speculation)
0x02: 0x10 Length (speculation) This seems to be the number of the following bytes before the supposed 8-Bit CRC in the packet.
0x03: This byte had the value 0x06 so far, when there was non-zero (valid?) measurement data. Otherwise, when the laser was just started and measurement data was zero / invalid, this byte was 0x02 in my attempts.
0x04 - 0x06:??
0x07 - 0x0A: 32-bit floating point value (IEEE-754, little endian) representing the measured length in meters. In the example above case the byte sequence is 2C 43 9C 3E. The laser tape showed 0.305 meters when I did the measurement. Given that this is little endian, we reverse the byte order 0x3E9C432C and can feed it to an online converter (like this one):
https://www.h-schmidt.net/FloatConverter/IEEE754.html
0x3E9C432C gives a measurement of 0.305199980736
I did a few attempts with different distances and the result always matched the reading on the display of the GLM120C.
0x0B - 0x12: ?? These bytes have always been 0x00 in my case.
0x0C: CRC/Checksum?? Seems to be some additional non-standard 8-Bit CRC / Checksum. Can be ignored (BLE has its own CRC anyway).

There's a good chance that the same service is used on other Bosch laser tapes like the GLM50C.
Maybe this helps.

RE: Sniffing a Bosch laser tape 2

Sparkybert — Wed, 27 Oct 2021 14:27:52 GMT

Hi Dainius G,

your post was quite interesting. I scanned for BLE devices in my house and realized that there was a device with the 128 bit UUID you described here. I couldn't make out what it was until I found the service number in your post.

Thanks to you, I figured that my Bosch GLM120C is advertising ALTHOUGH IT IS TURNED OFF (advertising interval is 8 seconds)!! The only scenario I see, where this could make sense, is if you could (fully) turn on the GLM120C remotely via BLE.
I never notived a feature in the Bosch Measuring Master app, that would allow that. Anyway, there might be some hidden features (or bad design decisions).

Another thing I noticed is, that Bosch does not seem to do advertising manufacturer specific data (0xFF) in the right way. They seem to violate the standard and skip the mandatory 16 bit company identifier (0x02A6 for Robert Bosch GmbH) and send their data - the 48 bit BLE address - right away. There is an additional byte in the manufacturer specific data after the 48 bit address, which is 0x00 in my case.

I probably won't look deeper into the communication of the GLM120C. Anyway, good luck!

Regards,
Sparkybert

RE: Sniffing a Bosch laser tape 2

run_ar — Tue, 19 Oct 2021 07:37:15 GMT

Hi,

I am afraid we cannot help reverse engineering the custom protocol that the bosch laser is using...