I am confused with this issue. I have the following device (it is a Chinese smartwatch) whose MAC address shows up on blueman and bettercap but not on hcitool.
I use:
sudo hcitool lescan
LE Scan ...
C0:28:8D:D6:66:EA
C0:28:8D:D6:66:EA (unknown)
but the device MAC address of Q1, EB:15:0C:38:C9:B0, does not show up.
I try bettercap:
sudo bettercap
» ble.recon on
» [12:01:38] [ble.device.new] new BLE device Q1 detected as EB:15:0C:38:C9:B0 -77 dBm.
However, I also get the following when I do:
» ble.show
│ -76 dBm │ eb:15:0c:38:c9:b0 │ │ Limited Discoverable, BR/EDR Not Supported │ ✔ │ 12:05:38 │
» ble.enum eb:15:0c:38:c9:b0
[12:07:06] [sys.log] [inf] ble.recon connecting to eb:15:0c:38:c9:b0 ...
»
┌──────────────┬───────────────────────────────────────────────────────┬──────────────────────────────────────────────────┬────────────────────────────────────────────────┐
│ Handles │ Service > Characteristics │ Properties │ Data │
├──────────────┼───────────────────────────────────────────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────┤
│ 0001 -> 0004 │ Generic Attribute (1801) │ │ │
│ 0003 │ Service Changed (2a05) │ BCAST, READ, WRITE, NOTIFY, INDICATE, SIGN WRITE │ 00000000 │
│ │ │ │ │
│ 0005 -> 000f │ Generic Access (1800) │ │ │
│ 0007 │ Device Name (2a00) │ READ │ Q1 │
│ 0009 │ Appearance (2a01) │ READ │ Unknown │
│ 000b │ Peripheral Privacy Flag (2a02) │ READ │ Privacy Disabled │
│ 000d │ Peripheral Preferred Connection Parameters (2a04) │ READ │ Connection Interval: 224 -> 240 │
│ │ │ │ Slave Latency: 4 │
│ │ │ │ Connection Supervision Timeout Multiplier: 500 │
│ 000f │ 2aa6 │ READ │ 00 │
│ │ │ │ │
│ 0010 -> 0015 │ 6e400001b5a3f393e0a9e50e24dcca9e │ │ │
│ 0012 │ 6e400003b5a3f393e0a9e50e24dcca9e │ NOTIFY │ │
│ 0015 │ 6e400002b5a3f393e0a9e50e24dcca9e │ WRITE │ │
│ │ │ │ │
│ 0016 -> 002d │ Human Interface Device (1812) │ │ │
│ 0018 │ Protocol Mode (2a4e) │ READ, WRITE │ insufficient encryption │
│ 001a │ Report (2a4d) │ READ, WRITE, NOTIFY │ insufficient encryption │
│ 001e │ Report (2a4d) │ READ, WRITE, NOTIFY │ insufficient encryption │
│ 0022 │ Report (2a4d) │ READ, WRITE, NOTIFY │ insufficient encryption │
│ 0026 │ Report Map (2a4b) │ READ │ insufficient encryption │
│ 0028 │ Boot Mouse Input Report (2a33) │ READ, WRITE, NOTIFY │ insufficient encryption │
│ 002b │ HID Information (2a4a) │ READ │ insufficient encryption │
│ 002d │ HID Control Point (2a4c) │ WRITE │ │
│ │ │ │ │
│ 002e -> 0037 │ fee7 │ │ │
│ 0030 │ fec9 │ READ, NOTIFY │ ë150c8É° │
│ 0033 │ fea1 │ READ, INDICATE │ 07a001009e0100a00100 │
│ 0036 │ fea2 │ READ, WRITE, INDICATE │ Ð │
│ │ │ │ │
└──────────────┴───────────────────────────────────────────────────────┴──────────────────────────────────────────────────┴────────────────────────────────────────────────┘
However I am not sure what all this means. I find bettercap very confusing to follow.
» ^D
Are you sure you want to quit this session? y/n y
[12:08:07] [sys.log] [inf] ble.recon stopping scan ...
I also tried gatttool:
sudo gatttool -t random -b EB:15:0C:38:C9:B0 -I
[EB:15:0C:38:C9:B0][LE]> sec-level low
[EB:15:0C:38:C9:B0][LE]> connect
Attempting to connect to EB:15:0C:38:C9:B0
Error: connect to EB:15:0C:38:C9:B0: Device or resource busy (16)
[EB:15:0C:38:C9:B0][LE]>
I am sorry but I am not sure what to do. I would like to read and write to this device if that is possible. I am on Fedora 33 Linux.
Thanks in advance for any help!
Thanks for the information with regard to bluetoothctl. So, I try this out and get:
$ sudo bluetoothctl
Agent registered
[Q1]# devices
Device EB:15:0C:38:C9:B0 Q1
Device E0:7B:1F:EB:C1:6C LH719
Device A4:C1:1C:F6:02:92 MS1020
[Q1]# connect EB:15:0C:38:C9:B0
Attempting to connect to EB:15:0C:38:C9:B0
Connection successful
But reading from here: https://budimir.cc/2020/02/27/ble-on-linux-with-bluetoothctl/ it appears that I should get far more information than the above.
However, I added:
[Q1]# menu gatt
Menu gatt:
Available commands:
-------------------
list-attributes [dev/local] List attributes
select-attribute <attribute/UUID> Select attribute
attribute-info [attribute/UUID] Select attribute
read [offset] Read attribute value
write <data=xx xx ...> [offset] [type] Write attribute value
acquire-write Acquire Write file descriptor
release-write Release Write file descriptor
acquire-notify Acquire Notify file descriptor
release-notify Release Notify file descriptor
notify <on/off> Notify attribute value
clone [dev/attribute/UUID] Clone a device or attribute
register-application [UUID ...] Register profile to connect
unregister-application Unregister profile
register-service <UUID> [handle] Register application service.
unregister-service <UUID/object> Unregister application service
register-includes <UUID> [handle] Register as Included service in.
unregister-includes <Service-UUID><Inc-UUID> Unregister Included service.
register-characteristic <UUID> <Flags=read,write,notify...> [handle] Register application characteristic
unregister-characteristic <UUID/object> Unregister application characteristic
register-descriptor <UUID> <Flags=read,write...> [handle] Register application descriptor
unregister-descriptor <UUID/object> Unregister application descriptor
back Return to main menu
version Display version
quit Quit program
exit Quit program
help Display help about this program
export Print environment variables
and do seem to get a list of services (which I will now investigate):
[Q1]# list-attributes
Primary Service (Handle 0x0100)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service002e
0000fee7-0000-1000-8000-00805f9b34fb
Tencent Holdings Limited.
Characteristic (Handle 0x7da4)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service002e/char0035
0000fea2-0000-1000-8000-00805f9b34fb
Intrepid Control Systems, Inc.
Descriptor (Handle 0x0015)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service002e/char0035/desc0037
00002902-0000-1000-8000-00805f9b34fb
Client Characteristic Configuration
Characteristic (Handle 0x9248)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service002e/char0032
0000fea1-0000-1000-8000-00805f9b34fb
Intrepid Control Systems, Inc.
Descriptor (Handle 0x0015)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service002e/char0032/desc0034
00002902-0000-1000-8000-00805f9b34fb
Client Characteristic Configuration
Characteristic (Handle 0xaf18)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service002e/char002f
0000fec9-0000-1000-8000-00805f9b34fb
Apple, Inc.
Descriptor (Handle 0x0015)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service002e/char002f/desc0031
00002902-0000-1000-8000-00805f9b34fb
Client Characteristic Configuration
Primary Service (Handle 0x9d80)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service0010
6e400001-b5a3-f393-e0a9-e50e24dcca9e
Nordic UART Service
Characteristic (Handle 0xd894)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service0010/char0014
6e400002-b5a3-f393-e0a9-e50e24dcca9e
Nordic UART TX
Characteristic (Handle 0xd894)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service0010/char0011
6e400003-b5a3-f393-e0a9-e50e24dcca9e
Nordic UART RX
Descriptor (Handle 0x0015)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service0010/char0011/desc0013
00002902-0000-1000-8000-00805f9b34fb
Client Characteristic Configuration
Primary Service (Handle 0x9d80)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service0001
00001801-0000-1000-8000-00805f9b34fb
Generic Attribute Profile
Characteristic (Handle 0xff84)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service0001/char0002
00002a05-0000-1000-8000-00805f9b34fb
Service Changed
Descriptor (Handle 0x0015)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service0001/char0002/desc0004
00002902-0000-1000-8000-00805f9b34fb
Client Characteristic Configuration
[Q1]#
hcitool and gatttool were some of the tools that were deprecated by the BlueZ project in 2017. If you are following a tutorial that uses them, there is a chance that it might be out of date. The correct tool to be using now is bluetoothctl.
If you are new to Bluetooth then using a generic Bluetooth Low Energy scanning and exploration tool like nRF Connect might be more helpful to understand what is going on. Reading up on how BLE GATT services work will help with the service > Characteristics information.
Once you can read and write with the characteristics, your next challenge will be to work out what the binary data that is being sent/received means as it looks like they are using a lot of custom characteristics.
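Added example, not part of the original posts: a small parser that lines up the `list-attributes` records above with the handles in the bettercap table. The "(Handle 0x…)" values in that listing repeat across unrelated attributes, so the sketch reads the handle from the BlueZ object path instead (`char0014` is the declaration handle, and the value attribute follows it at 0x0015). The function name and `SAMPLE` are assumptions of this example; `SAMPLE` is constructed from four records of the listing.

```python
import re

SIG_BASE = "-0000-1000-8000-00805f9b34fb"   # suffix shared by 16-bit SIG-assigned UUIDs
PATH_RE = re.compile(r"/(service|char|desc)([0-9a-f]{4})")

# Constructed sample: four records in the shape printed by list-attributes above.
SAMPLE = """\
Primary Service (Handle 0x9d80)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service0010
6e400001-b5a3-f393-e0a9-e50e24dcca9e
Nordic UART Service
Characteristic (Handle 0xd894)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service0010/char0014
6e400002-b5a3-f393-e0a9-e50e24dcca9e
Nordic UART TX
Descriptor (Handle 0x0015)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service0010/char0011/desc0013
00002902-0000-1000-8000-00805f9b34fb
Client Characteristic Configuration
Characteristic (Handle 0x7da4)
/org/bluez/hci0/dev_EB_15_0C_38_C9_B0/service002e/char0035
0000fea2-0000-1000-8000-00805f9b34fb
Intrepid Control Systems, Inc.
"""

def parse_attributes(text):
    """Parse 4-line records (kind, object path, UUID, name) into dicts."""
    lines = [s for s in (l.strip() for l in text.splitlines())
             if s and not s.startswith("[")]          # skip "[Q1]#" prompt lines
    out = []
    for i in range(0, len(lines) - 3, 4):
        kind, path, uuid, name = lines[i:i + 4]
        parts = {k: int(h, 16) for k, h in PATH_RE.findall(path)}
        if "desc" in parts:
            handle = parts["desc"]
        elif "char" in parts:
            handle = parts["char"] + 1    # value attribute follows the declaration
        else:
            handle = parts["service"]
        uuid = uuid.lower()
        sig = uuid.startswith("0000") and uuid.endswith(SIG_BASE)
        out.append({"kind": kind.split(" (")[0], "service": parts.get("service"),
                    "handle": handle, "uuid": uuid, "name": name,
                    "short": uuid[4:8] if sig else None})   # None = vendor 128-bit UUID
    return out

if __name__ == "__main__":
    for r in sorted(parse_attributes(SAMPLE), key=lambda r: r["handle"]):
        print(f"0x{r['handle']:04x} {r['kind']:<15} {r['short'] or r['uuid']} {r['name']}")
```

Records with `short` set to `None` are the custom 128-bit characteristics the answer refers to; the handles printed match the 0015 and 0036 rows of the bettercap table.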