
Good afternoon everyone and welcome to BSides Las Vegas. This is an energetic group; you went to the bar before, I can tell. This talk is going to be "The Perfect Blend: Reverse Engineering a Bluetooth Controlled Blender for Better Smoothies," given by Ryan Mast. A few quick announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Aikido, and our gold sponsors, Formal and Dropzone AI. It's their support, along with other sponsors, donors, and volunteers, that makes this event possible. Also, a quick note: this talk is being recorded, so please make sure your phone is on silent so as not to disturb the presenter
or the audience. And with that, I will pass it off to Ryan. All
right, thank you everyone for joining me on this quest to make better smoothies. First off, I just want to give you a QR code up front with a link to some resources. This will give you a few things I talk about during the talk, as well as a copy of the slides that you can check out later. And then the second thing I've got, which I'll give you a few more moments to take a picture of, is a brief overview of what this talk will look like. So I'll start off with an introduction, then talk a little bit about what BLE looks like and how it works with this device, and then we'll
reverse engineer the protocol used by the blender and dig into the binary a bit before ending with a demo and some takeaways. So let's begin. This is the NutriBullet Balance. It's a smart blender where the main way of controlling it and changing settings is via an app on your phone. So that's pretty cool. Unfortunately, there are a few issues. One, I didn't like how it didn't blend. Like, every time you power it off and on, you have to open up the app again. I wish I could have, like, my computer in the same room just see, "Oh, the blender's on. I'll connect and push the preferred blender settings to it." And the other is that even the Super Blend
profile, which is my favorite, still isn't quite as good at getting everything off the bottom of the cup. So I started looking into the protocol, and then I got a new phone and this happened. So on the right is my old phone, and as you can see, on my new phone the blender is not showing up when I try to connect, but it does on the old phone I have. So that's a bit of a problem and not looking promising. So let's see if there's maybe a software update for this app. And what's this? It looks like the last update was... There goes the screen. I'll move the mouse out of the way.
Yeah, it looks like it was updated about four or five years ago for iOS 13. So this isn't looking so promising for getting an update from the vendor, so now we really need to figure out how to communicate with it. This is what my setup looked like: I have my phone and then the blender, and they communicate over Bluetooth Low Energy. So, some background on Bluetooth Low Energy. You have two different devices. My phone is acting as the central, or scanner, which looks for devices nearby that are advertising their presence and then establishes the connection, and the blender is acting as a peripheral, or advertiser, which means it says, "Hey, I'm here, you can connect to me," and it's the
thing that sort of stores all the different values associated with, well, a blender or whatever device you're connecting to. So now I want to know what that communication is. And the first thought I had was, all right, I can just scan for the information I want. So I installed a free app from the store, and yeah, the NutriBullet shows up there, so I can connect to it. And right here I get some information about the blender. At the top is the information that's getting advertised by the blender itself. And that's cool: we get a unique ID for the device as well as a list of some of the services that are being advertised. So basically it gives a way for the app to
know, "Hey, this is a device that I'm interested in connecting to." Then if we go down, once you've connected to the device you can see the different services provided by the blender, and you'll notice a few things about the services. The custom services all have 128-bit unique IDs which identify what that service is. And there are also a few 16-bit IDs which are used from the Bluetooth specification for sort of standard or common services. Unfortunately, there is no standard service for blenders, so we're going to have to look at those custom services. Taking a look at those, we can see a few things: a set of values called characteristics. And if we take a closer
look, you can see that again there's a 128-bit unique ID associated with each characteristic. The Bluetooth standard does
So you have read and notifications.
That's basically saying, "Hey, I want the blender to tell me when a value changes rather than me having to ask for the changes." So, kind of cool. You can also see the value that that attribute has if it's readable or notifiable. And then you also have the client characteristic descriptor at the bottom, which is used for some sort of behind-the-scenes stuff and notifications. So with this app I was able to get some picture of what services and characteristics are available and, at least for the readable ones, some idea of what they do. Using that, I put together this profile. All right, here are the services and then the characteristics that make up each service, and then some
guesses, based on the values I saw, of what they might be, like, "Oh, I put a cup on the blender and poured stuff in, and the weight value increased. That could be the weight." [...] organization of information in Bluetooth Low Energy is known as GATT, the Generic Attribute Protocol. And that's actually built on top of another protocol called the Attribute Protocol, which is essentially just a flat table of indexes to the value that's currently stored for that handle. So now I want to get more information. I want to not just see what the blender is saying it supports; I also want to see what data my phone is sending to it when I change a setting. So one thought is, all right, we can
just stick something in between this wireless Bluetooth link and intercept the communication wirelessly. So I got an nRF52 dev kit, installed the nRF Sniffer firmware on it, and hooked it up to Wireshark, and, well, after a little bit of pain getting stuff installed, it worked. It was able to capture write requests, so you can see that for one of the write requests it got the handle as well as the characteristic identifier. >> I'm very sorry. I believe you asked for a table for your demo. >> Oh, >> yes I did. >> Thank you for speaking. >> Thank you.
So unfortunately this table's a bit too small for the blender, so I guess I'll have to resort to the video demo. Anyway, continuing on, you can see I got the service UUID and the characteristic UUID for the write request that my phone sent when changing a setting to write to the blender, as well as the value that was written. However, there are a few issues with this approach that I ran into. The first: the sniffer requires a good signal strength. So if I didn't have it, like, literally right in between the two devices, then it would often just miss the connection entirely. Also, with BLE connections, I think there are three different channels they can listen
on, and the sniffer can only monitor one at a time. So if it just happens to miss that initial connection, then again it doesn't capture anything. And the third issue was, well, it's an extra piece of hardware you have to pay for. Another point of failure, too. So it'd be nice if we could change things so that it's directly possible on both Android and iOS. So,
and you have the host CPU, which is handling higher levels of the protocol stack for the GAP protocols. So this link that they communicate over is called HCI, or the Host Controller Interface, and using Xcode PacketLogger we can intercept the communication, well, the entire exchange that our phone has with the blender. Then we can connect to the blender and step through all the functions: all right, calibrating the scale, and then go through and pick each of the different blend settings one by one to capture the write requests that are being sent. All right, after all of them are captured, we can then go up to the dropdown there and select that I only want to see the events
that are getting sent from my phone to the blender. And that narrows down the results to just the write events. So let's take a look at what we got. We can see again we got the characteristic identifier as well as the value that was being written, and we got this for every single one of the settings. If we'd missed the connection initially, then you'd see something that looks a bit more like this instead: basically you just see the handle and not the characteristic identifier, because the initial connection is when that hierarchical information gets sent from the device to your phone. So after getting all this information, I put together a table of the blend profile,
how long that profile runs for, and what bytes are being written. So from here I have a bit of data. I can try to figure out what the meaning of those bytes being written is.
All right, it's a bit better. So immediately we can see, in the second byte of each pair, there's a bit of a pattern going on. We have 0A, and in the slightly more complex profiles you have an alternating pattern of 0A bytes and 00. So maybe this could be telling the motor, "Hey, turn on," and then, "Turn off." All right, working on that theory, let's take a look at the first byte now. We can take B4 and try to turn it into decimal and see if we notice anything. And 180 happens to be four times the blend time of 45 seconds. So maybe this byte is for how long the motor should be on
for. We can do the same thing for the profile below it. Taking the first byte of each pair, converting them into decimal, and adding them up, we get 204, which is again four times the total blend time of 51 seconds. So maybe this first byte is how long it should run a step for, in quarter-seconds. All right. So at this point, I've got quite a bit of information. I could probably make an app that controls the blender. However, there are still some characteristics I didn't know the purpose of. So I decided, okay, let's pop it into Ghidra or something and try to reverse engineer it a bit. And I didn't get the iOS app, because it's a
bit of a pain getting iOS apps. So I got the Android one instead: just downloaded it from APKPure and then used apktool to extract the contents. After extracting the contents, you end up with a folder with a bunch of different files that looks something like this. Some interesting things that showed up were, hey, there's a SQLite database in there. So all right, let's open it up and see what's in it. We see a bunch of tables (a bit small), but it's mostly stuff like recipe information for the app. The programs table has things like, oh, Super Blend, Crush. So this looks like it might have the settings for the different blender profiles, and if we
take a look at the data in one of them we can see, hey, there's a list of steps, and the times for each step match up with the profile that we were looking at earlier. The speeds, though, almost match up. Remember there were 0A bytes for on and 00 for off. Here we see a speed of 10 and zero. So maybe instead of being a whole byte, maybe the first four bits of that last byte are the speed. Who knows? All right. So looking a bit deeper, this is an Android app, so there is a bunch of Java stuff in it which is pretty much just UI related. However,
there are also some files called libcore.so compiled for different CPU architectures. All right, let's toss this into Ghidra and see what we can find. And it turns out it does handle communication with the blender over Bluetooth. We can see the characteristic UUIDs and service UUIDs if we just search for a string. However, if we follow the references and look at the code, you can see that, all right, it's not immediately obvious what the functionality associated with each of those identifiers is. And we could go down the rabbit hole and try to figure out what they do, but for the most part it's much easier to just sniff the data and see it in real time.
So since I already had enough information to create a new app myself, all right, I'm not going to go down that path at this time. However, there was another interesting thing I stumbled across. There are also some string references to Vitamix. So Vitamix, NutriBullet: different companies, right? However, it seems whatever company they had make their apps maybe reused some code between them, which could have some interesting implications. Like, hey, if you find a buffer overflow in this, then maybe the firmware running on the blenders themselves also shares some code. Or, hey, if you can send a time that makes it run for way too long and overheats the motor, maybe you could do it to
multiple devices. So that's kind of interesting. Now let's summarize what we found so far. For the GATT services and characteristics, we have the scale service, and then the characteristic that we mainly care about is the weight that we're reading from the scale. If you do a GitHub search for these characteristic identifiers, you actually will find some results, and therefore some work someone did reverse engineering a Bluetooth-enabled scale. It turns out one of the other characteristics seems to be a tare function for zeroing it out. So that's kind of another cool thing: some code reuse, potentially, in a product from a third, different company. And then we have a summary of the
services and characteristics for the blender service, where there are three things I found interesting. The last one is the blend profile settings, which are just, hey, what sequence of on and off at what speed is getting written to the blender. The other two were a blend status, which was basically saying, "Hey, the blender is running," "There's no cup on yet," or "I finished running and the cup is still locked in place." And then the third one was the motor status, which is basically saying, "Hey, motor's running now," "Motor's off now." So this is enough information to create an app, but I kind of suck at UI stuff and web development. Fortunately ChatGPT was becoming fairly capable
one-ish years ago. Vibe coding wasn't quite popular yet, but you can see an initial test telling it, "Hey, give me a Web Bluetooth app that connects to a blender with this name and advertising this service." Well, it works. So I decided to give it a few more details: all right, here are all the other characteristics and services I found, and here's the data that you should write to them. And after fixing some hallucinated identifiers and tweaking the behavior a bit, the result was not half bad and definitely much faster than if I'd read through the Web Bluetooth docs and got up to speed again with JavaScript myself. So with that, let's see a demo of what
came out of it. So here we have the web app and the blender, and we can see it shows up, and I pair with it, and then it's connected to the blender. So it's getting status information on the motor, and there's no cup locked in. When I put the cup on and add water, you can see the scale weight is increasing. Then you can also see a time remaining of 45 seconds for the standard blend. Add a drop of blue food coloring just so it's a bit easier to see it.
All right. Now let's switch from the standard blend to a custom profile. The first step will run at slow speed for 12 quarters of a second, so 3 seconds. The next step will run for 3 seconds at a speed of, well, slightly faster, like one step up. Then it'll pause for two seconds before finishing off this blend at full speed for two seconds, or something approaching full speed. So we save the profile to write it to the blender, and then we just pick up the cup and lock it in place, and it should work. All right. So now it's slow for 3 seconds, and it's speeding up now, and it should pause in a moment. And now full
speed for two seconds. And that there is the perfect blend for some very blue water.
All right. NutriBullet. I've got a few more things for you. You can scan this QR code and you'll get the GitHub page, which has, well, the web app that was generated by ChatGPT. And then the other thing I have, and I'll give you a few more moments to finish taking pictures, is a list of resources here. Don't worry, if you got the QR code at the start, then that has all of these listed on it as well. Basically, it's a compilation of the tools that I used. And one note for those of you who have iPhones and a non-Mac computer: there is an open source project called libimobiledevice which
has a bt logger utility which you can use, so an alternative to the Xcode PacketLogger, which requires macOS. And with that, thank you.
And I think we have a few minutes for questions. So somewhere there's a microphone... Yeah. So if you have a question, just raise your hand.
Did you try doing any edge cases to see, you know, hey, instead of doing 100 speed, doing 120, just seeing if it would work or not? >> Edge cases, like saying a speed that's outside the boundaries? Yeah. So the boundaries are fairly limited. I did try setting the lower nibble to different values, and it seems there's just 16 discrete speeds. So,
Thank you. Have you checked the pairing mechanism and how it involves all the data that you're sending over Bluetooth Low Energy? I mean, could someone or someone else connect to your blender and start sending stuff? >> Yeah, there's no authentication or, like, other pairing codes. That said, you are range-limited by the range of Bluetooth Low Energy. So hopefully your neighbor isn't. >> Yeah, there is also a safety interlock that I want to call out. Like, there's a physical switch that has to be pressed when you lock the cup in place. >> I was just curious how long this project took you from start to finish. >> Well, I guess as with most projects,
things have a tendency to get spread out a bit. Yeah. So I think that I'd looked at it for a while. I think that I'd looked at it for a couple months, just off and on, and then had a long pause in between, and then about a year and a half ago I was like, "Okay, no, I should put together everything that I have and actually, like, document it." And that I think took a couple days. >> Yeah. >> Cool. Thank you.
All right. Thank you. Yeah.
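Added example (not part of the talk, the speaker's GitHub project, or any vendor code): a small Python decoder and encoder for the blend-profile byte layout the talk infers, namely a sequence of byte pairs where the first byte is the step duration in quarter-seconds (0xB4 = 180 = 4 × 45 s) and the second byte carries the motor speed in its low nibble (0x0A = speed 10 = on, 0x00 = off, 16 discrete speeds). The sample profiles, the rejection of a non-zero high nibble, the cap on total run time, and the assignment of speeds 1, 2 and 15 to the demo's "slow", "one step up" and "full speed" steps are assumptions made for this example, not values captured from the device.

```python
"""Decode/encode NutriBullet Balance blend profiles using the byte layout
inferred in the talk (added example; not the vendor's or the speaker's code).

Layout as the talk describes it:
  - a profile is a sequence of 2-byte steps
  - byte 0 = step duration in quarter-seconds (0xB4 = 180 -> 45 s)
  - byte 1 = motor speed in the low nibble (0x0A = speed 10 = on, 0x00 = off)
The speed assignments, the total-run-time cap and the handling of the high
nibble are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List

QUARTERS_PER_SECOND = 4
MAX_SPEED = 0x0F            # talk: 16 discrete speeds in the low nibble
MAX_STEP_QUARTERS = 0xFF    # one byte of duration per step
MAX_TOTAL_SECONDS = 120.0   # assumed safety cap: the talk notes an over-long run could overheat the motor


@dataclass(frozen=True)
class Step:
    quarter_seconds: int   # motor run time for this step, in 1/4 s units
    speed: int             # 0 = off, 1..15 = increasing speed

    @property
    def seconds(self) -> float:
        return self.quarter_seconds / QUARTERS_PER_SECOND


def decode_profile(raw: bytes) -> List[Step]:
    """Parse a characteristic value into steps. Rejects odd lengths and a
    non-zero high nibble in the speed byte, whose meaning the talk never established."""
    if len(raw) == 0 or len(raw) % 2:
        raise ValueError(f"profile must be a non-empty sequence of byte pairs, got {len(raw)} bytes")
    steps = []
    for i in range(0, len(raw), 2):
        duration, speed_byte = raw[i], raw[i + 1]
        if speed_byte & 0xF0:
            raise ValueError(f"step {i // 2}: high nibble of speed byte 0x{speed_byte:02X} is not understood")
        steps.append(Step(duration, speed_byte & 0x0F))
    return steps


def total_seconds(steps: List[Step]) -> float:
    """Total run time of a profile in seconds (on and off steps both count)."""
    return sum(s.quarter_seconds for s in steps) / QUARTERS_PER_SECOND


def encode_profile(steps: List[Step]) -> bytes:
    """Serialize steps for the blend-profile characteristic, range-checking
    every field and the total run time before producing any bytes."""
    if not steps:
        raise ValueError("profile needs at least one step")
    for n, step in enumerate(steps):
        if not 1 <= step.quarter_seconds <= MAX_STEP_QUARTERS:
            raise ValueError(f"step {n}: duration {step.quarter_seconds} quarter-seconds outside 1..{MAX_STEP_QUARTERS}")
        if not 0 <= step.speed <= MAX_SPEED:
            raise ValueError(f"step {n}: speed {step.speed} outside 0..{MAX_SPEED}")
    if total_seconds(steps) > MAX_TOTAL_SECONDS:
        raise ValueError(f"profile would run {total_seconds(steps)} s, above the {MAX_TOTAL_SECONDS} s cap")
    return b"".join(bytes((s.quarter_seconds, s.speed)) for s in steps)


def describe(steps: List[Step]) -> List[str]:
    """Human-readable step list, e.g. '45.0 s at speed 10'."""
    lines = []
    for s in steps:
        state = "off" if s.speed == 0 else f"at speed {s.speed}"
        lines.append(f"{s.seconds} s {state}")
    return lines


# Constructed sample data (not captured from a real device):
STANDARD_BLEND = bytes.fromhex("B40A")                 # the single 45 s step seen in the talk
PULSED_51S = bytes.fromhex("3C0A 1400 3C0A 1400 2C0A")  # durations sum to 204 quarters = 51 s, on/off alternating
DEMO_PROFILE = [Step(12, 1), Step(12, 2), Step(8, 0), Step(8, 15)]  # slow 3 s, one step up 3 s, pause 2 s, full 2 s

if __name__ == "__main__":
    for name, raw in (("standard", STANDARD_BLEND), ("pulsed", PULSED_51S)):
        steps = decode_profile(raw)
        print(f"{name} {raw.hex()}: {total_seconds(steps)} s -> {describe(steps)}")
    print("demo profile ->", encode_profile(DEMO_PROFILE).hex())
```

The encoder refuses speeds above 15 and durations that overflow a byte, which is the same boundary the audience asked about, and it applies an assumed cap on total run time so a typo in a custom profile cannot request a run far longer than any built-in program.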