Location Trackers

These little beacons are all over large department stores. They have low processing power, and are generally not network connected. They provide information about where shoppers are in the store, integrate with apps to show shoppers where to find products, count shopper metrics, and more.

Let's scan an estimote beacon with NRF Connect and read all characteristics.

V	10:40:13.668	Connecting to DB:09:98:7B:10:58...
D	10:40:13.668	gatt = device.connectGatt(autoConnect = false, TRANSPORT_LE, preferred PHY = LE 1M)
D	10:40:15.429	[Server callback] Connection state changed with status: 0 and new state: CONNECTED (2)
I	10:40:15.429	[Server] Device with address DB:09:98:7B:10:58 connected
D	10:40:15.456	[Callback] Connection state changed with status: 0 and new state: CONNECTED (2)
I	10:40:15.456	Connected to DB:09:98:7B:10:58
V	10:40:15.464	Discovering services...
D	10:40:15.464	gatt.discoverServices()
I	10:40:15.878	Connection parameters updated (interval: 7.5ms, latency: 0, timeout: 5000ms)
D	10:40:16.226	[Callback] Services discovered with status: 0
I	10:40:16.226	Services discovered
V	10:40:16.235	Generic Access (0x1800)
- Device Name [R] (0x2A00)
- Appearance [R] (0x2A01)
- Peripheral Preferred Connection Parameters [R] (0x2A04)
Generic Attribute (0x1801)
- Service Changed [I] (0x2A05)
   Client Characteristic Configuration (0x2902)
Unknown Service (6c372000-d2cc-11e4-9a1f-0002a5d5c51b)
- Unknown Characteristic [WNR] (6c372001-d2cc-11e4-9a1f-0002a5d5c51b)
- Unknown Characteristic [N W] (6c372002-d2cc-11e4-9a1f-0002a5d5c51b)
   Client Characteristic Configuration (0x2902)
- Unknown Characteristic [R] (6c372004-d2cc-11e4-9a1f-0002a5d5c51b)
Unknown Service (6c371000-d2cc-11e4-9a1f-0002a5d5c51b)
- Unknown Characteristic [N] (6c371002-d2cc-11e4-9a1f-0002a5d5c51b)
   Client Characteristic Configuration (0x2902)
- Unknown Characteristic [W WNR] (6c371001-d2cc-11e4-9a1f-0002a5d5c51b)
D	10:40:16.235	gatt.setCharacteristicNotification(00002a05-0000-1000-8000-00805f9b34fb, true)
D	10:40:16.237	gatt.setCharacteristicNotification(6c372002-d2cc-11e4-9a1f-0002a5d5c51b, true)
D	10:40:16.237	gatt.setCharacteristicNotification(6c371002-d2cc-11e4-9a1f-0002a5d5c51b, true)
I	10:40:16.326	Connection parameters updated (interval: 45.0ms, latency: 0, timeout: 5000ms)
V	10:40:18.902	Reading all characteristics...
V	10:40:18.902	Reading characteristic 00002a00-0000-1000-8000-00805f9b34fb
D	10:40:18.902	gatt.readCharacteristic(00002a00-0000-1000-8000-00805f9b34fb)
I	10:40:19.027	Read Response received from 00002a00-0000-1000-8000-00805f9b34fb, value: (0x) 65-73-74-69-6D-6F-74-65, "estimote"
A	10:40:19.027	"estimote" received
V	10:40:19.035	Reading characteristic 00002a01-0000-1000-8000-00805f9b34fb
D	10:40:19.035	gatt.readCharacteristic(00002a01-0000-1000-8000-00805f9b34fb)
I	10:40:19.120	Read Response received from 00002a01-0000-1000-8000-00805f9b34fb, value: (0x) 00-00
A	10:40:19.120	"[0] Unknown" received
V	10:40:19.125	Reading characteristic 00002a04-0000-1000-8000-00805f9b34fb
D	10:40:19.125	gatt.readCharacteristic(00002a04-0000-1000-8000-00805f9b34fb)
I	10:40:19.208	Read Response received from 00002a04-0000-1000-8000-00805f9b34fb, value: (0x) 80-00-A0-00-00-00-F4-01
A	10:40:19.208	"Connection Interval: 160.00ms - 200.00ms,
Slave Latency: 0,
Supervision Timeout Multiplier: 500" received
V	10:40:19.216	Reading characteristic 6c372004-d2cc-11e4-9a1f-0002a5d5c51b
D	10:40:19.216	gatt.readCharacteristic(6c372004-d2cc-11e4-9a1f-0002a5d5c51b)
I	10:40:19.297	Read Response received from 6c372004-d2cc-11e4-9a1f-0002a5d5c51b, value: (0x) 01-00
A	10:40:19.297	"(0x) 01-00" received
V	10:40:19.303	4 characteristics read
D	10:40:25.316	[Server callback] Connection state changed with status: 0 and new state: DISCONNECTED (0)
D	10:40:25.316	[Callback] Connection state changed with status: 19 and new state: DISCONNECTED (0)
I	10:40:25.316	[Server] Device disconnected
W	10:40:25.316	Connection terminated by peer (status 19)
I	10:40:25.316	Disconnected

Neat. We've got a basic name and a few interesting characteristics that don't provide much info on a read.

Quite a bit more happens when we open the estimote app:

Can we find any of this information in the NRF Connect debug log? Luckily NRF connect prompts us to debug the connection when it senses that the app is trying to connect.

Click "Yes and open" to see what's happening live in NRF Connect

Oh look! 34-2E-36-2E-31-6E-75. That looks a whole lot like a 4.6.1 version! 0x2E is hex for ascii period, 0x34 == 4, 0x36 == 6, 0x31 == 1. The 0x6E & 0x75 that follow may be significant or they may not. They translate as 'nu' in ascii. Let's see if we find anything about them later on.

Right after, we find a read response that matches the hardware version: F2.3

So, we know that the characteristic that estimote uses for software version is:

6c371002-d2cc-11e4-9a1f-0002a5d5c51b

and the characteristic used for hardware version:

6c371002-d2cc-11e4-9a1f-0002a5d5c51b

What's that you say? Those are the same UUID? Wow, I almost missed that. The app looks like it enables notifications on that char and then utilizes the responses sequentially. This makes it easy to pair up what we see from the responses with what we see in the app. Brilliant. The 00-02-00-00 and 00-03-00-00 are most likely indicators of the type of value. We could reverse the app to find out more. See section BLE & Android for more.

Let's try flipping the "Enable Accelerometer" toggle in the app.

TODO: remove the below, only use for snippets.

PreviousDevice CategoriesNextRideshare Beacon

Last updated

Was this helpful?