我可以嗅探万用表和智能手机之间的 BLE 通信吗?
Can I sniff a BLE communication between my multimeter and my smartphone?
我目前正在尝试使用 Arduino 板操作万用表 (Zoyi ZT-5BQ),但我不知道使用我的万用表更改读数模式的协议(例如,从欧姆表到温度计) .
我尝试将我的 AT-09 模块与制造商的应用程序(蓝牙 DMM)配对,看看当我尝试从智能 phone 更改读取模式时它发送了什么,但 AT-09 未被检测到phone,我猜这是由于我的模块的 MAC 地址。
有什么方法可以嗅探我的 smarthphone 和万用表之间的通信吗?
提前致谢!
制造商的应用程序找不到 AT-09 最有可能是因为该应用程序搜索宣传该模块不提供的特定服务的设备。
通过安装通用 BLE 扫描仪应用程序(例如 nRF Connect)开始您的研究。连接到您的万用表并查看它发现的服务和特征。尝试阅读 and/or 编写 from/to 它们,有时这足以找出更简单的协议。
如果 nRF Connectc 在后台打开并且您使用制造商的应用程序连接到您的设备,nRF Connect 还提供调试 连接。这已经可以对发送和接收的消息提供一些见解。
最后的手段是使用真正的 BLE 嗅探器。有多种选择,我个人对 Nordic Semiconductor. You would need a bit of hardware and can use Wireshark with an extension to see everything. The cheapest option for the hardware would be the nRF52840-Dongle.
中的那个有很好的使用经验
最后,感谢 Michael Kotzjan,我找到了解决方案。
我从我的 phone 中搜索了嗅探和本地方法,然后我找到了“启用蓝牙 HCI 侦听解决方案”。这不是微不足道的,至少对于基于 MIUI 的 smartphone 来说不是,因为我必须在开发人员选项中启用该选项并找到一种方法来查看这些日志,在我的情况下,我必须重新启动我的 Redmi Note 8 Pro 和然后我去了“小米服务和反馈”应用程序,在那里我启用了phone的蓝牙日志,然后我开始在制造商的应用程序(蓝牙DMM)和我的万用表(Zoyi ZT-5BQ)之间进行通信,之后我必须找到存储日志的文件夹,在我的例子中是:debuglogger->connyslog->bthci->CsLog_2022...
我将文件夹下载到我的 PC,最后使用 Wireshark 我能够看到我从目标(Redmi Note...)发送到我的源(Shenzen__88...)的命令。
Commands shown in Wireshark
这样我就可以记下命令,并列出了这个列表:
List of commands
使用 NRF Connect 应用程序,我能够测试命令,通过 BLE 技术更新万用表的 0xFFF4 特性。
最后,我在Arduino中编写了这段代码,将我的ESP32连接到万用表并测试命令,我可以在0xFFF0服务下读写0xFFF4特性。
/**
A BLE client example that is rich in capabilities.
There is a lot new capabilities implemented.
author unknown
updated by chegewara
*/
#include "BLEDevice.h"
//#include "BLEScan.h"
//String serverUUID = "FC:58:FA:88:56:59";
// The remote service we wish to connect to.
static BLEUUID serviceUUID("fff0");
// The characteristic of the remote service we are interested in.
static BLEUUID charUUID("fff4");
static boolean doConnect = false;
static boolean connected = false;
static boolean doScan = false;
static BLERemoteCharacteristic* pRemoteCharacteristic;
static BLEAdvertisedDevice* myDevice;
//BLEAddress address(serverUUID.c_str());
static void notifyCallback(
BLERemoteCharacteristic* pBLERemoteCharacteristic,
uint8_t* pData,
size_t length,
bool isNotify) {
Serial.print("Notify callback for characteristic ");
Serial.print(pBLERemoteCharacteristic->getUUID().toString().c_str());
Serial.print(" of data length ");
Serial.println(length);
Serial.print("data: ");
Serial.println((char*)pData);
}
class MyClientCallback : public BLEClientCallbacks {
void onConnect(BLEClient* pclient) {
}
void onDisconnect(BLEClient* pclient) {
connected = false;
Serial.println("onDisconnect");
}
};
bool connectToServer() {
Serial.print("Forming a connection to ");
Serial.println(myDevice->getAddress().toString().c_str());
BLEClient* pClient = BLEDevice::createClient();
Serial.println(" - Created client");
pClient->setClientCallbacks(new MyClientCallback());
// Connect to the remove BLE Server.
pClient->connect(myDevice); // if you pass BLEAdvertisedDevice instead of address, it will be recognized type of peer device address (public or private)
Serial.println(" - Connected to server");
pClient->setMTU(517); //set client to request maximum MTU from server (default is 23 otherwise)
// Obtain a reference to the service we are after in the remote BLE server.
BLERemoteService* pRemoteService = pClient->getService(serviceUUID);
if (pRemoteService == nullptr) {
Serial.print("Failed to find our service UUID: ");
Serial.println(serviceUUID.toString().c_str());
pClient->disconnect();
return false;
}
Serial.println(" - Found our service");
// Obtain a reference to the characteristic in the service of the remote BLE server.
pRemoteCharacteristic = pRemoteService->getCharacteristic(charUUID);
if (pRemoteCharacteristic == nullptr) {
Serial.print("Failed to find our characteristic UUID: ");
Serial.println(charUUID.toString().c_str());
pClient->disconnect();
return false;
}
Serial.println(" - Found our characteristic");
// Read the value of the characteristic.
if (pRemoteCharacteristic->canRead()) {
std::string value = pRemoteCharacteristic->readValue();
Serial.print("The characteristic value was: ");
Serial.println(value.c_str());
}
if (pRemoteCharacteristic->canNotify())
pRemoteCharacteristic->registerForNotify(notifyCallback);
connected = true;
return true;
}
/**
Scan for BLE servers and find the first one that advertises the service we are looking for.
*/
class MyAdvertisedDeviceCallbacks: public BLEAdvertisedDeviceCallbacks {
/**
Called for each advertising BLE server.
*/
void onResult(BLEAdvertisedDevice advertisedDevice) {
Serial.print("BLE Advertised Device found: ");
Serial.println(advertisedDevice.toString().c_str());
// We have found a device, let us now see if it contains the service we are looking for.
if (advertisedDevice.haveServiceUUID() && advertisedDevice.isAdvertisingService(serviceUUID)) {
BLEDevice::getScan()->stop();
myDevice = new BLEAdvertisedDevice(advertisedDevice);
doConnect = true;
doScan = true;
} // Found our server
} // onResult
}; // MyAdvertisedDeviceCallbacks
void setup() {
Serial.begin(115200);
Serial.println("Starting Arduino BLE Client application...");
BLEDevice::init("");
// Retrieve a Scanner and set the callback we want to use to be informed when we
// have detected a new device. Specify that we want active scanning and start the
// scan to run for 5 seconds.
BLEScan* pBLEScan = BLEDevice::getScan();
pBLEScan->setAdvertisedDeviceCallbacks(new MyAdvertisedDeviceCallbacks());
pBLEScan->setInterval(1349);
pBLEScan->setWindow(449);
pBLEScan->setActiveScan(true);
pBLEScan->start(5, false);
} // End of setup.
// This is the Arduino main loop function.
void loop() {
// If the flag "doConnect" is true then we have scanned for and found the desired
// BLE Server with which we wish to connect. Now we connect to it. Once we are
// connected we set the connected flag to be true.
if (doConnect == true) {
if (connectToServer()) {
Serial.println("We are now connected to the BLE Server.");
} else {
Serial.println("We have failed to connect to the server; there is nothing more we will do.");
}
doConnect = false;
}
// If we are connected to a peer BLE Server, update the characteristic each time we are reached
// with the current time since boot.
if (connected) {
String newValue = "Time since boot: " + String(millis() / 1000);
Serial.println("Setting new characteristic value to \"" + newValue + "\"");
// Set the characteristic's value to be the array of bytes that is actually a string.
pRemoteCharacteristic->writeValue(newValue.c_str(), newValue.length());
byte Command[2][10] = {
{0xea, 0xec, 0x70, 0xe3, 0xa2, 0xc1, 0x32, 0x71, 0x64, 0x9b}, // Celsius
{0xea, 0xec, 0x70, 0xe2, 0xa2, 0xc1, 0x32, 0x71, 0x64, 0x98} // Fahr
};
Serial.println("Celsius");
pRemoteCharacteristic->writeValue(Command[0], sizeof(colors[0]));
delay(2000);
Serial.println("Fahr");
pRemoteCharacteristic->writeValue(Command[1], sizeof(colors[1]));
delay(2000);
} else if (doScan) {
BLEDevice::getScan()->start(0); // this is just example to start scan after disconnect, most likely there is better way to do it in arduino
}
delay(1000); // Delay a second between loops.
} // End of loop
我目前正在尝试使用 Arduino 板操作万用表 (Zoyi ZT-5BQ),但我不知道使用我的万用表更改读数模式的协议(例如,从欧姆表到温度计) . 我尝试将我的 AT-09 模块与制造商的应用程序(蓝牙 DMM)配对,看看当我尝试从智能 phone 更改读取模式时它发送了什么,但 AT-09 未被检测到phone,我猜这是由于我的模块的 MAC 地址。 有什么方法可以嗅探我的 smarthphone 和万用表之间的通信吗?
提前致谢!
制造商的应用程序找不到 AT-09 最有可能是因为该应用程序搜索宣传该模块不提供的特定服务的设备。
通过安装通用 BLE 扫描仪应用程序(例如 nRF Connect)开始您的研究。连接到您的万用表并查看它发现的服务和特征。尝试阅读 and/or 编写 from/to 它们,有时这足以找出更简单的协议。
如果 nRF Connectc 在后台打开并且您使用制造商的应用程序连接到您的设备,nRF Connect 还提供调试 连接。这已经可以对发送和接收的消息提供一些见解。
最后的手段是使用真正的 BLE 嗅探器。有多种选择,我个人对 Nordic Semiconductor. You would need a bit of hardware and can use Wireshark with an extension to see everything. The cheapest option for the hardware would be the nRF52840-Dongle.
中的那个有很好的使用经验最后,感谢 Michael Kotzjan,我找到了解决方案。 我从我的 phone 中搜索了嗅探和本地方法,然后我找到了“启用蓝牙 HCI 侦听解决方案”。这不是微不足道的,至少对于基于 MIUI 的 smartphone 来说不是,因为我必须在开发人员选项中启用该选项并找到一种方法来查看这些日志,在我的情况下,我必须重新启动我的 Redmi Note 8 Pro 和然后我去了“小米服务和反馈”应用程序,在那里我启用了phone的蓝牙日志,然后我开始在制造商的应用程序(蓝牙DMM)和我的万用表(Zoyi ZT-5BQ)之间进行通信,之后我必须找到存储日志的文件夹,在我的例子中是:debuglogger->connyslog->bthci->CsLog_2022...
我将文件夹下载到我的 PC,最后使用 Wireshark 我能够看到我从目标(Redmi Note...)发送到我的源(Shenzen__88...)的命令。 Commands shown in Wireshark
这样我就可以记下命令,并列出了这个列表: List of commands
使用 NRF Connect 应用程序,我能够测试命令,通过 BLE 技术更新万用表的 0xFFF4 特性。
最后,我在Arduino中编写了这段代码,将我的ESP32连接到万用表并测试命令,我可以在0xFFF0服务下读写0xFFF4特性。
/**
A BLE client example that is rich in capabilities.
There is a lot new capabilities implemented.
author unknown
updated by chegewara
*/
#include "BLEDevice.h"
//#include "BLEScan.h"
//String serverUUID = "FC:58:FA:88:56:59";
// The remote service we wish to connect to.
static BLEUUID serviceUUID("fff0");
// The characteristic of the remote service we are interested in.
static BLEUUID charUUID("fff4");
static boolean doConnect = false;
static boolean connected = false;
static boolean doScan = false;
static BLERemoteCharacteristic* pRemoteCharacteristic;
static BLEAdvertisedDevice* myDevice;
//BLEAddress address(serverUUID.c_str());
static void notifyCallback(
BLERemoteCharacteristic* pBLERemoteCharacteristic,
uint8_t* pData,
size_t length,
bool isNotify) {
Serial.print("Notify callback for characteristic ");
Serial.print(pBLERemoteCharacteristic->getUUID().toString().c_str());
Serial.print(" of data length ");
Serial.println(length);
Serial.print("data: ");
Serial.println((char*)pData);
}
class MyClientCallback : public BLEClientCallbacks {
void onConnect(BLEClient* pclient) {
}
void onDisconnect(BLEClient* pclient) {
connected = false;
Serial.println("onDisconnect");
}
};
bool connectToServer() {
Serial.print("Forming a connection to ");
Serial.println(myDevice->getAddress().toString().c_str());
BLEClient* pClient = BLEDevice::createClient();
Serial.println(" - Created client");
pClient->setClientCallbacks(new MyClientCallback());
// Connect to the remove BLE Server.
pClient->connect(myDevice); // if you pass BLEAdvertisedDevice instead of address, it will be recognized type of peer device address (public or private)
Serial.println(" - Connected to server");
pClient->setMTU(517); //set client to request maximum MTU from server (default is 23 otherwise)
// Obtain a reference to the service we are after in the remote BLE server.
BLERemoteService* pRemoteService = pClient->getService(serviceUUID);
if (pRemoteService == nullptr) {
Serial.print("Failed to find our service UUID: ");
Serial.println(serviceUUID.toString().c_str());
pClient->disconnect();
return false;
}
Serial.println(" - Found our service");
// Obtain a reference to the characteristic in the service of the remote BLE server.
pRemoteCharacteristic = pRemoteService->getCharacteristic(charUUID);
if (pRemoteCharacteristic == nullptr) {
Serial.print("Failed to find our characteristic UUID: ");
Serial.println(charUUID.toString().c_str());
pClient->disconnect();
return false;
}
Serial.println(" - Found our characteristic");
// Read the value of the characteristic.
if (pRemoteCharacteristic->canRead()) {
std::string value = pRemoteCharacteristic->readValue();
Serial.print("The characteristic value was: ");
Serial.println(value.c_str());
}
if (pRemoteCharacteristic->canNotify())
pRemoteCharacteristic->registerForNotify(notifyCallback);
connected = true;
return true;
}
/**
Scan for BLE servers and find the first one that advertises the service we are looking for.
*/
class MyAdvertisedDeviceCallbacks: public BLEAdvertisedDeviceCallbacks {
/**
Called for each advertising BLE server.
*/
void onResult(BLEAdvertisedDevice advertisedDevice) {
Serial.print("BLE Advertised Device found: ");
Serial.println(advertisedDevice.toString().c_str());
// We have found a device, let us now see if it contains the service we are looking for.
if (advertisedDevice.haveServiceUUID() && advertisedDevice.isAdvertisingService(serviceUUID)) {
BLEDevice::getScan()->stop();
myDevice = new BLEAdvertisedDevice(advertisedDevice);
doConnect = true;
doScan = true;
} // Found our server
} // onResult
}; // MyAdvertisedDeviceCallbacks
void setup() {
Serial.begin(115200);
Serial.println("Starting Arduino BLE Client application...");
BLEDevice::init("");
// Retrieve a Scanner and set the callback we want to use to be informed when we
// have detected a new device. Specify that we want active scanning and start the
// scan to run for 5 seconds.
BLEScan* pBLEScan = BLEDevice::getScan();
pBLEScan->setAdvertisedDeviceCallbacks(new MyAdvertisedDeviceCallbacks());
pBLEScan->setInterval(1349);
pBLEScan->setWindow(449);
pBLEScan->setActiveScan(true);
pBLEScan->start(5, false);
} // End of setup.
// This is the Arduino main loop function.
void loop() {
// If the flag "doConnect" is true then we have scanned for and found the desired
// BLE Server with which we wish to connect. Now we connect to it. Once we are
// connected we set the connected flag to be true.
if (doConnect == true) {
if (connectToServer()) {
Serial.println("We are now connected to the BLE Server.");
} else {
Serial.println("We have failed to connect to the server; there is nothing more we will do.");
}
doConnect = false;
}
// If we are connected to a peer BLE Server, update the characteristic each time we are reached
// with the current time since boot.
if (connected) {
String newValue = "Time since boot: " + String(millis() / 1000);
Serial.println("Setting new characteristic value to \"" + newValue + "\"");
// Set the characteristic's value to be the array of bytes that is actually a string.
pRemoteCharacteristic->writeValue(newValue.c_str(), newValue.length());
byte Command[2][10] = {
{0xea, 0xec, 0x70, 0xe3, 0xa2, 0xc1, 0x32, 0x71, 0x64, 0x9b}, // Celsius
{0xea, 0xec, 0x70, 0xe2, 0xa2, 0xc1, 0x32, 0x71, 0x64, 0x98} // Fahr
};
Serial.println("Celsius");
pRemoteCharacteristic->writeValue(Command[0], sizeof(colors[0]));
delay(2000);
Serial.println("Fahr");
pRemoteCharacteristic->writeValue(Command[1], sizeof(colors[1]));
delay(2000);
} else if (doScan) {
BLEDevice::getScan()->start(0); // this is just example to start scan after disconnect, most likely there is better way to do it in arduino
}
delay(1000); // Delay a second between loops.
} // End of loop