How to hack the Black Shark MagCooler 3Pro via BLE (Bluetooth Low Energy)

I recently acquired a device that I use to cool my iPad when I play Call of Duty Mobile, and above all it has caught my attention. I have been very interested in this device because it has a variety of settings, especially for temperature, fan speed and LED light control, all through BLE. I had previously done some BLE research, especially on a smartwatch purchased on AliExpress, where I detailed the steps I used to discover the UUIDs, characteristics and payloads; this time we will follow a different process using common tools such as hcitool and gatttool.

Recognition

For this exercise I will be using an Ubertooth and a Raspberry Pi.

We will start by using hcitool to scan nearby BLE devices.

sudo hcitool lescan

In the output you can see the target device, Black Shark MagCooler 3Pro, and its MAC address 04:33:85:99:4C:D0, which we will need in order to connect to the device.

04:33:85:99:4C:D0 Black Shark MagCooler 3Pro

One of the important steps is to enumerate the characteristics the device exposes for communication, so we will use the blemon Frida script on iOS to trace the BLE frames exchanged by the companion app.

frida -U -l frida/blemon.js -f com.blackshark.peripheral.community

Once the traffic has been intercepted, we start by reviewing the payloads sent to turn the LEDs on and off.

[BLE Write  =>] UUID: A001 data: 0x0506000000
[BLE Notify <=] UUID: A002 data: 0xlength=10,bytes=0x8a060000010300d60000
[BLE Notify <=] UUID: A002 data: 0xlength=10,bytes=0x8a060000010300d60000
[BLE Notify <=] UUID: A002 data: 0xlength=10,bytes=0x8a060000010300d60000
[BLE Notify <=] UUID: A002 data: 0xlength=10,bytes=0x8a060000010300d60000
[BLE Write  =>] UUID: A001 data: 0x0501080001

We see that the UUID used to turn the LEDs on and off is A001 and that the payloads are identical on every press, so there is no encryption or session-specific value involved: the same bytes can simply be written again from any BLE client, which is what we do next with gatttool.

Using gatttool we can list these characteristics:

gatttool -b 04:33:85:99:4c:d0 -I
┌──(kali㉿kali-raspberry-pi)-[~/Desktop/Magcooler]
└─$ gatttool -b 04:33:85:99:4c:d0 -I
[04:33:85:99:4c:d0][LE]> connect
Attempting to connect to 04:33:85:99:4c:d0
Connection successful
[04:33:85:99:4c:d0][LE]> characteristics 
handle: 0x0002, char properties: 0x12, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x0004, char properties: 0x02, char value handle: 0x0005, uuid: 00002a01-0000-1000-8000-00805f9b34fb
handle: 0x0006, char properties: 0x02, char value handle: 0x0007, uuid: 00002a04-0000-1000-8000-00805f9b34fb
handle: 0x0009, char properties: 0x20, char value handle: 0x000a, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x000d, char properties: 0x02, char value handle: 0x000e, uuid: 00002a50-0000-1000-8000-00805f9b34fb
handle: 0x0010, char properties: 0x06, char value handle: 0x0011, uuid: 00010203-0405-0607-0809-0a0b0c0d2b12
handle: 0x0014, char properties: 0x04, char value handle: 0x0015, uuid: 0000a001-0000-1000-8000-00805f9b34fb
handle: 0x0016, char properties: 0x10, char value handle: 0x0017, uuid: 0000a002-0000-1000-8000-00805f9b34fb
[04:33:85:99:4c:d0][LE]> 

Let’s start with basic functions.

Switching LEDs on and off.

To switch the LEDs on and off we use the characteristic collected above:

handle: 0x0014, char properties: 0x04, char value handle: 0x0015, uuid: 0000a001-0000-1000-8000-00805f9b34fb

With this information we can use gatttool to write the on/off commands to the value handle 0x0015; for example, to turn the LED off:

gatttool -b 04:33:85:99:4c:d0 --char-write-req -a 0x0015 -n 0501080000

After analyzing the functions, we arrive at the following table describing each command the device accepts.

COMMAND                  VALUE (HEX)
Overclocking Mode        0502000032
Mute Mode                050200005b
Intelligence Mode        05020000fa
Led ON                   0501080001
Led OFF                  0501080000
Stop propellers (fan)    0502000000

We were also able to analyze the LED lighting modes, which are defined in this table.

LED MODE       VALUE (HEX)
streamer       2f0120000200ffff100e00000000000000000000000000000000000000000000000000000000000000000000000000
breathe        2f0120000300ffff636301ff0000000000000000000000000000000000000000000000000000000000000000000000
starlight      2f0120000400ffff2c0101ff0000000000000000000000000000000000000000000000000000000000000000000000
flying ring    2f0120000500ffffd00701ff0000000000000000000000000000000000000000000000000000000000000000000000
chase          2f0120000700ffff580202ff000000ff00000000000000000000000000000000000000000000000000000000000000
surrounding    2f0120000800ffffe80302ff000000ff00000000000000000000000000000000000000000000000000000000000000
impact         2f0120000900ffffe80303ff000000ff000000ff000000000000000000000000000000000000000000000000000000
buffer         2f0120000a00ffffd00702ff000000ff00000000000000000000000000000000000000000000000000000000000000
refresh        2f0120000b00ffff2c0100000000000000000000000000000000000000000000000000000000000000000000000000
bounce         2f0120000c00ffffdc0500000000000000000000000000000000000000000000000000000000000000000000000000

Color and flicker speed analysis.

There are three speed levels on the device, defined in the first 22 bytes of the value.

SPEED     VALUE (HEX)
LOW       2f0120000c00ffffd00701
MEDIUM    2f0120000c00ffffdc0501
HIGH      2f0120000c00ffffe80301

The color follows this string as a hexadecimal RGB value; it takes six bytes, e.g. magenta is ff00ff.

2f0120000c00ffffdc0501ff00ff000000000000000000000000000000000000000000000000000000000000000000

Finally, you can combine these values and control the device at will.
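To make the structure of those 2f01... values explicit, here is an encoder/decoder for the LED mode frame, written for this post as an added example (not the article's or the vendor's code). The field layout is our reading of the captured values, not documentation: hex digits 8-9 hold the mode id, digits 16-19 hold the speed value as a little-endian 16-bit integer (d007 = 2000, dc05 = 1500, e803 = 1000, which looks like a period in milliseconds, an assumption), digits 20-21 give the number of colours that follow, and each colour occupies 8 digits (RRGGBB plus 00); the fixed frame length is taken from the article's magenta example, and the assumption that such frames go to the same A001 value handle 0x0015 as the on/off commands is only used by the gatttool command helper.

```python
# Encoder/decoder for the MagCooler LED mode frame (values starting 2f012000).
# Layout inferred from the captured values in the article (an interpretation, not vendor documentation):
#   hex 0-7     "2f012000"  fixed header
#   hex 8-9     mode id     (02 streamer ... 0c bounce)
#   hex 10-11   "00"
#   hex 12-15   "ffff"
#   hex 16-19   speed value, little-endian 16-bit (d007=2000, dc05=1500, e803=1000; assumed to be a period in ms)
#   hex 20-21   number of colours that follow
#   hex 22..    colours, 8 hex digits each: RRGGBB00
#   rest        zero padding to the fixed frame length

MODES = {
    "streamer": 0x02, "breathe": 0x03, "starlight": 0x04, "flying ring": 0x05, "chase": 0x07,
    "surrounding": 0x08, "impact": 0x09, "buffer": 0x0a, "refresh": 0x0b, "bounce": 0x0c,
}
MODE_NAMES = {v: k for k, v in MODES.items()}
SPEEDS = {"LOW": 0x07D0, "MEDIUM": 0x05DC, "HIGH": 0x03E8}
SPEED_NAMES = {v: k for k, v in SPEEDS.items()}
HEADER = "2f012000"

# Reference frame from the article (bounce, MEDIUM, magenta); its length fixes the frame size.
REFERENCE = "2f0120000c00ffffdc0501ff00ff000000000000000000000000000000000000000000000000000000000000000000"
FRAME_BYTES = len(REFERENCE) // 2


def parse_frame(hexstr):
    """Decode an LED mode frame into (mode name or id, speed value, list of RRGGBB colours)."""
    h = hexstr.strip().lower()
    if h[0:8] != HEADER or h[10:12] != "00" or h[12:16] != "ffff":
        raise ValueError("not an LED mode frame: " + h[:16])
    mode_id = int(h[8:10], 16)
    speed = int(h[18:20] + h[16:18], 16)  # swap the two bytes: little-endian
    ncolours = int(h[20:22], 16)
    colours = []
    for i in range(ncolours):
        slot = h[22 + 8 * i: 30 + 8 * i]
        if len(slot) != 8 or slot[6:8] != "00":
            raise ValueError("malformed colour slot %d" % i)
        colours.append(slot[:6])
    return MODE_NAMES.get(mode_id, mode_id), speed, colours


def speed_name(speed):
    """Map a raw speed value back to the article's LOW/MEDIUM/HIGH, or None if it is not one of them."""
    return SPEED_NAMES.get(speed)


def build_frame(mode, speed, colours):
    """Build the hex string for a mode (name or id), speed (name or raw value) and list of RRGGBB colours."""
    mode_id = MODES[mode] if isinstance(mode, str) else int(mode)
    speed_val = SPEEDS[speed] if isinstance(speed, str) else int(speed)
    if not 0 <= mode_id <= 0xFF or not 0 <= speed_val <= 0xFFFF:
        raise ValueError("mode id or speed out of range")
    body = bytearray.fromhex(HEADER)
    body += bytes([mode_id, 0x00, 0xFF, 0xFF])
    body += speed_val.to_bytes(2, "little")
    body += bytes([len(colours)])
    for c in colours:
        rgb = bytes.fromhex(c)
        if len(rgb) != 3:
            raise ValueError("colour must be 6 hex digits (RRGGBB): %r" % c)
        body += rgb + b"\x00"
    if len(body) > FRAME_BYTES:
        raise ValueError("too many colours for a %d-byte frame" % FRAME_BYTES)
    return bytes(body).ljust(FRAME_BYTES, b"\x00").hex()


def gatttool_command(value, mac="04:33:85:99:4c:d0", handle=0x0015):
    """Render the gatttool write used in the article (handle 0x0015 for mode frames is an assumption)."""
    return "gatttool -b %s --char-write-req -a 0x%04x -n %s" % (mac, handle, value)


if __name__ == "__main__":
    print(parse_frame(REFERENCE))                      # ('bounce', 1500, ['ff00ff'])
    frame = build_frame("impact", "HIGH", ["ff0000", "00ff00", "0000ff"])
    print(gatttool_command(frame))
```

The round trip is the useful check: every row of the mode table above parses with the expected mode id and colour count, and rebuilding a row from its parsed fields reproduces the captured value, which is how you confirm that a layout guess like this one is actually right before relying on it.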
