Custom GAP advertising packet: Difference between revisions

From UNamur InfoSec

Revision as of 13:46, 14 December 2017

We can change the content of the generic access profile (GAP) advertising packet (AP) to contain the information we want it to contain. If we have only a small amount of data we want to communicate to the world, then we can use the modified GAP AP to send that information to any BLE scanner, without waiting for it to establish a connection. In this article, we’re going to modify advertising data step by step, then receive the result with a custom-built Evothings app.

GAP data review

The general GAP broadcast’s data breakdown is illustrated in this diagram:

Gap struct.png

Every BLE package can contain a maximum of 47 bytes (which isn’t much), but:

  1. The BLE stack requires 8 bytes (1 + 4 + 3) for its own purposes.
  2. The advertising packet data unit (PDU) therefore has at most 39 bytes. But the BLE stack once again requires some overhead, taking up another 8 bytes (2 + 6).
  3. The PDU’s advertising data field has 31 bytes left, divided into advertising data (AD) structures. Then:
    • The GAP broadcast must contain flags that tell the device about the type of advertisement we’re sending. The flag structure uses three bytes in total: one for data length, one for data type and one for the data itself. The reason we need the first two bytes (the data length and type indications) is to help the parser work correctly with our flag information. We have 28 bytes left.
    • Now we’re finally sending our own data in its own data structure. But our own data structure also needs an indication of length and type (two bytes in total). So we have 26 bytes left.

All of which means that we have only 26 bytes to use for the data we want to send over GAP.

And here’s what the bottom two layers of structure look like for our particular example - sending manufacturer data:

Example gap struct.png
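The byte layout described above, as an added example in C that is not part of the original article or of the Adafruit library: it assembles the 31-byte advertising data field (a 3-byte flags AD structure followed by one manufacturer-specific AD structure) and then parses it back the way a scanner would. One caveat the arithmetic above does not spell out: for the manufacturer-specific AD type (0xFF) the first two data bytes are the company identifier, so they come out of the 26 bytes, leaving 24 for your own payload. The flags value 0x06, the company id 0xFFFF and the "temp" payload are constructed placeholders. Because anyone can broadcast, the parser treats every length byte as untrusted and rejects a structure that claims more bytes than the buffer holds instead of reading past it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Budget from the article: 31 bytes of advertising data, 3 for the flags AD structure,
   2 for the length/type header of our own AD structure. */
#define ADV_DATA_MAX         31
#define FLAGS_AD_SIZE         3
#define AD_HEADER_SIZE        2
#define AD_TYPE_FLAGS         0x01
#define AD_TYPE_MANUFACTURER  0xFF
#define COMPANY_ID_SIZE       2   /* manufacturer-specific data starts with a 2-byte company id */

typedef struct {
    uint8_t        type;
    const uint8_t *value;      /* points into the packet buffer, not a copy */
    uint8_t        value_len;
} ad_struct_t;

/* Bytes of our own data that fit after flags, AD header and company id: 31-3-2-2 = 24. */
int manufacturer_payload_budget(void)
{
    return ADV_DATA_MAX - FLAGS_AD_SIZE - AD_HEADER_SIZE - COMPANY_ID_SIZE;
}

/* Assemble the advertising data field: a flags AD structure followed by one
   manufacturer-specific AD structure. Returns bytes written, or -1 if it would not fit. */
int build_adv_data(uint8_t *out, size_t out_len, uint8_t flags, uint16_t company_id,
                   const uint8_t *payload, size_t payload_len)
{
    size_t total = FLAGS_AD_SIZE + AD_HEADER_SIZE + COMPANY_ID_SIZE + payload_len;
    if (total > ADV_DATA_MAX || total > out_len) return -1;
    size_t i = 0;
    out[i++] = 1 + 1;                        /* length: the type byte plus one flag byte */
    out[i++] = AD_TYPE_FLAGS;
    out[i++] = flags;
    out[i++] = (uint8_t)(1 + COMPANY_ID_SIZE + payload_len);  /* length counts the type byte */
    out[i++] = AD_TYPE_MANUFACTURER;
    out[i++] = (uint8_t)(company_id & 0xFF); /* company id is little-endian on air */
    out[i++] = (uint8_t)(company_id >> 8);
    memcpy(out + i, payload, payload_len);
    return (int)(i + payload_len);
}

/* Walk the AD structures of a received advertising data field. Each length byte is
   untrusted (anyone can broadcast), so a length that runs past the buffer is rejected
   with -1 instead of being read. Returns the number of structures found. */
int parse_adv_data(const uint8_t *data, size_t len, ad_struct_t *out, size_t max_out)
{
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        uint8_t ad_len = data[pos];
        if (ad_len == 0) break;                 /* a zero length ends the significant part */
        if (pos + 1 + ad_len > len) return -1;  /* malformed: claims more bytes than exist */
        if ((size_t)n < max_out) {
            out[n].type      = data[pos + 1];
            out[n].value     = data + pos + 2;
            out[n].value_len = (uint8_t)(ad_len - 1);
        }
        n++;
        pos += 1 + ad_len;
    }
    return n;
}

/* Build a packet with constructed sample data and parse it back;
   returns the number of AD structures recovered (flags + manufacturer data = 2). */
int example_round_trip(void)
{
    static const uint8_t payload[] = { 't', 'e', 'm', 'p', 21 };  /* constructed sample */
    uint8_t buf[ADV_DATA_MAX];
    ad_struct_t ads[4];
    int len = build_adv_data(buf, sizeof buf, 0x06, 0xFFFF /* placeholder company id */,
                             payload, sizeof payload);
    if (len < 0) return -1;
    return parse_adv_data(buf, (size_t)len, ads, 4);
}

/* A constructed malformed packet: the second length byte claims 30 bytes in a 6-byte buffer. */
int example_malformed(void)
{
    static const uint8_t bad[] = { 0x02, 0x01, 0x06, 0x1E, 0xFF, 0xAA };
    ad_struct_t ads[2];
    return parse_adv_data(bad, sizeof bad, ads, 2);
}

int main(void)
{
    static const uint8_t payload[] = { 't', 'e', 'm', 'p', 21 };
    uint8_t buf[ADV_DATA_MAX];
    int len = build_adv_data(buf, sizeof buf, 0x06, 0xFFFF, payload, sizeof payload);
    printf("built %d bytes (%d payload bytes available):", len, manufacturer_payload_budget());
    for (int i = 0; i < len; i++) printf(" %02X", buf[i]);
    printf("\n");
    return 0;
}
```

On an Arduino the same two functions can be dropped in unchanged; the build side is what you hand to the module's raw-advertising command, and the parse side is what a scanner should run before trusting anything in a packet it did not send.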

Example Custom GAP data on Arduino (Adafruit Bluefruit LE)