23 Jun 2022
Notes on Bluetooth trackers and beacons
Notes taken while researching the basics of Bluetooth / BLE trackers and beacons, in mid-2022.
General
- Bluetooth Low Energy (BLE) is used by most cheap tracking devices including Tile
- Not sure what Apple AirTags use (something proprietary?)
- BLE is conceptually similar to RFID but it’s active rather than passive and requires a battery
- Not sure if it’s query/response or continually transmitting an ID…
- Interestingly, it looks like it should be possible to build a passive (remotely powered) BLE tag
- https://ieeexplore.ieee.org/document/7898833
- Doesn’t seem like there are any in production, or any systems that would read them, though… but a neat idea
- There are multiple competing data formats for BLE “beacons” (not sure if they are the same as tags)… the Eddystone format is backed by Google
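Since the notes mention competing beacon formats without showing what is actually on the air, here is an added example (my code, not from the original notes) that splits a raw BLE advertising payload into AD structures and decodes an Eddystone-UID frame and an iBeacon frame. The two sample advertisements are constructed rather than captured, and the parser rejects truncated structures instead of over-reading.

```python
import struct
from typing import Dict, List, Tuple

# Added example (not from the original notes): decode the two common BLE beacon
# payload formats from raw advertising data. Input is the advertising PDU
# payload (up to 31 bytes): a sequence of AD structures [len][type][data...].

EDDYSTONE_UUID = b"\xaa\xfe"    # 16-bit UUID 0xFEAA, little-endian on the air
APPLE_COMPANY_ID = b"\x4c\x00"  # Bluetooth SIG company id 0x004C, little-endian


def ad_structures(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split advertising data into (ad_type, data) pairs; a zero length ends it."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # padding: the remainder is unused
            break
        if i + 1 + length > len(payload):    # truncated structure: never over-read
            raise ValueError("AD structure runs past end of payload")
        out.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def decode_beacon(payload: bytes) -> Dict[str, object]:
    """Recognise Eddystone-UID (service data 0xFEAA) or iBeacon (Apple mfr data)."""
    for ad_type, data in ad_structures(payload):
        if ad_type == 0x16 and data[:3] == EDDYSTONE_UUID + b"\x00" and len(data) >= 20:
            # Eddystone-UID: frame type 0x00, tx power at 0 m, 10-byte namespace, 6-byte instance
            tx_power = struct.unpack("b", data[3:4])[0]
            return {"format": "eddystone-uid", "tx_power": tx_power,
                    "namespace": data[4:14].hex(), "instance": data[14:20].hex()}
        if ad_type == 0xFF and data[:4] == APPLE_COMPANY_ID + b"\x02\x15" and len(data) >= 25:
            # iBeacon: 16-byte UUID, big-endian major/minor, signed tx power at 1 m
            uuid, major, minor, tx_power = struct.unpack(">16sHHb", data[4:25])
            return {"format": "ibeacon", "uuid": uuid.hex(), "major": major,
                    "minor": minor, "tx_power": tx_power}
    return {"format": "unknown"}


# Constructed sample advertisements (not captured from real devices).
EDDYSTONE_ADV = bytes.fromhex(
    "020106"                                   # Flags: LE General Discoverable
    "0303aafe"                                 # Complete list of 16-bit UUIDs: FEAA
    "1716aafe00" "e7" "00112233445566778899" "aabbccddeeff" "0000"
)
IBEACON_ADV = bytes.fromhex(
    "020106"
    "1aff4c000215" "0123456789abcdef0123456789abcdef" "0001" "0002" "c5"
)
```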
Presence Detection for Home Automation
- Room-level presence detection is possible with Raspberry Pi (3 or later)
- Most ESP32 (not ESP8266!) boards can do BLE and can act as a “base station” or detector
- Blecker runs on ESP32 and sends MQTT messages when a tracker is detected
- https://github.com/redakker/blecker
- It has Home Assistant integration and auto-detect/setup features
- ESPHome supports BLE base station:
- Not really sure about ESPHome vs Blecker pro/cons
- Current-generation phones should also be able to read BLE tags…
- Privacy implications
- If you’re carrying around a tag that can be used for presence detection by your HA system (because it’s constantly transmitting a fixed ID or MAC-like address or whatever), anyone else with a BLE receiver can also track you…
- It might be better to use WiFi / DHCP rather than BLE, since that requires your phone (or laptop or whatever) to associate with the local WiFi AP and request an IP address
- In general though, I’m not convinced that someone carrying around a modern (2022) phone and laptop in their default configurations isn’t trackable anyway, i.e. it would take work for a normal person to manage their cyber-EM signature down to something that wasn’t uniquely identifying and trackable
Milwaukee “Tick” Asset Trackers
I got a free one of these to play around with, so naturally, I played around with it.
- Marked “Contains IC: 5123A-BGTBLE113”
- The BLE113 is a fairly common BLE chip from Silicon Labs
- https://www.silabs.com/documents/public/data-sheets/BLE113-DataSheet.pdf
- Based on the Texas Instruments CC2541, which itself uses an 8051 CPU (3.3V part)
- Described as “8051-compatible”
- Sample unit:
[SERIAL REDACTED]
- Polled it using an app on my iPhone SE, which contains a BLE-compatible BT chipset
- Has a Device UUID
- Also a Service UUID in the “Advertisement”
- The advertised Service ID leads to a ‘Custom Service’
- Firmware Revision String
- Client Characteristic Configuration
- Primary Service is “Device Information”
- Serial Number String: Set to 123456789
- Model Number String: BLE113
- Manufacturer Name String: MILWAUKEE TOOL
- Does not stay connected for very long! Maybe 10s at most before it disconnects, presumably to save battery power
Linux Tools
- Avoid any scripted use of hcitool or hcidump … they are not meant for continuous operation
- Instead: https://ukbaz.github.io/howto/beacon_scan_cmd_line.html
- But hcitool is still usable for testing… seems to work okay, but not guaranteed
- To scan using bluetoothctl (modern way): bluetoothctl syntax has changed from what is in that article:
$ bluetoothctl
[bluetooth]# menu scan
[bluetooth]# clear
SetDiscoveryFilter success
[bluetooth] back
[bluetooth] scan on
- Bluepy is a Python utility… pip3 installs 1.3.0 (23 Jun 2022)
- Bleah has been deprecated and now replaced by “bettercap”
Bettercap Sniffing Tool on Linux
- Technically Bettercap runs on Windows and Mac OS but not for BLE, only IP and USB
- Linux wins again!
- Bettercap is a much heavier multipurpose tool than Bleah is/was, but it’s under active development
- Not in debian repositories
- Looks like easiest way is to run via Docker: https://www.bettercap.org/installation/
- Command for running Bettercap (shows help… just an example):
docker run -it --privileged --net=host bettercap/bettercap -h
- Docs on running inside Docker: https://gist.github.com/siddolo/51c47cfd3479e99126ff9b93f94d8924
- Created a script in ~/bin/bettercap-start.sh that spins up the container for interactive mode + web UI
- Use with BLE specifically: https://www.bettercap.org/modules/ble/
- To make list of devices stop jumping around, sort by column that’s not RSSI
- Sometimes ble.recon stops responding and solution is to quit (in terminal window) and restart container
- Process (tested by looking for the MAC address, which is vendor “BlueGiga”)
- Start scan:
ble.recon on
- Stop scan:
ble.recon off
- Show all devices found so far:
ble.show
- Query device:
ble.enum [MAC ADDR]
(MAC address redacted, you need to enter it)
- This always returns a connection timeout, for some reason…
- This older command seems to work and connect:
sudo hcitool lecc 88:6b:00:00:00:00
(using the real MAC address)
- But only sometimes…? Not sure why. Maybe battery in the tracker is low?
- Could also be something wrong with the Docker version – although same thing happens with Dev image
- Going to try building from GitHub and seeing how that works before reporting a problem
- Github version reports exactly the same value as Docker (bettercap/bettercap) version; bettercap/dev is actually older!
- They are building with a slightly newer version of Go than I am… but doesn’t seem like it should matter
Conclusion
Seems like a neat technology, but I’m not sure I have any immediate use for it right now. Apple’s AirTags apparently use a form of BLE, but the tags (when paired) don’t just bleat out the same code each time, they use some sort of pseudo-random rolling code system, where only Apple knows the seed value. This prevents anyone with an ESP32 from being able to track you every time you pass a fixed point in space, which would otherwise be trivial. From what I can tell, Tile trackers do the same or a very similar thing, but the cheaper tags used for tracking tools, managing inventory, etc. don’t — they just spit out the same information in response to every inquiry, basically like a self-powered RFID chip.
An interesting tool to keep in the toolbox, though. It would definitely be good if you were trying to keep track of loaner devices on a temporary basis, e.g. if you wanted to hand out some sort of hardware tracker device (boat race, orienteering, geocaching, whatever) and make sure you got them back, or wanted to be able to automatically do ‘check-ins’ as people pass specific points.
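To make the privacy point from the presence-detection notes and the rolling-code point in the conclusion concrete, here is an added example (not from the original notes) that simulates one tag being seen at two fixed receivers: with a fixed identifier the two sightings match up with no key material at all, while with a rotating identifier only the holder of the seed can recognise its own tag. The rotating scheme is an illustrative HMAC-based stand-in I made up for the demonstration, not Apple’s or Tile’s protocol and not the BLE resolvable-private-address mechanism; the seed, sightings and identifiers are constructed.

```python
import hashlib
import hmac
from typing import Iterable, Set

# Added example, not from the original notes. Illustrative rotating-identifier
# scheme (hypothetical: NOT Apple's or Tile's real protocol, and not the BLE
# resolvable private address mechanism, which uses AES-128 with an IRK). The
# tag keeps a secret seed; what it advertises is an HMAC of the current time
# slot, truncated, so the value changes every period and only the seed holder
# can recognise it.

PERIOD_S = 900            # rotate the advertised identifier every 15 minutes
ID_BYTES = 6              # truncate to the size of a BLE address
FIXED_ID = "TAG-0001"     # constructed: a cheap asset tag sends this every time


def rolling_id(seed: bytes, t: int, period: int = PERIOD_S) -> str:
    """Identifier advertised at time t (seconds): HMAC(seed, time_slot), truncated."""
    slot = (t // period).to_bytes(8, "big", signed=True)
    return hmac.new(seed, slot, hashlib.sha256).hexdigest()[:2 * ID_BYTES]


def owner_resolves(seed: bytes, observed: str, t: int, slack: int = 1) -> bool:
    """Seed holder checks the slot containing t plus `slack` neighbours (clock drift)."""
    base = t // PERIOD_S
    return any(hmac.compare_digest(rolling_id(seed, s * PERIOD_S), observed)
               for s in range(base - slack, base + slack + 1))


def linkable_ids(seen_at_a: Iterable[str], seen_at_b: Iterable[str]) -> Set[str]:
    """Identifiers a third party with two fixed receivers (and no seed) can match up."""
    return set(seen_at_a) & set(seen_at_b)


# Constructed scenario: one tag passes receiver A at t=100 s and receiver B at
# t=5000 s; the two sightings fall in different rotation slots.
SEED = b"constructed-demo-seed-not-a-real-key"
SIGHTINGS = [(100, "A"), (5000, "B")]


def linkage_report() -> dict:
    fixed = {rx: [FIXED_ID for t, r in SIGHTINGS if r == rx] for rx in "AB"}
    roll = {rx: [rolling_id(SEED, t) for t, r in SIGHTINGS if r == rx] for rx in "AB"}
    return {
        "fixed_linked": len(linkable_ids(fixed["A"], fixed["B"])),  # 1: same ID at A and B
        "rolling_linked": len(linkable_ids(roll["A"], roll["B"])),  # 0: nothing to match
        "owner_resolved": all(owner_resolves(SEED, rolling_id(SEED, t), t)
                              for t, _ in SIGHTINGS),
    }
```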