My journey towards Reverse Engineering a Smart Band — Bluetooth-LE RE

Arun M Magesh
Jan 7, 2018 · 9 min read

Hello Security and Maker enthusiastic, After my first blog on how I reversed the Bluetooth smart massage. I have been busy with other pen-tests. Finally I am free and I am going to write about my recent reverse engineering experience a smart band. Smart band has been a important fashion statement for people which helps people in measuring their heart rate or tracking their steps or find calorie they have burnt and obviously to finally look at your hand for time and not the smartphone.

Image for post
Image for post

So the smart band which I have got is a Chinese manufacturer, but they are not dead cheap. I got this one for around 25$(2 weeks of waiting) which is almost close to 30$ Mi Band 2. I got the device from banggood, which is something I trust if I want to buy something which is not available in my country.

You can buy this smart band at here

So let’s talk about the features of the device before i talk about reverse engineering it.

I would like to get help from it’s marketing posters to understand the features of the smart device.

Image for post
Image for post

Ahh! They didn’t mention anything about the ability to see the time.

Now let’s look into the hardware specification which they have mentioned in their marketing posture.

Image for post
Image for post
Technical Specifications

Nordic uhh?? I guess it will be the classic NRF51xx or if i am lucky it will be NRF52xx and MC3413-P is a 3-Axis Accelerometer from mCubemems.

If you notice carefully at the Outdoor feature, it clearly says that the sensor like weather, altitude or UV sensor is being sent from the smart phone via Bluetooth and not from the on-board sensor. Nice idea. They have a HRM(Heart rate) which works on Photoplethysmogram(biomedical words)

It has a 130mah battery. It works solidly for a week. Power management is amazing which I really liked in this smart band compared to my pebble which works for 3-4 days.

Now let’s talk about the device functionality.

Yes. the first part is all about how the device actually pairs to the phone. The answer is YES. There is no pairing method, it just connects. So it means anyone with the app or a Bluetooth stick can sniff or read and write to the device.

Now let’s look at the app functionality.

  1. App lets you pair with the device(without any security).

2. App lets you send phone notification to the watch.

3. App can track the band and create a gentle vibration

4. App can synchronise the time and other weather information

5. App can retrieve weather information from the internet and send it to the watch

6. App can read heart rate and other medical parameter like SpO2 and mmHg.

These are the basic operations that the app can do. Few other features like setting timer to read heart rate and other. I would like to keep it simple and reverse these operation in the devices and control the device.

If you want to understand the basics of Bluetooth , using GATTool and using GATTacker i would suggest you view Github repo or my previous post

Now let’s use GATTool and read what are the type of service and characteristics is running in the watch.

We got the Bluetooth address

Image for post
Image for post
lescan output

After waiting I found out that the GATTool wasn’t able to connect to the device.

Image for post
Image for post
gattool output

After having a long conversation with the @slawekja . I came to realise that I need to use random addressing in the GATTool which changes the parameter of the BD address so the watch can understand that it is connecting to a phone and not a computer.

Image for post
Image for post

YaaaY!! It is now connected. Now let’s see all the characteristics and services that is being run in the devices.

Image for post
Image for post

Now we know there are lot of non Bluetooth SIG services that is being run in the device.

Now we need to identify how and when the data is being transmitted to the device and vice versa.

Now start the GATTacker in advertisement mode and analyse the data sets.

Image for post
Image for post

Now initialise the app and connect to the Watch.

Once i have connected the watch to the device I could see a large number of data is being transmitted and the watch synchronizes all the data whenever a device gets paired.

Image for post
Image for post

First step is to find which handle the data is being written. The app is sending a Write request to “c3e6fea1e96610008000be99c223df6a” which has a handle “0x0011” as shown in the GATTool and the device sends back confirmation by using a Notification handle which is “c3e6fea2e96610008000be99c223df6a”

Data Format:

Now let’s look at few chunk of data

Image for post
Image for post
Initial datasets

Now I started replaying these commands back to see how it affect. To my luck the data inside the device got synchronised with these data.but now the question is what are the data? and where are these data being present?

I started doing trial and error on these by manipulating individual byte and see the different.

Let’s group the data into 1 byte for better understanding of the packet.

Image for post
Image for post
First two data sets

Let’s take the second packet and analyse.

ba 20 → Looks same in all packets It should be a header.

00 → Looks like some sort of data separator or padding.

0c →This is the data length.

00 → IDC

1e → I am just guessing it is a CRC. Happy to get any feedback

00 →IDC

01 → It looks like a Packet counter.

02 → It could be the type of data that it is sending.

00 → IDC

07 → The data begins

* IDC → I dont care

Clock Data:

Since it is a smart band let’s first reverse the clock data .

To analyse the data. I started sending one data set at a time and started checked if that is changing the time.

Voila! The second dataset actually controls the time that is being displayed in the band.

Now i started manipulating individual bytes to understand the data format

“ba20-000c-001e-0001-0200-2000-07-11-0c-06-16-29-16 01”

ba20 →Header

000c →Data size

001e →CRC

0001 →Packet counter

0200 →Data Header

2000 →Data header

07 →IDC

11 →Year

0c →Month

06 →date

16 →Hour

29 →Minute

16 →Seconds

01 →IDC

The script i used to send random data to the time parameter can be found in the Github repo.

Camera and Find Data:

Now the Find band and Camera mode is obviously easy. Just capture and replay. It doesn’t have much functionality to play around.

“ba20-0006-00ec-006b-0400-46000101" → Camera

“ba20-0005-0040-0068-0500-500000” → Find

Weather Data:

Now let’s go forward and reverse the weather parameter.

By analysing the 6th dataset.


ba20 →Header

000b →Packet size

004c →CRC

0005 →Packet counter

0300 →Data header

3000 →Data header

06 →IDC

13 →High temperature

1c →Low Temperature

02 →Weather mode

15 →IDC

1d →IDC

02 →IDC

The script to randomise this parameter can be found in the Github repo.

Outdoor Data:

Now if you remember, we talked about few features that the device has which is being synchronized by the app and not a sensor in the band.


ba20 →Header

000a →Packet length

0008 →CRC

0000 →Packet counter

0e00 →Data header

e100 →Data header

05 →IDC

03 →UV level

F4 →Pressure second byte

03 →Pressure first byte

7a →Altitude second byte

00 →Altitude first byte

The script to randomise these parameter can be found in the Github repo.

Notification data:

Now comes my favourite part. We can send notification to the band like call or msg or other notification.

Now let’s understand the data.

Whenever my phone send a notification a huge chunk of data is being transmitted. Yes. Everything is in plain text.

Image for post
Image for post










ba20 →Header

008e →Packet length

00c0 →CRC

0000 →Packet counter

0600 →Data Header

6000 →Data Header

89 →When i modify it, i can increment the length of the data that is being printed.

01 →Type of notification

Fffe** —> Data starts and has 00 in between each byte.

Which performing a sort of fuzzing in the Type of notification i get to see lot of digits and symbols which is inside the flash memory. Maybe like bufferoverflow.

This makes me wonder, If someone can intercept any confidential information from the phone like OTP or password and other information.

Reading Heart Rate:

I think it is enough talking about how to write data to the data. Now let’s talk about reading data from the device like reading HRM or Blood oxygen and displaying it.

Sniff the communication when hrm is enabled and you see that the notifucation handle sends the hrm. Similar for other levels.

Image for post
Image for post

Lets analyse the data again.

Since it is just one parameter, i can just look at the data and identify the value


ba300006002400000a00ab0001 →IDC

4d →Heart rate

Now use this script found in the Github repo to subscribe to the handle and read the notifications and decode it.

Now you can try the same for Sp02 and mmHg and read it similarly.

Something weird i noticed when it comes to Firmware update. It uses a Nordic SoftDevice OTA to flash it. Write 0x42 in 0x0011 handle and the device goes into OTA mode and user can flash any firmware package. Literally and it is mentioned in one their seller’s site.

In this process, I felt like i should create a tool where people can fuzz individual bytes and monitor changes. It is very minimalist. You can check it out here.

I think I have done my part of the research in reverse engineering the smartband. I haven’t done much on the android app, just basic ones.

Few hardware internal pics to make you curious.

Image for post
Image for post
Inside the hood
Image for post
Image for post
SQI Test pads
Image for post
Image for post
UART pads
Image for post
Image for post
SWD pads
Image for post
Image for post
nrf51822 SoC
Image for post
Image for post
Some flash

I really like this smart band. I don’t want to open it. :( anyway I will do a another blog on it’s hardware components and how to assess the hardware security of this device.

Please feel free to contribute/collaborate and exploit it furthermore.

Happy Hacking…

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store