Is this BLE Advertisement packet out of spec? How can I emulate it?

2 days ago 4

I'm working on a project to emulate some BLE packets from a lamp that has Bluetooth functionality.

I'm capturing packets via Wireshark + nRF52840 dongle.

I've dissected most of the packet, and was starting to work on emulating the packet; however, BlueZ and HCI seem to refuse to want anything to do with my crafted packet.

Here's a sample packet:

0000 03 3c 00 03 d2 20 02 0a 01 26 27 00 00 0f 6e a4 .<... ...&'...n.
0010 03 d6 be 89 8e 00 29 f0 03 04 12 b1 ff 02 01 06 ......).........
0020 21 48 52 52 46 86 4c 13 d9 9f 65 0c d2 64 01 00 !HRRF.L...e..d..
0030 01 61 03 d4 00 b4 00 01 64 00 00 00 00 00 00 05 .a......d.......
0040 6e 70 e9                                        np.

Is this packet out of spec, or am I misinterpreting it?

The data payload starts at 0020 and goes for 32 bytes. My limited understanding of a BLE ADV_IND packet is that the payload can only be 31 bytes and this packet from the lamp doesn't have any of the standard company identifiers, or correct lengths.

I can't pick it up on other sniffers like Packet Logger on OSX. I am also having trouble with BlueZ and HCI accepting it as valid, so that leads me to believe it's not in spec.

As for emulating the packet, I'm using Linux. I'm under the impression that HCI sockets were "old", and so I first tried via Python, then attempted btmgmt add-adv -d <data> instead, just to prove the packet could be sent.

Add Advertising failed with status 0x0d (Invalid Parameters)
btmgmt[2160450]: @ MGMT Open: btmgmt (privileged) version 1.23                  {0x0003} 11.087147
btmgmt[2160450]: @ MGMT Command: Add Advertising (0x003e) plen 44        {0x0003} [hci0] 11.087193
        Instance: 1
        Flags: 0x00000000
        Duration: 0
        Timeout: 0
        Advertising data length: 33
        Flags: 0x06
          LE General Discoverable Mode
          BR/EDR Not Supported
        ff 46 79 40 06 cc 92 59 91 57 1e 01 01 00 f0 03  .Fy@...Y.W......
        e8 02 e4 00 01 64 00 01 01 00 04 00 00 00        .....d........
        Scan response length: 0
@ MGMT Event: Command Status (0x0002) plen 3                             {0x0003} [hci0] 11.087196
      Add Advertising (0x003e)
        Status: Invalid Parameters (0x0d)
btmgmt[2160450]: @ MGMT Close: btmgmt                                            {0x0003} 11.087225

I haven't been able to sniff the packet using another method, so I can't rule out that the nRF is not correct, though that seems unlikely.
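One way to answer the "out of spec, or misread?" question mechanically is to run the capture through a small dissector that checks the legacy advertising limits. The script below is an added example, not the asker's code. It skips the sniffer prefix by locating the advertising-channel access address (0x8E89BED6, a spec constant) instead of parsing the nRF header, splits the link-layer PDU into header, AdvA and AD structures, and lists every way the PDU exceeds what a legacy ADV_IND may carry. Two assumptions are labelled in the code: the dump text is a constructed copy of the question's hex dump with the ASCII columns removed, and the three bytes after the PDU are treated as the CRC (which is consistent with the LL length field, 0x29 = 41). The small AD-type table only names common types; the 0x48 type seen here is simply reported as not in the table.

```python
"""Dissect a legacy BLE advertising PDU from a sniffer hex dump and check
it against the legacy-advertising length limits.

Added example, not the asker's code. Assumptions: the sniffer prefix is
skipped by locating the advertising access address (0x8E89BED6) rather
than by parsing the sniffer header, and the 3 bytes after the PDU are
taken to be the CRC (consistent with the LL length field in the dump).
"""

# Constructed from the hex dump in the question, ASCII columns removed.
DUMP = """
0000 03 3c 00 03 d2 20 02 0a 01 26 27 00 00 0f 6e a4
0010 03 d6 be 89 8e 00 29 f0 03 04 12 b1 ff 02 01 06
0020 21 48 52 52 46 86 4c 13 d9 9f 65 0c d2 64 01 00
0030 01 61 03 d4 00 b4 00 01 64 00 00 00 00 00 00 05
0040 6e 70 e9
"""

ADV_ACCESS_ADDRESS = (0x8E89BED6).to_bytes(4, "little")  # spec constant, LSB first on air
LEGACY_ADV_PAYLOAD_MAX = 37   # 6-byte AdvA + 31 bytes of AdvData
ADV_DATA_MAX = 31
PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
             0x3: "SCAN_REQ", 0x4: "SCAN_RSP", 0x5: "CONNECT_IND",
             0x6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs",
            0x03: "Complete 16-bit UUIDs", 0x08: "Shortened Local Name",
            0x09: "Complete Local Name", 0x0A: "Tx Power Level",
            0xFF: "Manufacturer Specific Data"}


def hexdump_to_bytes(dump):
    """Drop the offset column of each line and return the data bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(int(tok, 16) for tok in line.split()[1:])
    return bytes(out)


def parse_ad_structures(adv_data):
    """Split AdvData into (ad_type, data) pairs, stopping at the first
    structure whose length byte points past the end of AdvData."""
    structs, problems, i = [], [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:               # zero length ends significant AdvData
            break
        remaining = len(adv_data) - i - 1
        if length > remaining:
            problems.append(f"AD structure at AdvData offset {i} claims "
                            f"{length} bytes but only {remaining} remain")
            if remaining:             # keep whatever bytes are really there
                structs.append((adv_data[i + 1], adv_data[i + 2:]))
            break
        structs.append((adv_data[i + 1], adv_data[i + 2:i + 1 + length]))
        i += 1 + length
    return structs, problems


def dissect(raw):
    """Parse the link-layer PDU that follows the advertising access address."""
    pos = raw.find(ADV_ACCESS_ADDRESS)
    if pos < 0:
        raise ValueError("advertising access address not found in dump")
    hdr0, length = raw[pos + 4], raw[pos + 5]   # 2-byte LL header
    pdu_start = pos + 6
    payload = raw[pdu_start:pdu_start + length]
    adv_a = ":".join(f"{b:02X}" for b in reversed(payload[:6]))  # sent LSB first
    adv_data = payload[6:]
    structs, problems = parse_ad_structures(adv_data)
    if length > LEGACY_ADV_PAYLOAD_MAX:
        problems.append(f"LL payload length {length} exceeds legacy "
                        f"maximum {LEGACY_ADV_PAYLOAD_MAX}")
    if len(adv_data) > ADV_DATA_MAX:
        problems.append(f"AdvData is {len(adv_data)} bytes, legacy maximum "
                        f"is {ADV_DATA_MAX}")
    return {
        "pdu_type": PDU_TYPES.get(hdr0 & 0x0F, f"unknown(0x{hdr0 & 0x0F:x})"),
        "tx_add": "random" if hdr0 & 0x40 else "public",  # TxAdd is bit 6
        "length": length,
        "adv_a": adv_a,
        "adv_data": adv_data,
        "ad_structures": structs,
        "crc": raw[pdu_start + length:pdu_start + length + 3],  # assumed CRC
        "problems": problems,
    }


if __name__ == "__main__":
    result = dissect(hexdump_to_bytes(DUMP))
    for key in ("pdu_type", "tx_add", "length", "adv_a"):
        print(f"{key}: {result[key]}")
    for ad_type, data in result["ad_structures"]:
        name = AD_TYPES.get(ad_type, "not in table")
        print(f"  AD type 0x{ad_type:02x} ({name}): {data.hex()}")
    for problem in result["problems"]:
        print("  PROBLEM:", problem)
```

Run against the dump above, it reports an ADV_IND with a public AdvA of FF:B1:12:04:03:F0, an LL length of 41 (the legacy ceiling is 37), 35 bytes of AdvData (ceiling 31), and a second AD structure whose length byte 0x21 promises 33 bytes when only 31 follow. So the packet is out of spec on three counts, not just the one the question suspects, and the same 31-byte AdvData limit is the likely reason btmgmt answered Invalid Parameters to 33 bytes of advertising data. A controller that only implements legacy advertising has no way to transmit this PDU as captured.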
