Fun with BLE - Command Line

hcitool & gatttool

Find all of the devices sending advertisements nearby:

$ sudo hcitool lescan
LE Scan ...
66:EA:DA:00:26:6F (unknown)
66:EA:DA:00:26:6F LUCI
10:0F:89:B2:80:F7 (unknown)
D0:26:0D:67:8A:60 (unknown)
EA:D8:D1:B3:07:11 (unknown)
CD:23:0A:64:87:5D (unknown)
CD:23:0A:64:87:5D (unknown)
66:EA:DA:00:0F:2B LUCI-66EADA000F2B
66:EA:DA:00:0F:2B (unknown)
C0:05:04:03:02:01 (unknown)

In this guide, we'll be looking at the MPOWERD Luci Connect light.

Once you've selected your target, you can check out all of the services:

$ sudo gatttool -b 66:EA:DA:00:0F:2B --primary
attr handle = 0x0001, end grp handle = 0x0009 uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle = 0x000c, end grp handle = 0x000f uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle = 0x0010, end grp handle = 0x0016 uuid: 0000180a-0000-1000-8000-00805f9b34fb
attr handle = 0x0017, end grp handle = 0x0024 uuid: 0000fef5-0000-1000-8000-00805f9b34fb
attr handle = 0x0025, end grp handle = 0x003a uuid: e4490001-60c7-4baa-818d-235695a2757f
attr handle = 0x003b, end grp handle = 0x003e uuid: 4179fd5d-ba39-4a8a-9305-dc1b3a493c41
attr handle = 0x003f, end grp handle = 0x0042 uuid: 00001805-0000-1000-8000-00805f9b34fb

And then the characteristics:

 $ sudo gatttool -b 66:EA:DA:00:0F:2B --characteristics
handle = 0x0002, char properties = 0x02, char value handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb
handle = 0x0004, char properties = 0x02, char value handle = 0x0005, uuid = 00002a01-0000-1000-8000-00805f9b34fb
handle = 0x0006, char properties = 0x0a, char value handle = 0x0007, uuid = 00002a02-0000-1000-8000-00805f9b34fb
handle = 0x0008, char properties = 0x02, char value handle = 0x0009, uuid = 00002a04-0000-1000-8000-00805f9b34fb
handle = 0x000d, char properties = 0x20, char value handle = 0x000e, uuid = 00002a05-0000-1000-8000-00805f9b34fb
handle = 0x0011, char properties = 0x02, char value handle = 0x0012, uuid = 00002a26-0000-1000-8000-00805f9b34fb
handle = 0x0013, char properties = 0x02, char value handle = 0x0014, uuid = 00002a28-0000-1000-8000-00805f9b34fb
handle = 0x0015, char properties = 0x02, char value handle = 0x0016, uuid = 00002a50-0000-1000-8000-00805f9b34fb
handle = 0x0018, char properties = 0x0a, char value handle = 0x0019, uuid = 8082caa8-41a6-4021-91c6-56f9b954cc34
handle = 0x001a, char properties = 0x0a, char value handle = 0x001b, uuid = 724249f0-5ec3-4b5f-8804-42345af08651
handle = 0x001c, char properties = 0x02, char value handle = 0x001d, uuid = 6c53db25-47a1-45fe-a022-7c92fb334fd4
handle = 0x001e, char properties = 0x0a, char value handle = 0x001f, uuid = 9d84b9a3-000c-49d8-9183-855b673fda31
handle = 0x0020, char properties = 0x0e, char value handle = 0x0021, uuid = 457871e8-d516-4ca1-9116-57d0b17b9cb2
handle = 0x0022, char properties = 0x12, char value handle = 0x0023, uuid = 5f78df94-798c-46f5-990a-b3eb6a065c88
handle = 0x0026, char properties = 0x1a, char value handle = 0x0027, uuid = e4490002-60c7-4baa-818d-235695a2757f
handle = 0x0029, char properties = 0x1a, char value handle = 0x002a, uuid = e4490003-60c7-4baa-818d-235695a2757f
handle = 0x002c, char properties = 0x1a, char value handle = 0x002d, uuid = e4490004-60c7-4baa-818d-235695a2757f
handle = 0x002f, char properties = 0x1a, char value handle = 0x0030, uuid = e4490005-60c7-4baa-818d-235695a2757f
handle = 0x0032, char properties = 0x1a, char value handle = 0x0033, uuid = e4490006-60c7-4baa-818d-235695a2757f
handle = 0x0035, char properties = 0x1a, char value handle = 0x0036, uuid = e4490007-60c7-4baa-818d-235695a2757f
handle = 0x0038, char properties = 0x1a, char value handle = 0x0039, uuid = e4490008-60c7-4baa-818d-235695a2757f
handle = 0x003c, char properties = 0x12, char value handle = 0x003d, uuid = 7696f3b1-7a80-4788-ba55-3e8da28256f8
handle = 0x0040, char properties = 0x1a, char value handle = 0x0041, uuid = 00002a2b-0000-1000-8000-00805f9b34fb

And, we can see a list of the descriptors:

$ sudo gatttool -b 66:EA:DA:00:26:6F --char-desc
handle = 0x0001, uuid = 00002800-0000-1000-8000-00805f9b34fb
handle = 0x0002, uuid = 00002803-0000-1000-8000-00805f9b34fb
handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb
handle = 0x0004, uuid = 00002803-0000-1000-8000-00805f9b34fb
handle = 0x0005, uuid = 00002a01-0000-1000-8000-00805f9b34fb
handle = 0x0006, uuid = 00002803-0000-1000-8000-00805f9b34fb
handle = 0x0007, uuid = 00002a02-0000-1000-8000-00805f9b34fb

Let's choose a characteristic and read it's value. 2a26 is the Device Information Firmware Revision String characteristic. The "short version" 4 characters are the 5th-8th bytes of the UUID. We can query this characteristic by using its "char value handle" - 0x0012 in this case. And, we can see our firmware version.

The characteristic output from gatttool can be confusing.

handle: This is the handle of the descriptor

char properties: This indicates the type of characteristic properties and is a bitfield. See table below

char value handle: This is the handle to use for the characteristic itself

uuid: this is the UUID associated with the characteristic

 $ sudo gatttool -b 66:EA:DA:00:26:6F --char-read -a 0x0012
Characteristic value/descriptor: 76 5f 31 2e 31 2e 33
 $ sudo gatttool -b 66:EA:DA:00:26:6F --char-read -a 0x0012 | cut -d":" -f2 | xxd -r -p && echo -e
v_1.1.3

Here we're using the handle to identify the characteristic. If we used gatttools '-I' option to enter Interactive Mode, we can read via the char's UUID with the 'char-read-uuid' command. Options.

Can we change the version? How do we write to the char?

 $ sudo gatttool -b 66:EA:DA:00:0F:2B --char-write-req -a 0x0012 -n v_1.0.1
Characteristic Write Request failed: Attribute can't be written

Nope. Let's try something else. I've been looking at this device for a while, and the app apk indicates that 02 indicates whether the device is awake and 03 controls the brightness. So, we can grep for the end part of the service UUID to find all characteristics that match and find the 02 and 03 chars.

 $ sudo gatttool -b 66:EA:DA:00:26:6F --characteristics  | grep -i 60C7-4BAA-818D-235695A2757F
handle = 0x0024, char properties = 0x0a, char value handle = 0x0025, uuid = e5440002-60c7-4baa-818d-235695a2757f
handle = 0x0026, char properties = 0x12, char value handle = 0x0027, uuid = e5440003-60c7-4baa-818d-235695a2757f
 $ sudo gatttool -b 66:EA:DA:00:26:6F --char-read -a 0x0025
Characteristic value/descriptor: 00 09 06 00 00 00
 $ sudo gatttool -b 66:EA:DA:00:26:6F --char-read -a 0x0027
Characteristic value/descriptor: 00 09 06 57 00 00

Looking at the output, it looks like there's some sort of 3 byte preamble (00 09 06) followed by a 3 byte value. If the 02 char is actually an awake indicator, maybe we can turn it on and off.

$ sudo gatttool -b 66:EA:DA:00:26:6F --char-write-req -a 0x0025 -n 000906000001
Characteristic value was written successfully
$ sudo gatttool -b 66:EA:DA:00:26:6F --char-read -a 0x0025
Characteristic value/descriptor: 00 09 06 00 00 01

Success. (disclaimer: This didn't actually turn off the light)

PreviousFun with BLE NextFun with BLE - python

Last updated 5 years ago

hashtaghcitool & gatttool

hcitool & gatttool