A first look at Bluetooth Low Energy (BLE) and how to analyse it
Technology comparison
Specification          BLE            Classic Bluetooth
Frequency              2.4 GHz        2.4 GHz
Range                  100 m          10 m
Response latency       1-3 ms         100 ms
Security               128-bit AES    64/128-bit
Power consumption      1-50%          100%
Data rate              1 Mb/s         1-3 Mb/s
(The figures are the nominal values usually quoted in vendor comparisons. Both radios share the same 2.4 GHz ISM band, and real range depends on transmit power class and environment rather than on the protocol alone.)
Protocol characteristics
Licence-free ISM band: 2.400-2.4835 GHz
Divided into 40 RF channels, numbered 0-39, each 2 MHz wide
Frequency-hopping communication
Advertising channels: 3 (37, 38, 39). Data channels: 37 (0-36).
Advertisers cycle through the three advertising channels; once a connection is made, the two devices hop across the data channels using the channel map and hop increment carried in the connection request.
Specific channel layout: RF channel k is centred at 2402 + 2k MHz. Advertising channels 37, 38 and 39 sit at 2402, 2426 and 2480 MHz (RF channels 0, 12 and 39), spread across the band so that they fall outside the commonly used Wi-Fi channels 1, 6 and 11; data channels 0-10 occupy 2404-2424 MHz (RF 1-11) and data channels 11-36 occupy 2428-2478 MHz (RF 13-38).
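The channel arithmetic above, together with the legacy hop-selection algorithm (Channel Selection Algorithm #1, Core Spec Vol 6 Part B Sec 4.5.8.2) that a single-radio sniffer has to reproduce in order to follow a connection after reading the hop increment and channel map from the connection request. This is an added example, not code from the original notes; the channel maps and hop increment used in the sample are constructed.

```python
# Added example (not from the original notes): BLE RF/data channel mapping and
# the CSA#1 hop sequence a sniffer replays to stay on the connection.

ADV_CHANNELS = (37, 38, 39)
ALL_DATA_CHANNELS = (1 << 37) - 1   # channel map with all 37 data channels enabled


def rf_channel_freq_mhz(rf_channel: int) -> int:
    """RF (physical) channel index 0..39 -> centre frequency in MHz (2 MHz spacing)."""
    if not 0 <= rf_channel <= 39:
        raise ValueError("RF channel must be in 0..39")
    return 2402 + 2 * rf_channel


def adv_channel_to_rf(adv_channel: int) -> int:
    """Advertising channels 37/38/39 sit at RF 0/12/39 (2402/2426/2480 MHz)."""
    return {37: 0, 38: 12, 39: 39}[adv_channel]


def data_channel_to_rf(data_channel: int) -> int:
    """Data channels 0..10 -> RF 1..11, 11..36 -> RF 13..38 (the advertising slots are skipped)."""
    if not 0 <= data_channel <= 36:
        raise ValueError("data channel must be in 0..36")
    return data_channel + 1 if data_channel <= 10 else data_channel + 2


def used_channels(channel_map: int) -> list:
    """Bit i of the 37-bit channel map set -> data channel i is in use (ascending order)."""
    return [ch for ch in range(37) if channel_map >> ch & 1]


def hop_sequence(hop_increment: int, channel_map: int, count: int, last_unmapped: int = 0) -> list:
    """CSA#1: unmapped = (last + hopIncrement) mod 37. If that channel is disabled in
    the map, it is remapped to used[unmapped mod len(used)]. At connection start
    lastUnmappedChannel is 0, so the first event lands on hopIncrement itself."""
    if not 5 <= hop_increment <= 16:
        raise ValueError("hopIncrement is 5..16 per spec")
    used = used_channels(channel_map)
    if len(used) < 2:
        raise ValueError("channel map must enable at least two data channels")
    seq = []
    for _ in range(count):
        last_unmapped = (last_unmapped + hop_increment) % 37
        if channel_map >> last_unmapped & 1:
            seq.append(last_unmapped)
        else:
            seq.append(used[last_unmapped % len(used)])
    return seq


def hop_frequencies_mhz(hop_increment: int, channel_map: int, count: int) -> list:
    """Same sequence expressed as the frequencies a sniffer radio must retune to."""
    return [rf_channel_freq_mhz(data_channel_to_rf(ch))
            for ch in hop_sequence(hop_increment, channel_map, count)]


if __name__ == "__main__":
    # Constructed sample: hopIncrement 7, then the same with data channel 14 masked out.
    print(hop_sequence(7, ALL_DATA_CHANNELS, 5))
    print(hop_sequence(7, ALL_DATA_CHANNELS & ~(1 << 14), 5))
    print(hop_frequencies_mhz(7, ALL_DATA_CHANNELS, 5))
```

With every channel enabled the sequence is simply multiples of the hop increment modulo 37; masking a channel out of the map (as a device does when it sees Wi-Fi interference) changes only the remapped hops, which is why a sniffer must also track channel-map updates sent over the link.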
Finding nearby devices
The simplest method is an iPhone with a scanner app (LightBlue, BLE Finder, ...).
Characteristic specifications as named by the iPhone tools (Bluetooth SIG assigned numbers; every entry below has specification level "Adopted")
Name  Type  Assigned number
Alert Category ID  org.bluetooth.characteristic.alert_category_id  0x2A43
Alert Category ID Bit Mask  org.bluetooth.characteristic.alert_category_id_bit_mask  0x2A42
Alert Level  org.bluetooth.characteristic.alert_level  0x2A06
Alert Notification Control Point  org.bluetooth.characteristic.alert_notification_control_point  0x2A44
Alert Status  org.bluetooth.characteristic.alert_status  0x2A3F
Appearance  org.bluetooth.characteristic.gap.appearance  0x2A01
Battery Level  org.bluetooth.characteristic.battery_level  0x2A19
Blood Pressure Feature  org.bluetooth.characteristic.blood_pressure_feature  0x2A49
Blood Pressure Measurement  org.bluetooth.characteristic.blood_pressure_measurement  0x2A35
Body Sensor Location  org.bluetooth.characteristic.body_sensor_location  0x2A38
Boot Keyboard Input Report  org.bluetooth.characteristic.boot_keyboard_input_report  0x2A22
Boot Keyboard Output Report  org.bluetooth.characteristic.boot_keyboard_output_report  0x2A32
Boot Mouse Input Report  org.bluetooth.characteristic.boot_mouse_input_report  0x2A33
CSC Feature  org.bluetooth.characteristic.csc_feature  0x2A5C
CSC Measurement  org.bluetooth.characteristic.csc_measurement  0x2A5B
Current Time  org.bluetooth.characteristic.current_time  0x2A2B
Cycling Power Control Point  org.bluetooth.characteristic.cycling_power_control_point  0x2A66
Cycling Power Feature  org.bluetooth.characteristic.cycling_power_feature  0x2A65
Cycling Power Measurement  org.bluetooth.characteristic.cycling_power_measurement  0x2A63
Cycling Power Vector  org.bluetooth.characteristic.cycling_power_vector  0x2A64
Date Time  org.bluetooth.characteristic.date_time  0x2A08
Day Date Time  org.bluetooth.characteristic.day_date_time  0x2A0A
Day of Week  org.bluetooth.characteristic.day_of_week  0x2A09
Device Name  org.bluetooth.characteristic.gap.device_name  0x2A00
DST Offset  org.bluetooth.characteristic.dst_offset  0x2A0D
Exact Time 256  org.bluetooth.characteristic.exact_time_256  0x2A0C
Firmware Revision String  org.bluetooth.characteristic.firmware_revision_string  0x2A26
Glucose Feature  org.bluetooth.characteristic.glucose_feature  0x2A51
Glucose Measurement  org.bluetooth.characteristic.glucose_measurement  0x2A18
Glucose Measurement Context  org.bluetooth.characteristic.glucose_measurement_context  0x2A34
Hardware Revision String  org.bluetooth.characteristic.hardware_revision_string  0x2A27
Heart Rate Control Point  org.bluetooth.characteristic.heart_rate_control_point  0x2A39
Heart Rate Measurement  org.bluetooth.characteristic.heart_rate_measurement  0x2A37
HID Control Point  org.bluetooth.characteristic.hid_control_point  0x2A4C
HID Information  org.bluetooth.characteristic.hid_information  0x2A4A
IEEE 11073-20601 Regulatory Certification Data List  org.bluetooth.characteristic.ieee_11073-20601_regulatory_certification_data_list  0x2A2A
Intermediate Cuff Pressure  org.bluetooth.characteristic.intermediate_blood_pressure  0x2A36
Intermediate Temperature  org.bluetooth.characteristic.intermediate_temperature  0x2A1E
LN Control Point  org.bluetooth.characteristic.ln_control_point  0x2A6B
LN Feature  org.bluetooth.characteristic.ln_feature  0x2A6A
Local Time Information  org.bluetooth.characteristic.local_time_information  0x2A0F
Location and Speed  org.bluetooth.characteristic.location_and_speed  0x2A67
Manufacturer Name String  org.bluetooth.characteristic.manufacturer_name_string  0x2A29
Measurement Interval  org.bluetooth.characteristic.measurement_interval  0x2A21
Model Number String  org.bluetooth.characteristic.model_number_string  0x2A24
Navigation  org.bluetooth.characteristic.navigation  0x2A68
New Alert  org.bluetooth.characteristic.new_alert  0x2A46
Peripheral Preferred Connection Parameters  org.bluetooth.characteristic.gap.peripheral_preferred_connection_parameters  0x2A04
Peripheral Privacy Flag  org.bluetooth.characteristic.gap.peripheral_privacy_flag  0x2A02
PnP ID  org.bluetooth.characteristic.pnp_id  0x2A50
Position Quality  org.bluetooth.characteristic.position_quality  0x2A69
Protocol Mode  org.bluetooth.characteristic.protocol_mode  0x2A4E
Reconnection Address  org.bluetooth.characteristic.gap.reconnection_address  0x2A03
Record Access Control Point  org.bluetooth.characteristic.record_access_control_point  0x2A52
Reference Time Information  org.bluetooth.characteristic.reference_time_information  0x2A14
Report  org.bluetooth.characteristic.report  0x2A4D
Report Map  org.bluetooth.characteristic.report_map  0x2A4B
Ringer Control Point  org.bluetooth.characteristic.ringer_control_point  0x2A40
Ringer Setting  org.bluetooth.characteristic.ringer_setting  0x2A41
RSC Feature  org.bluetooth.characteristic.rsc_feature  0x2A54
RSC Measurement  org.bluetooth.characteristic.rsc_measurement  0x2A53
SC Control Point  org.bluetooth.characteristic.sc_control_point  0x2A55
Scan Interval Window  org.bluetooth.characteristic.scan_interval_window  0x2A4F
Scan Refresh  org.bluetooth.characteristic.scan_refresh  0x2A31
Sensor Location  org.bluetooth.characteristic.sensor_location  0x2A5D
Serial Number String  org.bluetooth.characteristic.serial_number_string  0x2A25
Service Changed  org.bluetooth.characteristic.gatt.service_changed  0x2A05
Software Revision String  org.bluetooth.characteristic.software_revision_string  0x2A28
Supported New Alert Category  org.bluetooth.characteristic.supported_new_alert_category  0x2A47
Supported Unread Alert Category  org.bluetooth.characteristic.supported_unread_alert_category  0x2A48
System ID  org.bluetooth.characteristic.system_id  0x2A23
Temperature Measurement  org.bluetooth.characteristic.temperature_measurement  0x2A1C
Temperature Type  org.bluetooth.characteristic.temperature_type  0x2A1D
Time Accuracy  org.bluetooth.characteristic.time_accuracy  0x2A12
Time Source  org.bluetooth.characteristic.time_source  0x2A13
Time Update Control Point  org.bluetooth.characteristic.time_update_control_point  0x2A16
Time Update State  org.bluetooth.characteristic.time_update_state  0x2A17
Time with DST  org.bluetooth.characteristic.time_with_dst  0x2A11
Time Zone  org.bluetooth.characteristic.time_zone  0x2A0E
Tx Power Level  org.bluetooth.characteristic.tx_power_level  0x2A07
Unread Alert Status  org.bluetooth.characteristic.unread_alert_status  0x2A45
(CSC = cycling speed and cadence, RSC = running speed and cadence, SC = speed and cadence, LN = location and navigation.)
Mnemonic  UUID format  UUID  Reference specification
«Device Name»  uuid16  0x2A00  Bluetooth Core Specification, Vol 3, Part C, Sec 12.1
«Appearance»  uuid16  0x2A01  Bluetooth Core Specification, Vol 3, Part C, Sec 12.2
«Peripheral Privacy Flag»  uuid16  0x2A02  Bluetooth Core Specification, Vol 3, Part C, Sec 12.3
«Reconnection Address»  uuid16  0x2A03  Bluetooth Core Specification, Vol 3, Part C, Sec 12.4
«Peripheral Preferred Connection Parameters»  uuid16  0x2A04  Bluetooth Core Specification, Vol 3, Part C, Sec 12.5
«Service Changed»  uuid16  0x2A05  Bluetooth Core Specification, Vol 3, Part G, Sec 7.1
UUID is short for "Universally Unique Identifier". In BLE every service, characteristic and descriptor is identified by a UUID. The SIG-adopted ones in the tables above are 16-bit aliases that expand into the 128-bit Bluetooth base UUID 0000xxxx-0000-1000-8000-00805F9B34FB; vendor-defined ones are full 128-bit values. This is why scanner apps can name the standard services and characteristics automatically but show a vendor's private ones only as raw UUIDs.
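An added example (not code from the original notes) of the alias rule just described: expanding a 16-bit SIG UUID into its 128-bit form, and going the other way to decide whether a UUID seen in a scanner app is a SIG alias that can be named from the table above or a vendor-defined UUID that has to be reverse engineered. The small local name table and the vendor UUID used as sample input are constructed for the example.

```python
# Added example, not from the original notes: 16-bit <-> 128-bit BLE UUID handling.
import uuid

BT_BASE_UUID = uuid.UUID("00000000-0000-1000-8000-00805F9B34FB")
_LOW96_MASK = (1 << 96) - 1   # everything below the first 32-bit field

# A few entries copied from the characteristics table above (local sample table).
SIG_CHARACTERISTICS = {
    0x2A00: "Device Name",
    0x2A01: "Appearance",
    0x2A06: "Alert Level",
    0x2A19: "Battery Level",
    0x2A26: "Firmware Revision String",
}


def expand_uuid16(alias: int) -> uuid.UUID:
    """16-bit SIG alias -> 128-bit UUID: the alias fills bits 96..111 of the base UUID."""
    if not 0 <= alias <= 0xFFFF:
        raise ValueError("alias must fit in 16 bits")
    return uuid.UUID(int=BT_BASE_UUID.int | (alias << 96))


def sig_alias(u: uuid.UUID):
    """Return (bits, alias) if u is in the SIG base (16- or 32-bit alias), else None."""
    if u.int & _LOW96_MASK != BT_BASE_UUID.int:
        return None
    top32 = u.int >> 96
    return (16, top32) if top32 <= 0xFFFF else (32, top32)


def classify(u) -> str:
    """Human-readable verdict for a UUID string or uuid.UUID, as a scanner would show it."""
    if isinstance(u, str):
        u = uuid.UUID(u)
    hit = sig_alias(u)
    if hit is None:
        return "vendor-specific 128-bit UUID"
    bits, alias = hit
    width = 4 if bits == 16 else 8
    name = SIG_CHARACTERISTICS.get(alias, "not in local table")
    return f"SIG {bits}-bit alias 0x{alias:0{width}X}: {name}"


if __name__ == "__main__":
    print(expand_uuid16(0x2A06))
    print(classify("00002a06-0000-1000-8000-00805f9b34fb"))
    # Constructed vendor UUID (not a real product's): no SIG name available.
    print(classify("12345678-1234-5678-1234-56789abcdef0"))
```

The comparison is on the low 96 bits only, so a 32-bit alias (first field above 0xFFFF) is still recognised as SIG-assigned; anything whose tail differs from the base UUID is private to the manufacturer.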
Test: Xiaomi Mi Band 2
LightBlue identifies the standard services automatically from their UUIDs.
Writing a new value (as hex) to the Alert Level characteristic (0x2A06, under the Immediate Alert service) makes the band vibrate. The specification defines only 0 (No Alert), 1 (Mild Alert) and 2 (High Alert); the band also accepts the out-of-spec value 3.
Vibration test results: 1 shows the SMS-alert icon, 2 the incoming-call alert, 3 a plain vibration (the "find my band" function).
The system time and other values can also be changed (functionality Xiaomi does not expose in its app); these characteristics have to be dug out by hand.
The security-relevant point is that any central in range that can connect and write this characteristic can trigger the alert; nothing in the exchange authenticates the writer.
The following has not yet been verified.
Sniffing BLE protocol data
The cheapest single-radio BLE analyser: an nRF51822-based sniffer dongle feeding its captures into Wireshark.
See the KCON2017 BLE slides for details.
A single-radio sniffer can follow a connection only if it catches the connection request on an advertising channel, because that packet carries the access address, CRC initialisation value, hop increment and channel map it needs to hop along with the two devices. Data channel payloads appear in the clear only while the link is unencrypted; once the devices have paired and enabled link-layer encryption, the sniffer sees ciphertext.
Attack methods
Passive sniffing: capture the data carried in BLE protocol exchanges (device names, measurements, written values) from an unencrypted link.
Replay: resend a captured packet, for example an ATT Write Command, to impersonate the original central and gain unauthorised access; the command carries no freshness value, so the peripheral cannot tell a replay from the original.
Man-in-the-middle: relay the link through the attacker's own radios, which also stretches it beyond BLE's normal range, and tamper with the data in transit; this works whenever the peripheral does not authenticate the central it is talking to.
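The ATT/L2CAP framing a passive sniffer sees on an unencrypted link, applied to the Mi Band 2 Alert Level writes from the test above and to the replay point in the attack list. This is an added example, not code from the original notes or from the sniffer tooling it mentions: the attribute handles (0x0003, 0x0012, 0x0020) and the whole capture are constructed for illustration; on a real device the handles come from service discovery with LightBlue or gatttool.

```python
# Added example, not from the original notes: decode sniffed L2CAP/ATT frames and
# pick out the Write Commands an attacker could replay verbatim.
import struct

L2CAP_CID_ATT = 0x0004   # Attribute Protocol channel on LE links
L2CAP_CID_SMP = 0x0006   # Security Manager Protocol channel (pairing)

ATT_OPCODES = {
    0x0A: "Read Request", 0x0B: "Read Response",
    0x12: "Write Request", 0x13: "Write Response",
    0x52: "Write Command",   # unacknowledged write: no response from the peripheral
    0x1B: "Handle Value Notification", 0x1D: "Handle Value Indication",
}
# Alert Level values defined by the Immediate Alert service; anything else is
# outside the spec and device-specific (the Mi Band 2 accepts 3).
ALERT_LEVELS = {0: "No Alert", 1: "Mild Alert", 2: "High Alert"}


def l2cap_frame(cid: int, payload: bytes) -> bytes:
    """Basic L2CAP header: 2-byte payload length, 2-byte CID, both little-endian."""
    return struct.pack("<HH", len(payload), cid) + payload


def att_read_request(handle: int) -> bytes:
    return bytes([0x0A]) + struct.pack("<H", handle)


def att_read_response(value: bytes) -> bytes:
    return bytes([0x0B]) + value


def att_write_command(handle: int, value: bytes) -> bytes:
    return bytes([0x52]) + struct.pack("<H", handle) + value


def att_notification(handle: int, value: bytes) -> bytes:
    return bytes([0x1B]) + struct.pack("<H", handle) + value


def parse_l2cap(frame: bytes):
    if len(frame) < 4:
        raise ValueError("short L2CAP frame")
    length, cid = struct.unpack_from("<HH", frame)
    payload = frame[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated L2CAP payload")
    return cid, payload


def parse_att(pdu: bytes) -> dict:
    if not pdu:
        raise ValueError("empty ATT PDU")
    op = pdu[0]
    rec = {"opcode": op, "name": ATT_OPCODES.get(op, f"opcode 0x{op:02X}")}
    if op == 0x0A:
        (rec["handle"],) = struct.unpack_from("<H", pdu, 1)
    elif op in (0x12, 0x52, 0x1B, 0x1D):
        (rec["handle"],) = struct.unpack_from("<H", pdu, 1)
        rec["value"] = pdu[3:]
    elif op == 0x0B:
        rec["value"] = pdu[1:]
    return rec


def decode_capture(frames, alert_level_handle: int) -> list:
    """Decode sniffed L2CAP frames; annotate writes to the Alert Level handle."""
    records = []
    for frame in frames:
        cid, payload = parse_l2cap(frame)
        if cid != L2CAP_CID_ATT:
            records.append({"cid": cid, "name": "SMP" if cid == L2CAP_CID_SMP else "non-ATT"})
            continue
        rec = parse_att(payload)
        if rec["opcode"] in (0x12, 0x52) and rec.get("handle") == alert_level_handle and rec["value"]:
            level = rec["value"][0]
            rec["alert_level"] = ALERT_LEVELS.get(level, f"vendor-specific ({level})")
        records.append(rec)
    return records


def replayable_writes(frames) -> list:
    """Write Commands carry no sequence number, nonce or response, so on an
    unencrypted link each captured one is a ready-to-resend frame."""
    out = []
    for frame in frames:
        cid, payload = parse_l2cap(frame)
        if cid == L2CAP_CID_ATT and payload and payload[0] == 0x52:
            out.append(frame)
    return out


# Constructed capture with assumed handles: read Device Name, two Alert Level
# writes as in the Mi Band 2 test, then a battery notification.
DEVICE_NAME_HANDLE = 0x0003
ALERT_LEVEL_HANDLE = 0x0012
BATTERY_HANDLE = 0x0020
SAMPLE_CAPTURE = [
    l2cap_frame(L2CAP_CID_ATT, att_read_request(DEVICE_NAME_HANDLE)),
    l2cap_frame(L2CAP_CID_ATT, att_read_response(b"MI Band 2")),
    l2cap_frame(L2CAP_CID_ATT, att_write_command(ALERT_LEVEL_HANDLE, b"\x02")),  # High Alert
    l2cap_frame(L2CAP_CID_ATT, att_write_command(ALERT_LEVEL_HANDLE, b"\x03")),  # out-of-spec value
    l2cap_frame(L2CAP_CID_ATT, att_notification(BATTERY_HANDLE, b"\x5a")),
]

if __name__ == "__main__":
    for rec in decode_capture(SAMPLE_CAPTURE, ALERT_LEVEL_HANDLE):
        print(rec)
    print(f"{len(replayable_writes(SAMPLE_CAPTURE))} write command(s) could be replayed verbatim")
```

A real sniffer capture would carry these frames inside link-layer data PDUs with the connection's access address; the decoding of the ATT layer is the same, and the replayable-write check is exactly what makes the unauthenticated Alert Level write above a practical nuisance rather than a curiosity.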