How to decode a Bluetooth LE Package / Frame / Beacon of a FreeTec PX-1737-919 Bluetooth 4.0 Temperature Sensor?
It's not a beacon advertisement. The packets are the device sending three pieces of information.
- The device's local name "8BBAC49D"
- The Health Thermometer Service is available (with a current temperature measurement)
- The Battery Service is available (with a current battery level measurement)
Breakdown of this BLE discovered packet:
> 04 3E 26 02 01 03 01 B8 AB C0 5D 4C D9 1A 02 01 04 09 09 38
42 42 41 43 34 39 44 07 16 09 18 44 08 00 FE 04 16 0F 18 5B
B2
If you look at your repeat packet, you will see that each temperature measurement varies slightly, as does the battery measurement.
Here is the breakdown of the packet:
B8 AB C0 5D 4C D9 1A # Bluetooth Mac Address
02 # Number of bytes that follow in first AD structure
01 # Flags AD type
04 # Flags value 0x04 = 000000100
bit 0 (OFF) LE Limited Discoverable Mode
bit 1 (OFF) LE General Discoverable Mode
bit 2 (ON) BR/EDR Not Supported
bit 3 (OFF) Simultaneous LE and BR/EDR to Same Device Capable (controller)
bit 4 (OFF) Simultaneous LE and BR/EDR to Same Device Capable (Host)
09 # Number of bytes that follow in the first AD Structure
09 # Complete Local Name AD Type
38 42 42 41 43 34 39 44 # "8BBAC49D"
07 # Number of bytes that follow in the second AD Structure
16 # Service Data AD Type
09 18 # 16-bit Service UUID 0x1809 = Health thermometer (org.bluetooth.service.health_thermometer)
44 08 00 FE # Additional Service Data 440800 (Temperature = 0x000844 x 10^-2) = 21.16 degrees
04 # Number of bytes that follow in the third AD Structure
16 # Service Data AD Type
0F 18 # 16-bit Service UUID 0x180F = Battery Service (org.bluetooth.service.battery_service)
5B # Additional Service Data (battery level)
B2 # checksum
See the bluetooth 16-bit service UUID definitions for more information:
https://developer.bluetooth.org/gatt/services/Pages/ServiceViewer.aspx?u=org.bluetooth.service.battery_service.xml
https://developer.bluetooth.org/gatt/services/Pages/ServiceViewer.aspx?u=org.bluetooth.service.health_thermometer.xml
You can use hcidump -w dump.log
to record some packages and open it in Wireshark - which does most of the decoding for you.
The missing pices:
04 # HCI Packet Type: HCI Event (0x04)
3E # Event Code: LE Meta (0x3e)
26 # Parameter Total Length: 38
02 # Sub Event: LE Advertising Report (0x02)
01 # Num Reports: 1
03 # Event Type: Non-Connectable Undirected Advertising (0x03)
01 # Peer Address Type: Random Device Address (0x01)
Screenshot form Wireshark:
And here is the Packet in btsnoop.log format. Works with Wireshark and hcidump -r packet.log
.