Echo Buttons teardown: no Bluetooth Low Energy?
As you may or may not know, I’m a big fan of of wireless buzzer buttons. I once built some myself and actually tried releasing them through Kickstarter, but failed. We were too focused on the hardware rather than showing our games. We learned some valuable lessons from that experience, but the project currently sits on my shelf.
Anyway, I was stumped as Amazon announced they were going to sell wireless buzzer buttons! If I could repurpose them, I could use the Amazon Buttons with my software. That would lower my costs significantly and I could get the project running again (building software only). I had to get my hands on some.
After ordering them via Amazon.co.uk and shipping them through Borderlinx to Belgium, I finally had the chance to ‘play’ with them. By ‘play’, I mean screwing them open and see what’s inside :-)
As you can see, the buttons don’t have a real “click” mechanism: just 3 soft touch points. Hitting the button doesn’t give as much satisfaction as I hoped.
Now how can I connect them to my own trivia software instead of the Amazon Echo? I thought they were going to show up on LightBlue, a BLE (Bluetooth Low Energy) scanner for iOS, but they didn’t. What, are these not Bluetooth buttons? Looking up their FCC ID revealed that they are indeed using Bluetooth but its not clear what version or protocol.
Sniffing the Echo Buttons
To figure out what nifty, do-not-connect-to-our-buttons-scheme they used, I bought the BLE sniffer from Adafruit. I first had to find my old Windows laptop as the software runs best on Windows. After scanning and sniffing some of my own BLE buttons, I decided to give the Echo Buttons a try.
Putting them in “pairing mode” shows … absolutely nothing. Okay, hitting “Pair Alexa Gadget” in the Alexa app also shows… nothing. Here’s an empty Wireshark 😛
That sucks. What’s going on? Also, why the hell does the user need to put the buttons into “pairing mode”? And why can one only connect up to 4 buttons at a time. This doesn’t smell like Bluetooth Low Energy at all! Actually, Bluetooth Low Energy is so cool you don’t need the user’s interaction to connect, and you can connect up to 255 devices (theoretically).
Plain old Bluetooth Classic
Ok, this might look like a stupid idea. If it’s true, it may come as a shock. Let’s use the regular Bluetooth scanner on my 2012 Macbook Pro (which doesn’t have BLE). I should have tried this before, but was expecting the buttons to be BLE (Bluetooth Low Energy). Here it goes:
Oh… my… This is worse than I thought.
So what’s wrong with not using Bluetooth Low Energy?
Ok, I might be overreacting, but still… Bluetooth Low Energy would have been a much better choice:
- First of all, “low energy” actually means it does not consume much energy. That means longer battery life.
- Second, BLE devices don’t need user interaction to pair. Your fitness tacker, for example, doesn’t need explicit pairing. Meaning you don’t need to go to your iOS settings and connect a new Bluetooth device. The app itself can find it.
- Bluetooth allows only up to 7 ‘slaves’, meaning only 7 buttons can be connected. Whereas BLE should allow up to 255 devices. iOS seems to have a limit of 20. Personally, I tested iOS to connect up to 12 BLE buttons at the same time.
- To develop Bluetooth Classic devices, one needs the extra certification, like the Apple MFI program and the official Bluetooth certification.
BLE after all
Update: after a comment from 德华, I had a closer look at the PCB. For those who also want to have closer look, I took some scans using an old OfficeJet-G85:
For those who want the uncompressed tif files, here you go.
As you can see, they are using a Cypress CYW20735 SoC. It is a “Dual-mode Bluetooth low energy (BT and BLE operation)” which means it does have BLE. Amazon just doesn’t use it. How to switch it into low energy mode is still unclear. Most likely, the chip will have to be flashed again.
Bluetooth Classic Protocol
Anyway, as the Echo Buttons are in Bluetooth Classic mode, it would be cool if I could learn about the protocol they use. Let’s connect and see what we can do using the tools at hand.
After pairing the Echo Button using the standard MacOS pair settings, the Echo Button shows up in the System information screen as follows:
I have no idea what a gadget, RFC SERVER or SPP SERVER is, but googling SPP SERVER brought me to RFCOMM, bringing me to something called a “Bluetooth serial port”. So RFCOMM just means the Bluetooth device acts a remote serial port.
Communicating with a button using Node.js
As Node.js is my go-to-framework for everything, I connected the Buttons using the node-bluetooth-serial-port module. Using a simple script, I could indeed connect to the button and read out their data!
As you can see, the second last byte changes as I press or release the button. Right now, I have no idea what the other bytes are or how to change the light on the button.
The next step will be sniffing these buttons using Ubertooth to figure out the protocol and finding a way to put them into BLE mode. I’ll update this post as I find more.
What can I say about this finding? I’m baffled by this choice Amazon made. Have they done this just it because it would be harder for a hacker like me to repurpose them?
What baffles me more, is that the product page clearly states it’s compatible with Bluetooth Low Energy (Bluetooth 4.2). Yes, it’s compatible, but they are not using it. They do imply that they are using Bluetooth Classic, saying it “works best within 4.5 meters of the connected device” while BLE works over 100 meters.
Using Bluetooth Classic makes the experience a lot more cumbersome. Having to manually pair first can take 30 seconds per button, which means 2 minutes of technical work before a group of 4 can play. And according to the reviews, there are a lot of pairing issues. So unless they start using the built-in BLE mode, these trivia buttons aren’t really going to catch on I guess… first impressions are everything.