This year I had the opportunity to participate in the Google Summer of Code 2018 within the Debian organization. The project topic was the reverse engineering of Bluetooth Low Energy devices (at the level of “what data are sent and received during the communication”).

I wrote a rather general guide (not related to a single test device) on how to do this type of activity. In addition, I’ve created some scripts (and a deb package) to use the EQ3 Eqiva radiator valves without their Android/iOS application.

Here is a brief summary and some references to what has been produced.

Reverse Engineering Guide

The guide is available at this address.

Basically, it explains:

  • BLE operating principles and the differences compared to classic Bluetooth
  • how to enable logging on Android in order to observe the data exchanged
  • how to analyze an Android application to better interpret the data identified
  • BlueZ stack tools, used to communicate via Bluetooth on GNU/Linux systems
  • examples of scripts working on real devices
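The second and fourth points are where most of the work happens: the HCI snoop log Android writes is a btsnoop file, and the interesting part of it is the ATT traffic (writes sent by the app, notifications sent back by the device). The following script is an added example, not part of the guide or of the project's scripts: it parses the btsnoop container, keeps only ACL packets on the ATT L2CAP channel, and lists each operation with its direction, attribute handle and value. The sample capture it builds at the bottom is constructed for the demonstration; the packet layouts are real, but the handles (0x0411, 0x0421) and values are made up and belong to no particular device.

```python
"""Pull ATT operations out of a btsnoop HCI log (the format Android's
Bluetooth HCI snoop log is written in). Added example; the sample
capture at the bottom is constructed, not a real device trace."""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002            # HCI UART (H4): a packet-type byte precedes each packet
H4_COMMAND, H4_ACL = 0x01, 0x02
L2CAP_CID_ATT = 0x0004
L2CAP_CID_SMP = 0x0006

ATT_OPCODES = {
    0x0A: "Read Request", 0x0B: "Read Response",
    0x12: "Write Request", 0x13: "Write Response",
    0x1B: "Handle Value Notification", 0x1D: "Handle Value Indication",
    0x52: "Write Command",
}
# PDUs whose first field after the opcode is a 16-bit attribute handle
OPCODES_WITH_HANDLE = {0x0A, 0x12, 0x1B, 0x1D, 0x52}


@dataclass
class AttRecord:
    direction: str        # "host->controller" (app writes) or "controller->host" (device replies)
    timestamp_us: int     # raw btsnoop timestamp (microseconds since 0000-01-01)
    opcode: int
    name: str
    handle: Optional[int]
    value: bytes


def iter_btsnoop_records(blob: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (flags, timestamp, packet bytes) per record; btsnoop header fields are big-endian."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack_from(">II", blob, 8)
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version {version} / datalink {datalink}")
    off = 16
    while off + 24 <= len(blob):
        _orig_len, incl_len, flags, _drops, ts = struct.unpack_from(">IIIIq", blob, off)
        off += 24
        yield flags, ts, blob[off:off + incl_len]
        off += incl_len


def parse_att_pdu(pdu: bytes):
    opcode = pdu[0]
    name = ATT_OPCODES.get(opcode, f"opcode 0x{opcode:02x}")
    if opcode in OPCODES_WITH_HANDLE and len(pdu) >= 3:
        return opcode, name, struct.unpack_from("<H", pdu, 1)[0], pdu[3:]
    return opcode, name, None, pdu[1:]


def extract_att(blob: bytes) -> List[AttRecord]:
    """Keep only ACL packets whose L2CAP channel is ATT (CID 4); HCI commands,
    events, SMP traffic and continuation fragments are noise for this purpose."""
    out = []
    for flags, ts, pkt in iter_btsnoop_records(blob):
        if len(pkt) < 9 or pkt[0] != H4_ACL:       # 1 + 4 (ACL header) + 4 (L2CAP header)
            continue
        handle_flags, _acl_len = struct.unpack_from("<HH", pkt, 1)
        if (handle_flags >> 12) & 0x3 == 0b01:       # continuation fragment: no L2CAP header
            continue
        l2cap_len, cid = struct.unpack_from("<HH", pkt, 5)
        pdu = pkt[9:9 + l2cap_len]
        if cid != L2CAP_CID_ATT or not pdu:
            continue
        direction = "controller->host" if flags & 1 else "host->controller"
        opcode, name, handle, value = parse_att_pdu(pdu)
        out.append(AttRecord(direction, ts, opcode, name, handle, value))
    return out


# --- constructed sample capture: the layouts are real, the handles and values are made up ---
def _h4_acl(conn_handle: int, pb: int, cid: int, payload: bytes) -> bytes:
    l2cap = struct.pack("<HH", len(payload), cid) + payload
    hdr = struct.pack("<HH", (conn_handle & 0x0FFF) | (pb << 12), len(l2cap))
    return bytes([H4_ACL]) + hdr + l2cap


def build_sample_log() -> bytes:
    recs = [
        # HCI_Reset command; flags bit 1 = command/event, bit 0 = 0 means sent by the host
        (0b10, 1_000, bytes([H4_COMMAND]) + struct.pack("<HB", 0x0C03, 0)),
        # the app writes a made-up 2-byte value to handle 0x0411 with an ATT Write Command
        (0b00, 2_000, _h4_acl(0x0040, 0b00, L2CAP_CID_ATT,
                              bytes([0x52]) + struct.pack("<H", 0x0411) + bytes.fromhex("4380"))),
        # pairing traffic on the SMP channel: must be ignored
        (0b01, 3_000, _h4_acl(0x0040, 0b10, L2CAP_CID_SMP, bytes.fromhex("010300000f0f"))),
        # the device answers with a notification on handle 0x0421
        (0b01, 4_000, _h4_acl(0x0040, 0b10, L2CAP_CID_ATT,
                              bytes([0x1B]) + struct.pack("<H", 0x0421) + bytes.fromhex("020100"))),
    ]
    body = b"".join(struct.pack(">IIIIq", len(d), len(d), f, 0, t) + d for f, t, d in recs)
    return BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4) + body


if __name__ == "__main__":
    for r in extract_att(build_sample_log()):
        h = f"0x{r.handle:04x}" if r.handle is not None else "-"
        print(f"{r.timestamp_us:>8} {r.direction:<18} {r.name:<26} handle={h} value={r.value.hex()}")
```

Point `extract_att` at the bytes of a real btsnoop_hci.log instead of `build_sample_log()` and the output is the write/notification timeline you then correlate with what the app was doing at each moment; the handles are what you later pass to the BlueZ tools, and the values are the bytes whose meaning the decompiled application explains.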

This guide is intended to be an evolving project, in which to gather information on reverse engineering techniques and to make available work already done in this area. Take a look at the Contributions page!

EQ3 Eqiva Scripts

EQ3 Eqiva (source)

I created a deb package that provides a tool to send commands and receive notifications from the EQ3 Eqiva radiator valves. Once installed, run the eq3eqiva command to get an overview of the available features.

Other utilities:

Laica PS7002 Scripts

Laica PS7002 (source)

I also did a partial reverse engineering of the protocol used by the Laica PS7002 smart BLE scale. Although I only managed to read the weight (despite the scale's various functions), the work has been included in the guide because it shows aspects that are not dealt with in the other sections.

Utilities: