Sunday, December 4, 2011

Introduction to Bluetooth RFCOMM Reverse Engineering

by Travis Goodspeed <travis at>
with thanks to Alexei Karpenko

Spot Connect (cropped)

Reverse engineering a Bluetooth device is rather straightforward, but quite a few good neighbors don't know where to begin. This article demonstrates exactly how an Android client was reverse engineered in order to produce open source clients in Python and QT Mobility. I'm writing with the assumption that you are trying to reverse engineer your own device, which is similar but not identical to mine. As this is an introductory guide, I'll steer clear of any code reverse engineering, sticking only to network traffic.

The subject of this article is the Spot Connect, which transmits one-way text messages and GPS coordinates by L-band to the GlobalStar satellite constellation. These messages are then forwarded by email or SMS. Except in its emergency mode, the device is operated through Bluetooth by a smart phone. Thanks to Android's use of the Bluez bluetooth stack, it is rather easy to get the necessary traffic dumps.

Kind thanks are due to Alexei Karpenko (Natrium42) for his article on SPOT Reverse Engineering, which covers the original SPOT unit in excellent and thorough detail. It was his article that got me looking at the Spot Connect, and his description of the GPS format saved me quite a bit of travel for sample collection.

GlobalStar Beacon

Sniffing RFCOMM

The first step is to load the official client onto a rooted Android phone, in my case a Nexus S. I had to swap SIM cards as my Brazilian one put me in a region of the Android market that didn't have the application. Switching to a Swiss card fixed this, and a moment later the app was installing.

SPOT Connect

The Spot Connect uses RFCOMM, which is Bluetooth's alternative to a TCP socket or a UART. As it is easy to prototype and always delivers packets in order, RFCOMM has become the standard way of implementing custom protocols. To sniff the traffic before knowing the mode, we'll use hcidump running in a debugging shell of the phone. For this, run adb shell hcidump -X | tee spotlog.txt on your workstation, send a transmission, and watch the result in the log.

The message being sent stands out as ASCII, of course, so it's the first thing to look for. With no knowledge of the HCI protocol, you can still be sure that you have a cleartext recording.

HCIDump Screenshot

35 00 40 00 0b ef 63 aa 31 26 01 00 01 00 01 4d  5.@...c.1&.....M
72 2e 20 57 61 74 73 6f 6e 2c 20 63 6f 6d 65 20 r. Watson, come
68 65 72 65 2e 20 49 20 77 61 6e 74 20 74 6f 20 here. I want to
73 65 65 20 79 6f 75 2e 9a see you..

From Alexei's article, you can expect that frames inside of RFCOMM will begin with 0xAA, followed by a length, followed by a verb and the objects. These bytes will be wrapped in padding on the outbound end, and they'll be fragmented on the inbound end. Sure enough, these are the bytes that come before the word "Watson":

aa              Preamble
31              Length
26              Verb
01 00 01 00 01  Flags (OK, Check In)
4d 72 2e 20 57  ASCII Message (abbreviated)

Counting 0x31 bytes out, notice that the packet ends exactly on a byte of the ASCII message, without a checksum! By looking for bytes of AA and searching for length, with allowances for packet fragmentation and the RFCOMM wrapper, it becomes possible to decode every command and its matching response.

Be aware that responses will be fragmented more than transmissions. If you need to reverse engineer longer transactions or have a more complete log, it will be handy to have a script that reassembles the frames from the HCI records. In those cases, toss together a proper HCI decoder to get a more accurate interpretation of the records.
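The following is an added example, not code from the original article: a small Python decoder that pulls the raw bytes out of hcidump -X lines, discards the wrapper bytes ahead of each 0xAA preamble, and reassembles frames that were split across RFCOMM fragments. It assumes the layout derived above (0xAA, a length byte, a verb, then the objects) and, from the sample, that the length counts the whole frame including the preamble and the length byte itself (8 header bytes plus the 41-character message gives 0x31). The sample log is the four lines quoted above; the class and function names are my own.

```python
"""Decode Spot Connect RFCOMM frames out of an `hcidump -X` log.

Added example, not the article's own code. Assumes the frame layout the
article derives: 0xAA preamble, one length byte counting the whole frame,
a verb byte, then the objects.
"""
import re
from dataclasses import dataclass

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")

# Constructed sample: the four hcidump -X lines quoted in the article.
SAMPLE_LOG = """\
35 00 40 00 0b ef 63 aa 31 26 01 00 01 00 01 4d  5.@...c.1&.....M
72 2e 20 57 61 74 73 6f 6e 2c 20 63 6f 6d 65 20  r. Watson, come
68 65 72 65 2e 20 49 20 77 61 6e 74 20 74 6f 20  here. I want to
73 65 65 20 79 6f 75 2e 9a                       see you..
"""


@dataclass
class SpotFrame:
    verb: int
    body: bytes  # everything after the verb byte


def hexdump_bytes(log_text: str) -> bytes:
    """Pull the raw bytes out of hcidump -X lines, ignoring the ASCII column.

    Each line starts with at most 16 two-digit hex pairs; the first token that
    is not a hex pair marks the start of the ASCII gutter, so we stop there.
    """
    out = bytearray()
    for line in log_text.splitlines():
        for token in line.split()[:16]:
            if not HEX_PAIR.match(token):
                break
            out.append(int(token, 16))
    return bytes(out)


class SpotFrameScanner:
    """Stateful scanner: feed() arbitrary chunks, get back complete frames.

    Bytes before a 0xAA (the ACL/L2CAP/RFCOMM wrapper) are discarded, and a
    frame whose declared length exceeds the buffered bytes is held until the
    next fragment arrives. Caveat: a wrapper byte that happens to equal 0xAA
    would be mistaken for a preamble; a proper HCI decoder avoids that.
    """
    MIN_LEN = 3  # preamble + length + verb

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self.buf.extend(chunk)
        frames = []
        while True:
            start = self.buf.find(b"\xaa")
            if start < 0:
                self.buf.clear()  # only wrapper/trailer bytes left (e.g. the FCS)
                break
            del self.buf[:start]
            if len(self.buf) < 2:
                break  # length byte not here yet
            length = self.buf[1]
            if length < self.MIN_LEN:
                del self.buf[:1]  # not a real preamble; resync
                continue
            if len(self.buf) < length:
                break  # fragmented; wait for more
            frame = bytes(self.buf[:length])
            del self.buf[:length]
            frames.append(SpotFrame(verb=frame[2], body=frame[3:]))
        return frames


def decode_log(log_text: str) -> list:
    """Decode every complete frame found in one hcidump -X capture."""
    return SpotFrameScanner().feed(hexdump_bytes(log_text))


def describe(frame: SpotFrame) -> str:
    """One-line summary in the style of the article's byte table."""
    if frame.verb == 0x26:
        flags, msg = frame.body[:5], frame.body[5:]
        return "0x26 transmit flags=%s text=%r" % (flags.hex(), msg.decode("ascii", "replace"))
    return "0x%02x body=%s" % (frame.verb, frame.body.hex())


if __name__ == "__main__":
    for f in decode_log(SAMPLE_LOG):
        print(describe(f))
```

Run it over a full spotlog.txt rather than the sample and it will print one line per decoded command or response; feeding the scanner fragment by fragment is what lets it cope with replies that arrive split across several HCI records.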

Looking through the entire log, the protocol appears to be as follows. First, the client queries the Device ID with verb 0x01, using the exact same format as Alexei's article. Then it uses verb 0x25 to query the last known position of the device, which will be returned in the style that Alexei reverse engineered from the original unit. Use pen and paper to decode these transactions from my Python client.
Location Query

First Implementation

With these recordings in hand, the complete language can now be described and implemented. Luckily, three verbs make for a quick implementation!

I use py-bluez for prototyping such implementations, as its example is simple enough to get a working client in minutes. As py-bluez is specific to Linux, Mac users might prefer lightblue.

For simplicity, cut the UUID code or switch it to RFCOMM's UUID, which is 00001101-0000-1000-8000-00805F9B34FB. For a list of all services on a device, run 'sdptool records $adr'. This only lists those which are publicly announced by SDP, the Service Discovery Protocol. To scan for unadvertised services, try BT Audit from Collin Mulliner.

0x01 -- Get ID
A minimal test client will just test the serial number of the device. To do this, simply send "\xAA\x03\x01" and then catch the reply with verb 0x01. Bytes 3, 4, 5, and 6 of the reply will contain the serial number in Big Endian notation. For this first implementation, commands and their responses may be handled synchronously for simplicity.

Where self.tx() takes a frame as its input and returns the response, this is implemented in Python as the following. What could be simpler?

0x25 -- Get Last Position
Similar in calling convention, the 0x25 verb requests the last known GPS position of the device. The coordinate format is exactly the same as in Alexei Karpenko's Spot Hacking article, consisting of three bytes apiece to describe latitude and longitude. The following is my C++ code for parsing the position data, which has already been requested as "\xAA\x03\x25".


0x26 -- Transmit Text
Transmitting text is just as easy, with the Spot Connect handling all the work after a message has been loaded. The following is Python code to transmit a short text message with the OK message-code. This lacks length checks and doesn't support the changing of flags, but it will work perfectly well for a test.


After the device receives this command, it will reply with an acknowledgment and then begin to attempt transmissions at irregular intervals. Each transmission consists of a number of fragments, such that the packet can be reassembled so long as one copy of each fragment makes it through. If you have a clear view of the sky and have configured the first destination to be your email address, you should receive a notification within a few minutes. If you don't receive a notification by the time the mailbox icon has ceased blinking, then the transmission failed.
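As an added example, not the article's own client, here is a synchronous Python implementation of the 0x01 and 0x26 verbs as described above, with the length check the text says the original lacks. It assumes the frame layout derived earlier (0xAA, a length byte counting the whole frame, a verb, then the objects), that the device echoes the verb in its reply, and that a text frame carries the five flag bytes 01 00 01 00 01 seen in the sniffed log ahead of the ASCII message. FakeSpot is a constructed stand-in device so the code runs offline; RfcommTransport shows the same interface over a py-bluez socket, and all class and function names are mine.

```python
"""Minimal synchronous Spot Connect client for verbs 0x01 and 0x26.

Added example, not the article's own code. Assumes the frame layout the
article derives and the flag bytes seen in the sniffed 0x26 frame.
"""
import struct

RFCOMM_UUID = "00001101-0000-1000-8000-00805F9B34FB"
VERB_GET_ID = 0x01
VERB_GET_POSITION = 0x25
VERB_TRANSMIT = 0x26
FLAGS_OK_CHECKIN = b"\x01\x00\x01\x00\x01"  # flag bytes seen in the sniffed log
MAX_FRAME = 0xFF  # the length is a single byte and counts the whole frame


def build_frame(verb: int, body: bytes = b"") -> bytes:
    """aa <len> <verb> <body>, where len counts the whole frame."""
    length = 3 + len(body)
    if length > MAX_FRAME:
        raise ValueError("frame body too long for a one-byte length: %d" % len(body))
    return bytes([0xAA, length, verb]) + body


def build_text_frame(message: str, flags: bytes = FLAGS_OK_CHECKIN) -> bytes:
    """Verb 0x26: flags followed by the ASCII message (non-ASCII raises)."""
    return build_frame(VERB_TRANSMIT, flags + message.encode("ascii"))


def parse_serial(reply: bytes) -> int:
    """Bytes 3..6 of the 0x01 reply hold the serial number, big endian."""
    if len(reply) < 7 or reply[0] != 0xAA or reply[2] != VERB_GET_ID:
        raise ValueError("not a Get ID reply: %s" % reply.hex())
    return struct.unpack(">I", reply[3:7])[0]


class FakeSpot:
    """Constructed stand-in for the device; its replies arrive fragmented,
    as the real unit's do in hcidump. Reply contents beyond the serial
    number are an assumption of this example."""
    def __init__(self, serial: int, fragment: int = 4):
        self.serial, self.fragment = serial, fragment
        self.pending = b""
        self.sent = []

    def send(self, data: bytes):
        self.sent.append(data)
        verb = data[2]
        if verb == VERB_GET_ID:
            self.pending += build_frame(VERB_GET_ID, struct.pack(">I", self.serial) + b"\x00\x00")
        else:
            self.pending += build_frame(verb)  # bare acknowledgment echoing the verb

    def recv(self, n: int) -> bytes:
        take = min(n, self.fragment)
        chunk, self.pending = self.pending[:take], self.pending[take:]
        return chunk


class RfcommTransport:
    """py-bluez socket with the same send/recv interface (import deferred so
    the example still runs where py-bluez is not installed)."""
    def __init__(self, addr: str, port: int = 1):
        import bluetooth
        self.sock = bluetooth.BluetoothSocket(bluetooth.RFCOMM)
        self.sock.connect((addr, port))

    def send(self, data: bytes):
        self.sock.send(data)

    def recv(self, n: int) -> bytes:
        return self.sock.recv(n)


class SpotClient:
    def __init__(self, transport):
        self.t = transport

    def _read(self, n: int) -> bytes:
        chunk = self.t.recv(n)
        if not chunk:
            raise ConnectionError("device closed the link mid-reply")
        return chunk

    def tx(self, frame: bytes) -> bytes:
        """Send one frame and reassemble the reply from however many
        fragments it arrives in, using its own length byte."""
        self.t.send(frame)
        buf = b""
        while len(buf) < 2 or len(buf) < buf[1]:
            buf += self._read(64)
        return buf[:buf[1]]

    def get_id(self) -> int:
        return parse_serial(self.tx(build_frame(VERB_GET_ID)))

    def transmit_text(self, message: str) -> bool:
        reply = self.tx(build_text_frame(message))
        return reply[2] == VERB_TRANSMIT


if __name__ == "__main__":
    client = SpotClient(FakeSpot(serial=0x0A0B0C0D))
    print("serial 0x%08x" % client.get_id())
    print("ack:", client.transmit_text("Mr. Watson, come here. I want to see you."))
```

Against a real unit, replace FakeSpot with RfcommTransport("<device address>") and the rest is unchanged; the reassembly in tx() is what keeps a reply split across several RFCOMM fragments from being mistaken for a short frame.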

Other Verbs
These three verbs, 0x01, 0x25, and 0x26, are sufficient to implement a minimal client for the Spot Connect. If you'd care to help out, it would be useful to have more documentation for the flags of the 0x26 verb, as well as documentation for 0x52, 0x40, and 0x38. By scanning and listening for error codes, it should be possible to get a complete list of those verbs that are unused by the Android application.

You can find my Python client at . It ought to run as-is on Linux with py-bluez, including the Nokia N900.

A Graphical Client

Now that the protocol has been sufficiently well documented to have a Python implementation, it is worthwhile to rewrite it as a GUI. In my case, I wanted a QT Mobility client for my Nokia N9. You can find my work in progress at

Pacific Ocean

Other Methods

If hcidump isn't available for your platform, you might try Sniffing with a USRP or reflashing a dongle to become a commercial sniffer. For a jailbroken iPhone, see the iPhone Wiki's documentation.

Another option would be to create a Bluetooth proxy, relying on the slim authentication performed in the protocol. In this case, the proxy would open all relevant ports to the device being reverse engineered, ferrying commands back and forth as a way to record them. You might also need to experiment with changing the device class and, in the case of iOS devices, there is also a lockout sequence that must be implemented.

If none of that works for your device, you could sniff the UART lines that come from the bluetooth module, shown here on the left board. This particular module happens to be a BT23, and Page 8 of BT23_Datasheet.pdf shows that pins 14 and 13 should be tapped to get a communications log.
SPOT Connect

As a last resort, you could always ask for documentation. I didn't bother with this because of my own impatience, but for some devices, such as the Metawatch, documentation is freely available. More than once, a vendor has been so kind as to give me the source code or documentation just to be neighborly.

Future Work

This article will be followed with one on the physical layer protocol of the SPOT, which I've been able to sniff thanks to some kind help from Michael Ossmann. For a preview of that technique, you are welcome to stalk my SPOT Connect Set on Flickr. The most neighborly of these shows individual bits from a FunCube Dongle recording of the transmission. It's cleartext, of course.
Bits from SPOT Connect

Replacement firmware is also a possibility. The Spot Connect uses an MSP430F5xx microcontroller with the standard USB bootloader, using a Java client on Windows and an Objective C client on OS X. The firmware itself is downloaded by HTTPS, and a copy could be acquired either by a MITM attack on HTTPS or by asking the bootloader politely, using the password that is to be found within the firmware update. Be careful when doing this to test on a unit without a service contract, as service cannot be moved from one unit to another and bricking is a distinct possibility.


I hope that this article has given you a decent overview of the methods for reverse engineering Bluetooth RFCOMM devices. While my subject was the Spot Connect, these methods would apply equally well to something like a GPS, the Metawatch, Bluetooth chat applications, and multiplayer games. Other brands of Bluetooth satellite communicators are available, and open documentation for them would be quite handy. For a list of a few thousand potential targets, search the Bluetooth SIG's Gadget Guide.


sp00nix said...

That GPS plot on the map is only a few miles from me!

Nice write up as well!

Doctor Who said...

Remarkable idea. Also worth trying out, for my own work. However your reference regarding reflashing a dongle, which is next to the one on sniffing using a USRP device is now broken. It seems the location is no longer active.

Cougar said...

Looks like original is removed from the internet. Use Google and you can find some mirrors still providing this paper

loid said...

I've started reading your blog and have a special request. Is it possible to get the goodfet software running on a MSP430 dip chip, like the new ones TI have coming out? This would be very neighborly to those of us who are just getting started, can't solder and who suffer from shaky hands. There are readily available breakout boards for FTDI but I have not seen any for the chips that your goodfet uses.

Thank you kindly....

PS. Not very many people have the talent, skills or patience of Mr. Ossmann. Dips are around for a reason....

Travis Goodspeed said...

Howdy Loid,

TI doesn't seem to offer an MSP430 in DIP packaging with enough room for the full GoodFET firmware, but there is an AVR port in the works that runs on a DIP. We should have boards available in three or four months.


omni5cience said...

Just stumbled on to this post, the reference to reflashing a dongle has moved to


James Jarvis said...

Should the latitude decoding algorithm check to see if latitude is > 90 before setting it negative? Your code listing shows that as a > 45 test.



Nexus said...

I method and the conclusion section for Bluetooth module completes the process understanding thanks mate

ulrichard said...

Great post! I have yet to try it. But first I have to activate my device, which is not possible as long as I can't update the firmware.
Did you figure out how to update the firmware on linux? When I try to run the jar from the Windows updater, I get an exception Method)
Well, it comes with some native dll's. Bummer!
