Reverse Engineering BLE Devices

The following documentation is intended as a guide to reverse engineering of BLE (Bluetooth Low Energy) devices. The idea is to provide information about BLE, how to identify the protocol used by the devices and how to create shell scripts to communicate with them.

To do this, the guide is based on examples applied to devices currently on the market. As explained in the Contributions section, this document is intended to be an evolving project, gathering information on reverse engineering techniques and making available work already done in this area.

Notes (GSoC 2018)

This guide comes from a project of GSoC 2018 and takes as a starting point a work done on radiator valves. These systems have become increasingly important in recent years, especially in some countries where they have been made mandatory by law. This led to the production of various models programmable using a smartphone application coupled with the BLE protocol. At the moment all the products on the market use proprietary communication protocols to exchange essential data with the application, making it difficult to integrate these devices into external open-source projects. For this reason the University of Milan has successfully reverse-engineered a protocol and released the necessary code to use it under a GPL license. An English translation of the code can be found here.

The project aims to use what has already been produced to:

  • write a reverse-engineering guide for BLE devices as general as possible
  • design a mechanical device to test the valves without a radiator
  • port the library to a more modern language in an attempt to integrate it into projects such as openhab or home-assistant and create a Debian package

A detailed description of the deliverables and the time schedule is available here, and a brief weekly report is available here.