Capturing the perfect (radio) wave

Lars Knudsen 🇩🇰 - Oct 30 - Dev Community

Introduction

When developing and debugging Bluetooth solutions, it is often necessary to know exactly what is being communicated over the air between connected devices.

For this purpose, a Bluetooth Protocol Analyzer (or Bluetooth Sniffer) is needed. In this post, I'll show you how to get started using the RFcreations mini-moreph together with the blueSpy software, available for download on the RFcreations website.

The software is available for Linux, Windows and Mac. That is a big plus for me, as I use Linux on my main development machine.

Getting started with Bluetooth sniffers

Even though I have been developing software in general for almost 40 years, and wireless-related software for the last 10, I've only recently been introduced to using Bluetooth protocol analyzers to debug Bluetooth solutions. This has been a great eye-opener for me (comparable to when I got my first oscilloscope after having done electronics "in the blind" for some years).

I am not an expert (yet), but I find the blueSpy software very enjoyable to use. Even though the RFcreations solution can capture and analyze very advanced stuff, I'm happy to see that the UI is snappy and the UX very intuitive. This allows me to explore and learn while using the tool, without being required to look through a bunch of documentation at the same time.

Our first capture

I thought about what would be a good first capture and remembered that I recently made a very simple Bluetooth Low Energy demo using Zephyr and Web, covered in an earlier post.

SimpleWebZephyr image

After powering up the Nordic Semiconductor nRF52840 Dongle, I connected the mini-moreph via USB and started the blueSpy software.

Initially, the screen looks like this:

blueSpy start screen

NOTE: If the device is not found automatically and you are using Linux, remember to add a udev rule that allows userspace access to the device (see the PDF manual included with the software):

SUBSYSTEM=="usb", ATTRS{idVendor}=="2bbd", ATTRS{idProduct}=="00f3", MODE="0666"
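Installing that rule and checking that it took effect, as an added shell example (mine, not from the post or the RFcreations manual): the rules directory, the file name and the group-restricted 0660 variant are my assumptions; the vendor and product IDs are the ones from the rule above.

```shell
# Added example, not from the post. Installs the mini-moreph udev rule
# (VID 2bbd / PID 00f3, as quoted in the post) and verifies the device node.
# Assumptions (mine): the rules directory/file name, and the optional
# GROUP/0660 variant as a tighter alternative to the manual's MODE="0666".

RULES_DIR="${RULES_DIR:-/etc/udev/rules.d}"
RULE_FILE="99-mini-moreph.rules"

# Write the rule into $1. $2 is the MODE (default 0666 as in the manual),
# $3 an optional group; with a group set, MODE 0660 limits access to members.
write_moreph_rule() {
    dir="$1"; mode="${2:-0666}"; group="${3:-}"
    rule='SUBSYSTEM=="usb", ATTRS{idVendor}=="2bbd", ATTRS{idProduct}=="00f3"'
    if [ -n "$group" ]; then
        rule="$rule, GROUP=\"$group\""
    fi
    rule="$rule, MODE=\"$mode\""
    printf '%s\n' "$rule" > "$dir/$RULE_FILE"
}

# Apply the new rule without a reboot. Needs root; silently skipped otherwise.
reload_udev() {
    if [ "$(id -u)" -eq 0 ] && command -v udevadm >/dev/null 2>&1; then
        udevadm control --reload-rules && udevadm trigger --subsystem-match=usb
    fi
}

# Print the permission bits of the attached analyzer's USB device node,
# or "absent" if no mini-moreph is plugged in / lsusb is unavailable.
# lsusb -d VID:PID prints e.g. "Bus 001 Device 005: ID 2bbd:00f3 ...".
moreph_node_mode() {
    line="$(lsusb -d 2bbd:00f3 2>/dev/null | head -n 1)" || true
    if [ -z "$line" ]; then
        echo absent
        return 0
    fi
    bus="$(printf '%s' "$line" | awk '{print $2}')"
    dev="$(printf '%s' "$line" | awk '{print $4}' | tr -d ':')"
    stat -c '%a' "/dev/bus/usb/$bus/$dev"
}

# Usage (as root): write_moreph_rule "$RULES_DIR"; reload_udev; moreph_node_mode
# Expect "666" with the manual's rule, "660" with the group variant.
```

MODE="0666" makes the analyzer readable and writable by every local account; the GROUP variant limits it to members of one group, which is what I would pick on a shared machine.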

Starting the capture

Click the red capture button to start capturing all traffic in the air. You should now see the "Filter devices" tab on the right quickly filling up with devices found around the analyzer. At first it can look a bit chaotic, but clicking the search button in the upper right corner lets you type a partial name, which should quickly bring the device of interest to the top of the table.

NOTE: I've also disabled WiFi capture and a few others in this example (keeping the summary view clean and focused).

Filtering summary

Now click the check mark in the "Shown" column for that device and watch the filtered traffic start to flow in the summary panel.

Filter device

We quickly see a bunch of advertising data emitted from the 'Simple Web Zephyr' dongle.

Connecting from Web

Now, from a phone, I open the test web page for the project and request a connection to the dongle. We then see the following initial handshake in the capture summary, including discovery of the service requested by the web application.

Connection and discovery

When I press and release the button on the nRF Dongle, I see two notifications being sent from the dongle. The first has the payload value 0x01 (indicating "Pressed")...

Pressed notify

...and the second has the payload value 0x00 (indicating "Released"), just as expected:

Released notify

From the web application, I now select the color red (payload: [0xFF, 0x00, 0x00])...

Write red 0xff,0x00,0x00

...followed by blue (payload: [0x00, 0x00, 0xFF])...

Write blue 0x00,0x00,0xff

Again, the captured data is as expected, but it's nice to verify :)

Disconnecting the web application from the dongle lets the dongle firmware go back to advertising mode, which we can verify in the summary pane.

Disconnect, advertising

Storing capture files

Sometimes capture files can become quite large, especially if the capture was made in an area with a lot of wireless traffic. To help with this, I found a very neat feature in the blueSpy file menu called "Save Advanced...", which allows you to store just the packets shown in the current filtered summary.

Save capture

In my case, this brought the capture file size down to ~2 MB (compared to ~90 MB for the full capture).

Conclusion

I had great fun finally being able to see the Bluetooth traffic in the air after developing and debugging Bluetooth solutions "in the blind" for years, and blueSpy made it enjoyable.

In my next post, I'll try to capture some LE Audio Broadcast sources to see how the analyzer handles those.
