BT_Sentry : Bluetooth Sniffing

mcb1

27 Jun 2018

This is the 8th of my Blogs for the Bluetooth Unleashed Design Challenge

The other posts are here :-

BT_Sentry Introduction

BT_Sentry : Zero Emission Detection

BT_Sentry : Data Transmission

BT_Sentry : Sentry Power

BT_Sentry : Raspberry Pi

BT_Sentry : Bluetooth Options

BT_Sentry : Software

Concept

The idea is to detect the bluetooth transmitted from the vehicle and signal other Home Automation functions.

If the vehicle is known then it can open the garage door, and inform the home owner that xx is home.

Hardware

The detection point needs to be at the start of the driveway, and because there is no power source, this will need to be low power with solar charging.

The PSOC range seems a very good fit, but because of the timeline and my need to upskill, the inital design will be Arduino based and some form of RF transmitter/transceiver.

Adding a vehicle detection loop or beam is necessary to ensure those vehicles without bluetooth will also trigger the system.

So last week I was over on the West Coast looking at Vertigo Technologies CNC Routers. (https://vertigotech.co.nz/ )

I do like their Haas Vertical Mill, and while it has nothing to do with this challenge, as a maker you can't help be in awe of it.

The rear shows just how serious it is. and below ....

A few minutes on Fusion360 and Brett knocked up this for the publisher ... he even double sided it while he was removing the excess material.

So after a few days away last week, and a sudden change in personal circumstances, I'm really behind the eight ball.

I'm currently staying in town at my sons place, to help out, and I've had to pack up a box of bits, copy the files onto a portable drive, and borrow a desk.

I decided that the BT sniffing is going to get done, regardless of the other bits/parts/aspects.

HC05 Modules

While I was ordering parts, I ran across some HC05 and HC06 Bluetooth Modules.

They appear from different vendors, but this particular one was rather quick at getting them here.

https://www.aliexpress.com/item/HC05-HC-05-master-slave-6pin-JY-MCU-anti-reverse-integrated-Bluetooth-serial-pass-throug…

https://www.aliexpress.com/item/Free-shipping-1PCS-HC06-HC-06-Wireless-Serial-4-Pin-

These modules operate as if they are a modem.

You issue Hayes style commands (AT <parameter>) and they respond, or in some cases come back with an error.

In order to issue commands, you need to put them into command mode, and in the case of the HC05 I have, press and hold the button, while applying power.

It should flash at a 2 second rate.

Not so easy for the HC06 modules I received, and despite many attempts, I gave up.

I searched the internet for some sketches, and found that in command mode, they use 38400 baud, while in data mode they use 9600 baud .... great.

I ran across several posts that simply use the Arduino as a serial to serial buffer by using softserial and the terminal.

While I tried that, in the end I connected it to an USB to FTDI and simply plugged that in instead of the Arduino, pointed the IDE at that port, and used the terminal windows in the IDE to talk directly to the HC05 via the USB to FTDI.

Wiring them up and making them communicate is a bit of luck, hope and the odd frustration.

I did find this list of commands useful, but not exactly easy to decide what I should set and what I shouldn't.

https://www.itead.cc/blog/more-powerful-serial-port-bluetooth-module-masterslave

There is a pdf version but it doesn't give much more.

ftp://imall.iteadstudio.com/BLOG/2010_07/More_Powerful_Serial_Port_Bluetooth_Module_MasterSlave.pdf

Another source of information is here

https://www.slideshare.net/wgarcia02/hc-05at-commandset

and Terry King has some here

https://arduino-info.wikispaces.com/BlueToothCommandUtility

Finally

Not to be outdone, I kept looking and ran across this

Braindump: Bluetooth, Teensy and Linux

Finally a set of instructions and some other mystery settings that I managed to get working.

While I didn't use his sketch and Teensy, I did use the command settings.

Strangely you seem to be able to issue some commands when it's in Data made.

I'm presuming that until you actually pair a device, it isn't in data made, rather like the old modem days where until the far end answers and the two shake hands, it still accepts commands.

Commands

I imagine each unit may be different, so I'll list the settings I used, and the response received.

AT
OK
AT+VERSION?
+VERSION:2.0-20100601
OK
AT+INIT
( .... LED changes to flashing fast and nothing on the terminal ....)
AT+CLASS=0
AT+ROLE=1
OK
AT+ROLE?
+ROLE:1
OK
AT+IAC?
+IAC:9e8b33
OK
AT+INQM?
+INQM:1,9,48
OK
AT+PSWD?
+PSWD:1234
OK
AT+UART?
+UART:38400,0,0
OK
AT+CMODE=1
OK
AT+CMODE?
+CMOD:1
OK
AT+BIND=0
OK
AT+BIND?
+BIND:0:0:0
OK
AT+SNIFF?
+SNIFF:0,0,0,0
OK
AT+SENM?
+SENM:0,0
OK
AT+RMAAD    (this clears any history of connected devices)
OK
AT+ADCN?
+ADCN:0
OK
AT+MRAD?
+MRAD:0:0:0
OK
AT+INQ

So with a few commands setting up the unit, it will transmit and make itself known to other devices.

Once you've entered the AT+INIT, it drops out of command mode, and some settings require going back into command mode.

After playing with the above I was able to make it discoverable to my phone, and I noted that the unit had in fact picked up my phones BT MAC address.

SO it looks like things are heading in the right direction.

Repower

Once you drop the power, the HC05 goes back into the INITIALIZED state.

In order to make it work, you need to issue the AT+INIT command

Typing AT+STATE? will come back with +STATE:INQUIRING

I'm not sure what I'm missing but the phone doesn't discover it, but the HC05 module does discover the phone.

This is looking like it works the way I want, but there are some commands to sort out, and the order.

When you re-power it, it doesn't enter command mode.

SO I'm going to do the hardware thing of pulling pins high before powering the module.

You need to issue AT+INIT for it to start running in the mode you've set (It does seem to store the mode).

Then you need to remove any old MAC address it knows about, before checking if it's found something.

Until I find another BT device I'm not going to know if my methods are correct or not.

SO these are the commands and order I'll be adding into a sketch.

AT+BIND=0
OK
AT+INIT
At+STATE?
+STATE:INQUIRING
OK

Then start issuing the AT+BIND? to check for a BT device

AT+BIND?
+BIND:5409:55:6e4ae0
OK

if a BT device is detected, then issue AT+BIND=0 and repeat checking with AT+BIND?

MAC Address

The MAC address output is not straight forward.

This result above (5409:55:6e4ae0) is okay, but the HC05 will truncate leading zeros and you can end up with

AT+BIND?
+BIND:18:e5:43e8c
OK

Apparently the 9 digits above translate to :-

00:18:e5:04:3e:8c

SO it looks like there is some string manipulation to be performed.

I'm thinking that I'll manipulate and send it as a single 12 digit number, which means it can be used to add to file names without further manipulation.

I'm happy that I have something that works.

It might need some tweaking but I can move forward now to the next phase.

Mark

Top Comments

fmilburn over 6 years ago in reply to mcb1

I’m interested to see what you are able to do with the microwave detectors...
- Cancel
- Vote Up +3 Vote Down
- Sign in to reply
- More
- Cancel
Jan Cumps over 6 years ago in reply to mcb1

I’ve tried o find the lower level api for this device. Although it’s labeled as open source, the underlying libs are only available as precompiled binary blobs. strange ...
- Cancel
- Vote Up +3 Vote Down
- Sign in to reply
- More
- Cancel
mcb1 over 6 years ago

RFDuino
An update for those following this.

I dug out my RFduino and hooked them up.
While they look like a great device with plenty of options, the BLE stack commands and data is rather limited.

I was unable to find any setting to give the MAC address, so they aren't of use in my application.
The datasheet for the BLE module is here http://www.rfdigital.com/wp-content/uploads/2015/08/RFD22301.Data.Sheet.08.20.15_4.36PM.pdf

Jan Cumps
They are much lower power consumption than many of the other offerings, so it's a pity.

The good news is my Microwave detectors (from the second source) arrived just now.

That means I can do some experimenting, and try out some ideas I have for the enclosure.

Mark

I thought this might amuze some ....
- Cancel
- Vote Up +7 Vote Down
- Sign in to reply
- More
- Cancel
mcb1 over 6 years ago

Thanks genebren

Luckily I had a chance to read shabaz post about Swann Cameras.
Swann cameras may be worth avoiding for a while..

ntewinkel referenced issues with tapplock, and in the article they mention BT and RFduino.
https://blog.hackster.io/the-tapplock-a-typical-iot-problem-child-60dff98a0407

I happen to have a couple of RFduinos at home, and maybe the BT they have will be easier than the HC05.
(Job for later today ...)

Mark
- Cancel
- Vote Up +4 Vote Down
- Sign in to reply
- More
- Cancel
DAB over 6 years ago

Nice update Mark.

I agree, the CNC machine looks interesting.

DAB
- Cancel
- Vote Up +3 Vote Down
- Sign in to reply
- More
- Cancel