Reverse Engineering through Bluetooth Sniffing

Taking a look under the hood

Caleb Rudnicki
E-Textile Hacking
4 min read · Apr 5, 2019


In order to kick off our research, we first needed to understand the inner workings of the Jacquard and, specifically, how it communicates with the user’s mobile device. While looking under the hood, we uncovered the base-level Bluetooth packets exchanged between the devices to make the Jacquard Jacket actuate. Today, we will demonstrate not only our findings from our Bluetooth sniffing trials, but also the specific methods and software we used in the process.

What is BLE?

Bluetooth Low Energy (or BLE) is a protocol developed by the Bluetooth SIG. BLE is an ideal communication protocol for power-efficient wearable devices because it optimizes the transmission of packets, or small blocks of data. Additionally, BLE supports a broadcaster mode, which makes it possible for a wearable device to communicate with a smartphone without ever having to connect and pair. This ease of use and universality make Bluetooth Low Energy a very popular choice among many of today’s small portable Bluetooth devices.

Classic Bluetooth vs. Bluetooth Low Energy (BLE)

The Bluetooth Stack

The Bluetooth stack is divided into two parts, the controller and the host. Within the Bluetooth stack, there is a little something called a service. According to the BLE Core Specification, a service is a collection of data and associated behaviors used to accomplish a particular function or feature.

Structure of a Profile with Services and Characteristics

Each service contains a list of mandatory and/or optional characteristics. A characteristic is an attribute type that contains one single, logical value. Both services and characteristics are assigned a UUID (Universally Unique Identifier). UUIDs can be used to identify devices as well as to enumerate the services a device provides. In this case, the Jacquard Tag used 128-bit UUIDs.
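To make the service and UUID structure concrete, here is an added example (not code from the original post or from Google's Jacquard project) that decodes the ATT Read By Group Type Response a GATT server returns during primary service discovery. It shows the two ways a UUID appears on the air: as a 16-bit SIG-assigned number folded into the Bluetooth Base UUID, or as a full 128-bit vendor UUID of the kind the Jacquard Tag uses. The sample responses and the vendor UUID are constructed placeholders; they are not the Jacquard's real values.

```python
import uuid
from typing import List, Optional, Tuple

# Bluetooth Base UUID. SIG-assigned 16-bit UUIDs occupy the upper
# 32-bit field of this value: 0000XXXX-0000-1000-8000-00805F9B34FB.
BT_BASE_UUID = uuid.UUID("00000000-0000-1000-8000-00805F9B34FB")
_SHORT_UUID_MASK = 0xFFFF << 96

# ATT opcode of the Read By Group Type Response, the PDU a GATT server
# returns while a client enumerates its primary services.
ATT_READ_BY_GROUP_TYPE_RSP = 0x11

# Placeholder for a vendor-specific 128-bit service UUID (constructed for
# this example; it is not a Jacquard UUID).
PLACEHOLDER_VENDOR_SVC = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")


def uuid_from_le(raw: bytes) -> uuid.UUID:
    """Decode a UUID from its on-air little-endian form (2 or 16 bytes)."""
    if len(raw) == 2:
        short = int.from_bytes(raw, "little")
        return uuid.UUID(int=BT_BASE_UUID.int | (short << 96))
    if len(raw) == 16:
        return uuid.UUID(bytes=bytes(raw[::-1]))
    raise ValueError(f"unsupported UUID length: {len(raw)} bytes")


def sig_short_form(u: uuid.UUID) -> Optional[int]:
    """Return the 16-bit assigned number if u sits on the Base UUID, else None."""
    if (u.int & ~_SHORT_UUID_MASK) == BT_BASE_UUID.int:
        return (u.int >> 96) & 0xFFFF
    return None


def parse_read_by_group_type_rsp(pdu: bytes) -> List[Tuple[int, int, uuid.UUID]]:
    """Decode a Read By Group Type Response into (start_handle, end_handle, uuid)."""
    if len(pdu) < 2 or pdu[0] != ATT_READ_BY_GROUP_TYPE_RSP:
        raise ValueError("not a Read By Group Type Response")
    entry_len = pdu[1]  # 6 for 16-bit UUIDs, 20 for 128-bit UUIDs
    if entry_len not in (6, 20):
        raise ValueError(f"unexpected attribute data length {entry_len}")
    body = pdu[2:]
    if not body or len(body) % entry_len:
        raise ValueError("truncated attribute data list")
    services = []
    for off in range(0, len(body), entry_len):
        entry = body[off:off + entry_len]
        start = int.from_bytes(entry[0:2], "little")
        end = int.from_bytes(entry[2:4], "little")
        if end < start:
            raise ValueError(f"invalid handle range {start:#06x}-{end:#06x}")
        services.append((start, end, uuid_from_le(entry[4:])))
    return services


def describe(services: List[Tuple[int, int, uuid.UUID]]) -> List[str]:
    """Human-readable line per service, marking SIG vs vendor UUIDs."""
    lines = []
    for start, end, u in services:
        short = sig_short_form(u)
        kind = f"SIG 0x{short:04X}" if short is not None else "vendor 128-bit"
        lines.append(f"handles 0x{start:04X}-0x{end:04X}: {u} ({kind})")
    return lines


# Constructed responses, laid out as a GATT server would send them:
# opcode, entry length, then (start, end, UUID) entries in little-endian.
SAMPLE_SIG_RSP = bytes.fromhex("11" "06" "0100" "0500" "0018" "0600" "0900" "0118")
SAMPLE_VENDOR_RSP = bytes([0x11, 0x14, 0x0A, 0x00, 0x14, 0x00]) + PLACEHOLDER_VENDOR_SVC.bytes[::-1]

if __name__ == "__main__":
    for pdu in (SAMPLE_SIG_RSP, SAMPLE_VENDOR_RSP):
        for line in describe(parse_read_by_group_type_rsp(pdu)):
            print(line)
```

The first sample resolves to the Generic Access (0x1800) and Generic Attribute (0x1801) services, which almost every BLE peripheral exposes; the second resolves to the placeholder vendor UUID and is reported as 128-bit, which is how a custom service like the Jacquard's shows up in a capture.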

Plan of Action

To get a surface-level understanding of how the Jacquard Tag worked, we first downloaded the official Google mobile application (available on the App Store and Google Play Store). First, we confirmed that the Jacquard Tag and its mobile application communicate via BLE. Additionally, we discovered the four pre-defined gestures supported in the official application:

  1. Brush-in
  2. Brush-out
  3. Double-tap
  4. Cover

Our next step in the process was to set up both a static and a dynamic Bluetooth log using Wireshark and nRF Connect, respectively. We used Wireshark to analyze the specific packets being sent back and forth between the Jacquard and the mobile device. This static Bluetooth log allowed us to see the specific services and characteristics (and their respective UUIDs) associated with each packet, which we could then test in our dynamic Bluetooth log, nRF Connect.

A Wireshark screenshot highlighting a bluetooth packet corresponding to the Jacquard’s thread readings

nRF Connect, a powerful mobile application developed by Nordic Semiconductor, allowed us to connect to and debug our BLE device in real time. In other words, the application displays the value of every characteristic and updates it in real time. Once we discovered which characteristic corresponded to gesture recognition, for instance, we could test which values were sent between the Jacquard and the paired mobile device, as seen below.

nRF Connect screenshots of the gesture characteristic after each gesture: Double Tap, Brush In, Brush Out, Cover

Findings

Gesture values

As you can see above, we found that upon performing a gesture, the hex value corresponding to that specific gesture was logged on the mobile device. After probing for further gestures that corresponded to values we had not yet seen, we discovered a gesture not exposed to users, which we dubbed “Scratch”!
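The workflow just described, decoding the value updates that a Wireshark capture or nRF Connect shows for a characteristic and then looking for values that none of the documented gestures produce, can be scripted. The following is an added example, not code from the original post or from the Jacquard project: it parses ATT Handle Value Notification/Indication PDUs (the same opcode, handle and value fields Wireshark's btatt dissector displays), labels values that match a known gesture table, and reports any handle/value pair the table does not explain, which is exactly the kind of gap that led to the "Scratch" gesture. The attribute handle, the gesture codes and the capture are constructed placeholders, since the post does not publish the real Jacquard values.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# ATT opcodes for server-initiated value updates (what nRF Connect shows
# as a changing characteristic value once notifications are enabled).
ATT_HANDLE_VALUE_NTF = 0x1B  # notification: no acknowledgement
ATT_HANDLE_VALUE_IND = 0x1D  # indication: client must confirm

# Placeholder attribute handle and gesture codes, constructed for this
# example. The real Jacquard handles and values are not given in the post.
GESTURE_HANDLE = 0x0023
KNOWN_GESTURES: Dict[int, Dict[bytes, str]] = {
    GESTURE_HANDLE: {
        b"\x01": "Brush-in",
        b"\x02": "Brush-out",
        b"\x03": "Double-tap",
        b"\x04": "Cover",
    },
}


def parse_handle_value(pdu: bytes) -> Tuple[int, bytes]:
    """Split a Handle Value Notification/Indication into (handle, value)."""
    if len(pdu) < 3 or pdu[0] not in (ATT_HANDLE_VALUE_NTF, ATT_HANDLE_VALUE_IND):
        raise ValueError(f"not a handle value PDU: {pdu.hex()}")
    handle = int.from_bytes(pdu[1:3], "little")
    return handle, bytes(pdu[3:])


class ValueCatalog:
    """Tracks every value seen per handle and labels the ones already understood."""

    def __init__(self, known: Dict[int, Dict[bytes, str]]):
        self.known = known
        self.seen: Dict[int, Set[bytes]] = defaultdict(set)

    def record(self, handle: int, value: bytes) -> str:
        self.seen[handle].add(value)
        label = self.known.get(handle, {}).get(value)
        if label is not None:
            return label
        return f"UNKNOWN handle=0x{handle:04X} value={value.hex()}"

    def unexplained(self) -> List[Tuple[int, bytes]]:
        """Handle/value pairs observed in the capture but absent from the known table."""
        out = []
        for handle, values in self.seen.items():
            table = self.known.get(handle, {})
            out.extend((handle, v) for v in sorted(values) if v not in table)
        return out


def analyze_capture(pdus: Iterable[bytes], known=KNOWN_GESTURES):
    """Return (label per value update, unexplained handle/value pairs)."""
    catalog = ValueCatalog(known)
    labels = []
    for pdu in pdus:
        try:
            handle, value = parse_handle_value(pdu)
        except ValueError:
            continue  # other ATT traffic (reads, writes, MTU exchange) is ignored here
        labels.append(catalog.record(handle, value))
    return labels, catalog.unexplained()


# Constructed capture: each PDU is opcode, handle (little-endian), value.
SAMPLE_CAPTURE = [
    bytes.fromhex("1b230003"),  # Double-tap
    bytes.fromhex("1b230001"),  # Brush-in
    bytes.fromhex("1b230005"),  # value none of the four documented gestures produce
    bytes.fromhex("1b230004"),  # Cover
    bytes.fromhex("1b2700aa"),  # a different handle we have no table for yet
    bytes.fromhex("0b"),        # Read Response with no payload: not a handle value PDU
]

if __name__ == "__main__":
    labels, gaps = analyze_capture(SAMPLE_CAPTURE)
    for line in labels:
        print(line)
    for handle, value in gaps:
        print(f"unexplained: handle 0x{handle:04X} value {value.hex()}")
```

Running it over a real export would mean feeding it the ATT payloads from the capture instead of SAMPLE_CAPTURE; the unexplained list is the to-do list for the next nRF Connect session, where each unknown value is reproduced by hand to work out which gesture or reading it belongs to.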

Services and characteristics that were uncovered

Additionally, we were able to uncover several other services and characteristics that corresponded to functionality such as lighting the Jacquard Tag’s LED indicator and getting real-time capacitance readings of each of the 15 threads.

What’s Next?

Simply put, our work with bluetooth sniffing won’t stop anytime soon. We will continually visit this topic to hopefully keep uncovering new and hidden functionalities of the Jacquard Tag. As more information arises here, those results will influence the software engineering of our published APIs such that developers can take advantage of the latest and greatest features of Jacquard.

Georgia Tech’s E-Textile Hacking Team is always looking to collaborate with engineers and researchers across industry and academia. If you are enthusiastic about new forms of human-computer interaction like this one or interested in our work on the Jacquard E-textile, please reach out!

Incoming Software Engineer @ Nike ∙ Computer Science Major at Georgia Tech ∙ Interested in Swift and all things iOS