I recently acquired a device that I use, to cool my iPad when I play call of duty mobile, above all, it has called me. I have been very interested in this device because it has a variety of modifications, especially in terms of temperature, fan speed and led lights control, all through BLE, previously I had done some BLE research, especially in a smartwatch purchased on aliexpress where I detail the steps I used for the discovery of UUID, characteristics and payloads load, this time we will do a different process using common use tools such as hcitool, gatttool.
Recognition
For this exercise I will be using an ubertooth and a raspberry pi.
We will start by using hcitool
to scan nearby BLE devices.
sudo hcitool lescan
You can see the target device Black Shark MagCooler 3Pro
and the corresponding mac address 04:33:85:99:4C:D0
important information when connecting to the device.
04:33:85:99:4C:D0 Black Shark MagCooler 3Pro
One of the important steps is to enumerate the features that the device has active to communicate, so we will use the blemon module in iOS to trace the BLE frames.
frida -U -l frida/blemon.js -f com.blackshark.peripheral.community
Once the traffic has been intercepted, we begin to review the payload sent to turn the LEDs on and off.
[BLE Write =>] UUID: A001 data: 0x0506000000
[BLE Notify <=] UUID: A002 data: 0xlength=10,bytes=0x8a060000010300d60000
[BLE Notify <=] UUID: A002 data: 0xlength=10,bytes=0x8a060000010300d60000
[BLE Notify <=] UUID: A002 data: 0xlength=10,bytes=0x8a060000010300d60000
[BLE Notify <=] UUID: A002 data: 0xlength=10,bytes=0x8a060000010300d60000
[BLE Write =>] UUID: A001 data: 0x0501080001
We see that the UUID for turning the led on and off is A001 and the paylaods are the same as always, so there is no encryption involved.
Using gatttool we can list these features, let’s see.
gatttool -b 04:33:85:99:4c:d0 -I
┌──(kali㉿kali-raspberry-pi)-[~/Desktop/Magcooler]
└─$ gatttool -b 04:33:85:99:4c:d0 -I
[04:33:85:99:4c:d0][LE]> connect
Attempting to connect to 04:33:85:99:4c:d0
Connection successful
[04:33:85:99:4c:d0][LE]> characteristics
handle: 0x0002, char properties: 0x12, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x0004, char properties: 0x02, char value handle: 0x0005, uuid: 00002a01-0000-1000-8000-00805f9b34fb
handle: 0x0006, char properties: 0x02, char value handle: 0x0007, uuid: 00002a04-0000-1000-8000-00805f9b34fb
handle: 0x0009, char properties: 0x20, char value handle: 0x000a, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x000d, char properties: 0x02, char value handle: 0x000e, uuid: 00002a50-0000-1000-8000-00805f9b34fb
handle: 0x0010, char properties: 0x06, char value handle: 0x0011, uuid: 00010203-0405-0607-0809-0a0b0c0d2b12
handle: 0x0014, char properties: 0x04, char value handle: 0x0015, uuid: 0000a001-0000-1000-8000-00805f9b34fb
handle: 0x0016, char properties: 0x10, char value handle: 0x0017, uuid: 0000a002-0000-1000-8000-00805f9b34fb
[04:33:85:99:4c:d0][LE]>
Let’s start with basic functions.
Switching LEDs on and off.
To manipulate the switching on and off of the LEDs we can use the following collected data.
handle: 0x0014, char properties: 0x04, char value handle: 0x0015, uuid: 0000a001-0000-1000-8000-00805f9b34fb
With this information, using gatttool we can send the commands to turn the LED on and off.
gatttool -b 04:33:85:99:4c:d0 --char-write-req -a 0x0015 -n 0501080000
After analyzing the functions, we have the following table that describes each of the functions that the device has.
COMMANDS | VALUE HEX |
Overclocking Mode | 0502000032 |
Mute Mode | 050200005b |
Intelligence Mode | 05020000fa |
Led ON | 0501080001 |
Led OFF | 0501080000 |
Stop ELICES | 0502000000 |
We were also able to analyze the transmission mode of the LEDs that are defined in this table.
LEDS MODE | VALUE HEX |
streamer | 2f0120000200ffff100e00000000000000000000000000000000000000000000000000000000000000000000000000 |
Breathe | 2f0120000300ffff636301ff0000000000000000000000000000000000000000000000000000000000000000000000 |
starlight | 2f0120000400ffff2c0101ff0000000000000000000000000000000000000000000000000000000000000000000000 |
flying ring | 2f0120000500ffffd00701ff0000000000000000000000000000000000000000000000000000000000000000000000 |
chase | 2f0120000700ffff580202ff000000ff00000000000000000000000000000000000000000000000000000000000000 |
surrunding | 2f0120000800ffffe80302ff000000ff00000000000000000000000000000000000000000000000000000000000000 |
impact | 2f0120000900ffffe80303ff000000ff000000ff000000000000000000000000000000000000000000000000000000 |
buffer | 2f0120000a00ffffd00702ff000000ff00000000000000000000000000000000000000000000000000000000000000 |
refresh | 2f0120000b00ffff2c0100000000000000000000000000000000000000000000000000000000000000000000000000 |
bounce | 2f0120000c00ffffdc0500000000000000000000000000000000000000000000000000000000000000000000000000 |
Color and flicker speed analysis.
There are three types of speeds in the device, defined in the first 22 bytes
Speed | Value HEX |
LOW | 2f0120000c00ffffd00701 |
MEDIUM | 2f0120000c00ffffdc0501 |
HIGH | 2f0120000c00ffffe80301 |
Colors can be represented after this string as a hexadecimal value, this takes six bytes, e.g. the color magenta ff00ff
.
2f0120000c00ffffdc0501ff00ff000000000000000000000000000000000000000000000000000000000000000000
Finally you can make the combinations and control the device at will.