pyluba
Reverse engineer the BLE interface
And document here: https://github.com/02JanDal/pyluba/wiki/BLE
Fantastic to see this project kicking off - thank you for making a start 🙇🏻♂️
I'm going to experiment with the Android Bluetooth HCI snoop logs this evening to see if it exposes anything interesting.
I'll report back what I find!
OK, I've successfully captured the packets going back and forth between my phone and Luba during the following actions:
- App startup
- Auto "pile down" (AKA automatic disconnection from the charging station. Clearly a translation issue in the app)
- Manual drive forward
- Manual drive backward
- Manual drive left
- Manual drive right
- Auto return to charger
I can see those various instructions in the logs, but I have not yet figured out the structure of the protocol sitting more broadly around those specific instructions.
I'll keep working on this and report back as I learn more.
I'm a little reluctant to share the raw logs at the moment because I don't yet know how much personal information is included - probably a lot of GPS location data etc.
Oh! And I should mention that I definitely don't want to be "claiming" this bit of the reverse engineering for myself! Please, please contribute if you can!
Awesome! Based on the naming of a few of the classes in the APK I think it might be encoding the data using ProtocolBuffers, so that might be a format to consider.
If you run into any fields called "productKey", "productSecret" or "deviceName" (or some variation thereof) please let me know, they seem to be required to control the Luba via the cloud and I suspect that they are somehow exchanged over BLE.
Aha! Yes, it seems the messages are definitely encoded using Protobuf - an excellent hint.
I can definitely see a packet coming from Luba to the phone during the app start-up which gives the unique name of the Luba (i.e. "Luba-ABCDEFG") alongside an additional 11 character alphanumeric string. I wonder if that might be your "deviceName" and "productSecret"?
How does the Luba update the firmware? Is it over Bluetooth? I'm still waiting on my Luba, but I've recently done a lot of Bluetooth sniffing from iPhone and Android (Android has made it a bit harder by requiring you to output a bug report to get the log).
I don't know this for certain, but observing from the outside during my own experience of updating the firmware, I believe the phone (via Bluetooth) instructs the Luba to pull the update and then the Luba downloads it directly via its own WiFi connection, probably reporting progress via Bluetooth back to the phone.
Certainly the WiFi and Bluetooth both play a role in the update because both the following conditions must be true for a firmware update to succeed:
- Luba has strong direct WiFi connection
- Strong Bluetooth connection between phone and Luba
@oliverparis I manually went through the protobuf parser in the APK and got a protobuf schema that seems to be working for the few messages I've managed to intercept over MQTT, and just committed the files to the repo.
You can use the command here and see if it works for your messages as well.
For example, the base64 encoded message CPMBEAEYByACKJOTAjABYgQiAgg8 corresponds to:
root:
1 msgtype = EMBED_DRIVER
2 sender = MAINCTL
3 receiver = MOBILEAPP
4 msgattr = RESP
5 seqs = 35219
6 version = 1
12 subMsg = MctlDriver:
4 subDrvMsg = DrvKnifeHeight(1 knifeHeight = 60)
(for some reason the current knife height is broadcast over MQTT very frequently...)
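When you intercept a message like the one above but do not yet have (or do not trust) a schema, the raw protobuf wire format can still be walked field by field: every field starts with a varint tag (field number << 3 | wire type), and length-delimited fields can be speculatively re-parsed as nested messages. The following schema-less decoder is an added example and is not part of pyluba or the Luba-API project; it takes the base64 message quoted above as a constructed input and reproduces the field numbers and values shown in the decoded listing (243 is the raw enum value behind EMBED_DRIVER). The nested-message guess is a heuristic: a string or bytes field whose contents happen to parse as valid wire format will be reported as a sub-message, which only the real schema can resolve.

```python
import base64

# Constructed input: the base64-encoded MQTT message quoted in this thread.
SAMPLE_B64 = "CPMBEAEYByACKJOTAjABYgQiAgg8"


def read_varint(buf, pos):
    """Decode a base-128 little-endian varint at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_fields(buf):
    """Walk protobuf wire format without a schema.

    Returns a list of (field_number, wire_type, value). Length-delimited
    payloads (wire type 2) are returned as a nested field list when they
    parse cleanly as a message, otherwise as raw bytes (heuristic, see lead-in).
    Raises ValueError on malformed input rather than silently misparsing.
    """
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x07
        if field_no == 0:
            raise ValueError("invalid field number 0")
        if wire_type == 0:  # varint (ints, bools, enums)
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:  # fixed64
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value, pos = int.from_bytes(buf[pos:pos + 8], "little"), pos + 8
        elif wire_type == 2:  # length-delimited: string, bytes, or sub-message
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            payload, pos = buf[pos:pos + length], pos + length
            try:
                value = decode_fields(payload) if payload else b""
            except ValueError:
                value = payload
        elif wire_type == 5:  # fixed32
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value, pos = int.from_bytes(buf[pos:pos + 4], "little"), pos + 4
        else:  # groups (3, 4) are deprecated and not emitted by modern protobuf
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def decode_b64(message_b64):
    """Base64-decode an intercepted message and return its schema-less field tree."""
    return decode_fields(base64.b64decode(message_b64))


def format_fields(fields, indent=0):
    """Render the field tree one field per line, nesting sub-messages by indent."""
    lines = []
    for field_no, wire_type, value in fields:
        pad = "  " * indent
        if isinstance(value, list):
            lines.append(f"{pad}{field_no} (wt {wire_type}) message:")
            lines.extend(format_fields(value, indent + 1))
        else:
            lines.append(f"{pad}{field_no} (wt {wire_type}) = {value!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_fields(decode_b64(SAMPLE_B64))))
```

Run as-is it prints fields 1 through 6 as varints (243, 1, 7, 2, 35219, 1) and field 12 as a sub-message containing field 4, which in turn holds field 1 = 60, i.e. the knife height. Mapping those numbers to names (msgtype, sender, MctlDriver, ...) is exactly what the committed .proto schema adds on top.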
Already done, see https://github.com/mikey0000/Luba-API
I think we can close this now.