It’s a story we’ve heard many times before: if you want to get your data out of the Domyos EL500 elliptical trainer, you have to use a proprietary smartphone app that talks to the machine over Bluetooth Low Energy (BLE). To add insult to injury, the only way the app will export your workout data is by generating a JPG image of a graph. This just won’t do, so [Juan Carlos Jiménez] gives us yet another extensive write-up, which serves as an excellent introduction to practical BLE hacking.
He walks us through BLE GATT (Generic Attribute Profile), the most common way such devices work, the different stages of the connection process, and the tools you can use for sniffing an active connection. Then [Juan] shows us a number of captured messages, how to figure out the packet types, and moves on to the tastiest part: using an ESP32 to man-in-the-middle (MITM) the connection.
The MITM consists of two parts: a laptop running a Python script that talks to the Domyos EL500, and an ESP32 that spoofs the EL500 to the smartphone app, the two tied together with a serial link. You can capture all the messages that the app and the trainer exchange, modify them in real time and watch the response, and figure out how to extract all the data you could dream of. That is more than enough to conquer the next frontier, writing a third-party app to capture workout data, and we can’t wait to see this experiment conclude.
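Whichever way you collect the traffic, from a sniffer or from the serial link between the two halves of the MITM, the first job is the one [Juan] describes: classify each packet. At the GATT layer every packet is an ATT PDU whose first byte is the opcode, and that opcode alone tells you the packet type, the direction (only the client, i.e. the phone app, sends requests and commands; only the peripheral sends responses and notifications) and whether an attribute handle follows. The decoder below is an added example written for this post, not code from [Juan]’s write-up or the Domyos app; it follows the ATT opcode layout from the Bluetooth Core Specification, and the sample capture, the handles 0x001C/0x001E/0x001F and the payload bytes are all constructed for illustration.

```python
"""Decode raw ATT (Attribute Protocol) PDUs from a BLE sniffer capture and
classify each one by type, direction and attribute handle.
Opcode layout per the Bluetooth Core Specification, Attribute Protocol section.
The SAMPLE_CAPTURE hex dump below is constructed for this example."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# ATT method opcodes live in bits 0-5. Bit 6 (0x40) flags a Command, which
# expects no response; bit 7 (0x80) flags an appended authentication signature.
ATT_METHODS = {
    0x01: "Error Response",
    0x02: "Exchange MTU Request",
    0x03: "Exchange MTU Response",
    0x04: "Find Information Request",
    0x05: "Find Information Response",
    0x08: "Read By Type Request",
    0x09: "Read By Type Response",
    0x0A: "Read Request",
    0x0B: "Read Response",
    0x10: "Read By Group Type Request",
    0x11: "Read By Group Type Response",
    0x12: "Write Request",
    0x13: "Write Response",
    0x1B: "Handle Value Notification",
    0x1D: "Handle Value Indication",
    0x1E: "Handle Value Confirmation",
}

# Methods only ever sent by the GATT client (the phone app). Everything else
# originates from the GATT server (the trainer), so the opcode fixes direction.
CLIENT_METHODS = {0x02, 0x04, 0x08, 0x0A, 0x10, 0x12, 0x1E}

# Methods whose PDU starts with a 16-bit little-endian attribute handle.
HANDLE_METHODS = {0x0A, 0x12, 0x1B, 0x1D}


@dataclass
class AttPdu:
    opcode: int
    name: str
    direction: str          # "app->device" or "device->app"
    handle: Optional[int]   # attribute handle, when the PDU carries one
    value: bytes            # payload after the fixed fields


def parse_att_pdu(raw: bytes) -> AttPdu:
    """Split one ATT PDU into opcode, handle and value."""
    if not raw:
        raise ValueError("empty PDU")
    opcode = raw[0]
    method = opcode & 0x3F
    name = ATT_METHODS.get(method, f"Unknown(0x{method:02x})")
    if method == 0x12 and opcode & 0x40:
        name = "Write Command"          # 0x52: write without response
    direction = "app->device" if method in CLIENT_METHODS else "device->app"

    handle: Optional[int] = None
    if method in HANDLE_METHODS:
        if len(raw) < 3:
            raise ValueError("truncated PDU, handle missing")
        handle = int.from_bytes(raw[1:3], "little")
        value = raw[3:]
    elif method in (0x02, 0x03):
        value = raw[1:3]                # 16-bit MTU
    elif method == 0x01:
        # Error Response: request opcode, handle in error, error code
        if len(raw) < 5:
            raise ValueError("truncated Error Response")
        handle = int.from_bytes(raw[2:4], "little")
        value = raw[4:5]
    else:
        value = raw[1:]
    return AttPdu(opcode, name, direction, handle, value)


def parse_capture(hex_lines: List[str]) -> List[AttPdu]:
    """Decode a list of space-separated hex dumps, one PDU per line."""
    return [parse_att_pdu(bytes.fromhex(line)) for line in hex_lines]


def summarize(pdus: List[AttPdu]) -> Dict[str, object]:
    """Which handles the app writes to, and which ones the device streams from."""
    by_type = Counter(p.name for p in pdus)
    notifying = sorted({p.handle for p in pdus if p.name == "Handle Value Notification"})
    written = sorted({p.handle for p in pdus if p.name in ("Write Request", "Write Command")})
    return {"by_type": dict(by_type), "notifying_handles": notifying, "written_handles": written}


# Constructed capture of a short session: MTU exchange, the app enabling
# notifications on a CCCD (handle 0x001F), a command write, and one notification.
SAMPLE_CAPTURE = [
    "02 f7 00",                     # Exchange MTU Request, MTU 247
    "03 f7 00",                     # Exchange MTU Response
    "12 1f 00 01 00",               # Write Request, handle 0x001F, value 0x0001
    "13",                           # Write Response
    "52 1c 00 f0 a0 01",            # Write Command, handle 0x001C (constructed payload)
    "1b 1e 00 f0 bc 00 2a 00 64",   # Notification from handle 0x001E (constructed payload)
]

if __name__ == "__main__":
    for p in parse_capture(SAMPLE_CAPTURE):
        h = f"0x{p.handle:04x}" if p.handle is not None else "  -   "
        print(f"{p.direction:12} {p.name:28} handle={h} value={p.value.hex()}")
    print(summarize(parse_capture(SAMPLE_CAPTURE)))
```

Run it on the constructed capture and the summary shows the pattern you hunt for in a real one: the handle the app writes a 0x0001 to is the client characteristic configuration descriptor that turns notifications on, the handle it sends commands to is where the protocol’s requests live, and the handle that notifies is where the workout data comes back.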
BLE is ubiquitous and used in what feels like every IoT device under the sun, which makes it all the more wonderful that we’ve got yet another tutorial on how to bend it to our will. The tools are easy to find, too. You can use an ESP32, a Raspberry Pi, or an nRF dongle. You can even get quite far using nothing more exotic than an Android device. Whatever approach you take, the journey is sure to pay off.