This year I had the opportunity to participate in the Google Summer of Code 2018 within the Debian organization. The project topic was the reverse engineering of Bluetooth Low Energy devices (at the level of “what data are sent and received during the communication”).
I wrote a rather general guide (not related to a single test device) on how to do this type of activity. In addition, I’ve created some scripts (and a deb package) to use the EQ3 Eqiva radiator valves without their Android/iOS application.
Here is a brief summary and some references to what has been produced.
Reverse Engineering Guide
The guide is available at this address.
Basically, it explains:
- BLE operating principles and the differences from classic Bluetooth
- how to enable logging on Android in order to observe the data exchanged
- how to analyze an Android application to better interpret the data identified
- BlueZ stack tools, used to communicate over Bluetooth on GNU/Linux systems
- examples of scripts working on real devices
This guide is intended to be an evolving project that gathers information on reverse engineering techniques and makes available work already done in this area. Take a look at the Contributions page!
EQ3 Eqiva Scripts
I created a deb package that provides a tool to send commands to and receive notifications from the EQ3 Eqiva radiator valves. Once installed, run the eq3eqiva command to get an overview of the available features.
- Protocol description
- Individual scripts: their documentation is included in the guide described above; it consists of two sections, Single Valve Management and Multiple Valve Management.
Laica PS7002 Scripts
I also did a partial reverse engineering of the protocol used by the Laica PS7002 smart BLE scale. Although I only managed to read the weight (out of the scale's various functions), the work has been included in this guide because it shows aspects that are not dealt with in other sections.