Introduction: I come to this problem without having fully familiarized myself with the Bluetooth stack and protocols, so this may require several rounds of editing as errors in my assumptions are found.
I am trying to connect to a Bluetooth device, the Scosche myTREK Pulse Monitor. I was able to connect to the device using the "official" Android app, and I captured the Bluetooth packets using hcidump. I can read and understand the connection process up through the link key exchange; however, the device then sends an HCI Encrypt Change event, after which most (but not all) packets are marked as ACL packets and are difficult to interpret.
The main question is: does Bluetooth encrypt the data, and is there a way to decrypt it? Is this related to the switch to ACL packets?
Here is an example of the output hcidump produced for this connection, starting with the link key exchange. (> denotes data received by the monitor.)
> HCI Event: Link Key Request (0x17) plen 6
    0000: ** ** ** ** ** **  ??????
< HCI Command: Link Key Request Reply (0x01|0x000b) plen 22
    0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **  ???????????????
    0010: ** ** ** ** ** **  ??????
> HCI Event: Command Complete (0x0e) plen 10
    0000: 01 0b 04 00 ** ** ** ** ** **  ....??????
> HCI Event: Encrypt Change (0x08) plen 4
    0000: 00 0c 00 01  ....
> ACL data: handle 12 flags 0x02 dlen 12
    L2CAP(s): Connect req: psm 1 scid 0x0040
< ACL data: handle 12 flags 0x00 dlen 16
    0000: 0c 00 01 00 03 02 08 00 40 00 40 00 01 00 00 00  ........@.@.....
< ACL data: handle 12 flags 0x00 dlen 10
    0000: 06 00 01 00 0a 01 02 00 02 00  ..........
> HCI Event: Number of Completed Packets (0x13) plen 5
    0000: 01 0c 00 02 00  .....
> ACL data: handle 12 flags 0x02 dlen 16
    L2CAP(s): Info rsp: type 2 result 0
      Extended feature mask 0x0000
< ACL data: handle 12 flags 0x00 dlen 16
    0000: 0c 00 01 00 03 02 08 00 40 00 40 00 00 00 00 00  ........@.@.....
< ACL data: handle 12 flags 0x00 dlen 12
    0000: 08 00 01 00 04 02 04 00 40 00 00 00  ........@...
> HCI Event: Number of Completed Packets (0x13) plen 5
    0000: 01 0c 00 02 00  .....
> ACL data: handle 12 flags 0x02 dlen 16
    L2CAP(s): Config req: dcid 0x0040 flags 0x00 clen 4
      MTU 48
< ACL data: handle 12 flags 0x00 dlen 18
    0000: 0e 00 01 00 05 03 0a 00 40 00 00 00 00 00 01 02  ........@.......
    0010: 30 00  0.
> ACL data: handle 12 flags 0x02 dlen 14
    L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 0
      Success
> ACL data: handle 12 flags 0x02 dlen 36
    L2CAP(d): cid 0x0040 len 32 [psm 0]
    0000: 06 00 01 00 1b 35 11 1c 00 00 00 00 de ca fa de  .....5......??Β·?
    0010: de ca de af de ca ca fe 00 26 35 03 09 00 04 00  ???Β»????.&5.....
< ACL data: handle 12 flags 0x00 dlen 33
    0000: 1d 00 40 00 07 00 01 00 18 00 15 35 13 35 11 09  ..@........5.5..
    0010: 00 04 35 0c 35 03 19 01 00 35 05 19 00 03 08 12  ..5.5....5......
    0020: 00  .
> HCI Event: Number of Completed Packets (0x13) plen 5
    0000: 01 0c 00 02 00  .....
> ACL data: handle 12 flags 0x02 dlen 12
    L2CAP(s): Disconn req: dcid 0x0040 scid 0x0040
< ACL data: handle 12 flags 0x00 dlen 12
    0000: 08 00 01 00 07 04 04 00 40 00 40 00  ........@.@.
> ACL data: handle 12 flags 0x02 dlen 12
    L2CAP(s): Connect req: psm 3 scid 0x0041
< ACL data: handle 12 flags 0x00 dlen 16
    0000: 0c 00 01 00 03 05 08 00 40 00 41 00 00 00 00 00  ........@.A.....
> HCI Event: Number of Completed Packets (0x13) plen 5
    0000: 01 0c 00 02 00  .....
> ACL data: handle 12 flags 0x02 dlen 16
    L2CAP(s): Config req: dcid 0x0040 flags 0x00 clen 4
      MTU 895
< ACL data: handle 12 flags 0x00 dlen 18
    0000: 0e 00 01 00 05 06 0a 00 41 00 00 00 00 00 01 02  ........A.......
    0010: 7f 03  ..
< ACL data: handle 12 flags 0x00 dlen 16
    0000: 0c 00 01 00 04 03 08 00 41 00 00 00 01 02 f5 03  ........A.....?.
> HCI Event: Number of Completed Packets (0x13) plen 5
    0000: 01 0c 00 02 00  .....
> ACL data: handle 12 flags 0x02 dlen 18
    L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 4
      MTU 1013
At this point, the payload sent by the device varies greatly between runs, and even more so within a single run. For brevity I put the rest of the log on Pastebin: Link
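As an added example (not from the question or its author), here is a small standard-library Python decoder for the host-side ("<") ACL payloads that hcidump left as raw hex in the trace above; the sample bytes are copied from that dump. It shows that those frames are ordinary L2CAP signaling PDUs (connect and configure responses, an information request) that remain readable after the Encrypt Change event, because BR/EDR link encryption is applied in the controller, below the HCI interface where hcidump captures.

```python
import struct

# Host-side ACL payloads copied from the hcidump trace above (raw hex there).
SAMPLE_ACL = [
    "0c 00 01 00 03 02 08 00 40 00 40 00 01 00 00 00",
    "06 00 01 00 0a 01 02 00 02 00",
    "08 00 01 00 04 02 04 00 40 00 00 00",
    "0e 00 01 00 05 03 0a 00 40 00 00 00 00 00 01 02 30 00",
]
SIG_CODES = {0x02: "Connect req", 0x03: "Connect rsp", 0x04: "Config req",
             0x05: "Config rsp", 0x06: "Disconn req", 0x07: "Disconn rsp",
             0x0a: "Info req", 0x0b: "Info rsp"}

def parse_options(opts):
    # Configuration options are TLVs: type(1) length(1) value; type 0x01 = MTU.
    out, i = {}, 0
    while i + 2 <= len(opts):
        otype, olen = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + olen]
        if otype == 0x01 and olen == 2:
            out["mtu"] = struct.unpack("<H", value)[0]
        else:
            out[f"opt_{otype:#x}"] = value.hex()
        i += 2 + olen
    return out

def parse_l2cap(payload):
    # Basic L2CAP header: length(2) CID(2), little-endian, followed by the body.
    length, cid = struct.unpack_from("<HH", payload)
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError(f"truncated PDU: want {length} bytes, have {len(body)}")
    info = {"length": length, "cid": cid}
    if cid != 0x0001:
        return info  # connection-oriented data; its meaning depends on the PSM
    code, ident, cmd_len = struct.unpack_from("<BBH", body)
    data = body[4:4 + cmd_len]
    info.update(code=SIG_CODES.get(code, f"code {code:#x}"), id=ident)
    if code == 0x03:    # Connect rsp: dcid, scid, result, status
        info.update(zip(("dcid", "scid", "result", "status"), struct.unpack("<HHHH", data)))
    elif code == 0x04:  # Config req: dcid, flags, then options
        info["dcid"], info["flags"] = struct.unpack_from("<HH", data)
        info["options"] = parse_options(data[4:])
    elif code == 0x05:  # Config rsp: scid, flags, result, then options
        info["scid"], info["flags"], info["result"] = struct.unpack_from("<HHH", data)
        info["options"] = parse_options(data[6:])
    elif code == 0x0a:  # Info req: requested info type (2 = extended features)
        info["info_type"] = struct.unpack("<H", data)[0]
    return info

def decode_dump(lines=SAMPLE_ACL):
    return [parse_l2cap(bytes.fromhex(line)) for line in lines]
```

Running `decode_dump()` yields, for instance, a Connect rsp for dcid/scid 0x0040 with result 1 (pending) and a Config rsp carrying MTU 48, matching what hcidump decoded on the device side.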