吃枣药丸


Apple BLE Reverse Engineering (Part 1) - Sniffer Environment Setup

This series is a regularly published note. I write it as I think, and the format is very casual, so there may be typos. It records the author's process of reverse engineering Apple's private protocols. The author is also a beginner in this field, so if there are any mistakes, please feel free to criticize and correct them in the comments.

Hardware Requirements#

Optional: a room with good electromagnetic shielding (bring in only the Apple devices that need to be analyzed, to reduce the amount of unrelated traffic you have to sift through)
Hardware: nRF52840 Dongle (nRF-compatible hardware is also acceptable; the author bought the nRF52840 Dongle shown in the figure below on Taobao for 34 yuan)
hardware

Software Requirements#

This record is based on Windows, and the configuration method is similar for Linux.

  1. Python >= 3.5 (3.7 recommended), with pyserial >= 3.5 and psutil
    A Python venv is recommended; with it there is no need to configure environment variables
  2. Wireshark
  3. nRF Sniffer for Bluetooth LE version 4.1.1
    nRF52840 firmware: sniffer_nrf52840dongle_nrf52840_4.1.1.hex (located in the hex directory of nRF Sniffer for Bluetooth LE)
  4. nRF Connect for Desktop (after installing it, install the Programmer app from within it)

Flashing Firmware#

Download and install nRF Connect for Desktop, then install Programmer (indicated by the arrow in the figure below)

programer
Download nRF Sniffer for Bluetooth LE and extract it. The firmware file and its path are shown in the figure below

firmware

Switch the nRF52840 Dongle to DFU bootloader mode by pressing the RESET button on the board (marked with a green highlighter in the figure); the Reset light will turn on

hardware_reset

Open Programmer, select the device, drag the firmware file sniffer_nrf52840dongle_nrf52840_4.1.1.hex into the File memory layout pane on the left, then click Write to flash it

DFUMode
After writing completes, the device name changes to nRF Sniffer for Bluetooth; this means flashing is done

Installing and Configuring Wireshark#

  1. Install the latest version of Wireshark (the default options are fine).
  2. Install Python >= 3.5 (3.7 recommended); there is no need to configure environment variables.
  3. Since the author's machine has other Python environments (used to build Chromium) that the author does not want to contaminate, a Python venv is used to isolate things. Either way, venv is recommended here.
    nRF Sniffer for Bluetooth LE itself supports running inside a venv (this is not mentioned in the official documentation).
  4. Copy everything under the extcap directory of the extracted nRF Sniffer for Bluetooth LE to C:\Program Files\Wireshark\extcap. The files and folders that must be copied are highlighted in yellow in the figure.

sniffersdk

  5. Start cmd with administrator privileges and change directory to C:\Program Files\Wireshark\extcap

chdir

  6. Create the venv by invoking Python.exe with its full path:
    %PYTHONFULLPATH%/Python.exe -m virtualenv env
    pythonenv

  7. Insert the nRF52840 Dongle and run nrf_sniffer_ble.bat --extcap-interfaces
    If the output contains the highlighted part in the figure below, the environment has been set up successfully

success

  8. Open Wireshark to verify packet capture. You should now be able to capture Apple's BLE packets, as shown in the figure below

with_plg

The protocol shown in the figure above is APPLEBLE, a Wireshark dissector plugin written by the author. It will be improved and released gradually in later parts.

The Wireshark display filter that selects Apple devices' BLE advertisements is btcommon.eir_ad.entry.company_id == 0x004c
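To make clear what that display filter actually matches on, here is a small added example (written for this note, not code from the original post and not part of the author's APPLEBLE plugin). It parses the advertising-data (AD) structures of a BLE advertising payload in pure Python, pulls out the manufacturer-specific entry (AD type 0xFF), and checks whether its 16-bit little-endian company identifier is 0x004C, which is Apple's Bluetooth SIG assigned company ID. The three payloads at the bottom are constructed for illustration, not captured traffic; the truncated one shows how a tolerant parser should stop instead of crashing on a bad length byte.

```python
# Added example, not from the original post: parse BLE advertising data and
# reproduce the check behind btcommon.eir_ad.entry.company_id == 0x004c.
# Sample payloads below are constructed for illustration, not captured traffic.

APPLE_COMPANY_ID = 0x004C            # Bluetooth SIG company identifier for Apple
AD_TYPE_FLAGS = 0x01
AD_TYPE_MANUFACTURER_SPECIFIC = 0xFF


def parse_ad_structures(payload: bytes):
    """Split an advertising payload into a list of (ad_type, data) tuples.

    Each AD structure is: length (1 byte, counting type + data), type (1 byte),
    data. Parsing stops at a zero-length structure (padding) or at an entry
    whose length runs past the end of the payload, the way a tolerant
    dissector would, instead of raising.
    """
    entries = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                 # zero-length entry: rest is padding
            break
        start, end = i + 1, i + 1 + length
        if end > len(payload):          # truncated structure: ignore the tail
            break
        ad_type = payload[start]
        entries.append((ad_type, bytes(payload[start + 1:end])))
        i = end
    return entries


def manufacturer_data(payload: bytes):
    """Return (company_id, vendor_bytes) for the first manufacturer-specific
    entry, or None if there is none.

    The company identifier is the first two data bytes, little-endian, which is
    why Apple's 0x004C appears on the wire as the byte sequence 4c 00.
    """
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER_SPECIFIC and len(data) >= 2:
            company_id = int.from_bytes(data[:2], "little")
            return company_id, data[2:]
    return None


def is_apple_advertisement(payload: bytes) -> bool:
    """Python equivalent of the Wireshark display filter used in the post."""
    md = manufacturer_data(payload)
    return md is not None and md[0] == APPLE_COMPANY_ID


# Constructed sample payloads (not captured from real devices).
# Flags entry, then a manufacturer-specific entry (length 7 = type + 6 bytes)
# carrying Apple's company id and four placeholder vendor bytes.
SAMPLE_APPLE = bytes.fromhex("020106" "07ff4c00" "01020304")
# Same layout, but company id 0xFFFF (reserved by the SIG for internal testing).
SAMPLE_OTHER = bytes.fromhex("020106" "07ffffff" "01020304")
# Truncated: the length byte claims 7 bytes but only 3 follow.
SAMPLE_TRUNCATED = bytes.fromhex("020106" "07ff4c00")

if __name__ == "__main__":
    for name, pkt in [("apple", SAMPLE_APPLE), ("other", SAMPLE_OTHER),
                      ("truncated", SAMPLE_TRUNCATED)]:
        print(name, parse_ad_structures(pkt), is_apple_advertisement(pkt))
```

The same length/type/data walk is what the Wireshark btcommon dissector performs before it exposes btcommon.eir_ad.entry.company_id, so if a capture does not match the filter, checking the raw bytes with a parser like this is a quick way to tell whether the packet simply carries no manufacturer-specific entry or carries one with a different company ID.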

To be continued in the next part of this series.
