DEV Community

Safia Abdalla

What I learned when I tried to hack my smart vibrator

I’ve owned a smart vibrator for a little over a year now. For those of you who might not be familiar, smart vibrators are vibrators that can be controlled by an app via a Bluetooth connection. Oftentimes, the app is connected to the Internet so a remote user can control the vibrator via the app. In that case, the remote user sends a message to the app and the app relays that message to the vibrator via Bluetooth.

I don’t do a lot of interesting projects with hardware or Internet connected devices, so I figured it would be fun to hack into my vibrator to learn a bit more about IoT devices. In this specific case, by "hack" I mean "reverse engineer the communication protocols that the vibrator and app used to communicate with each other." The particular vibrator I’ll be reverse engineering is the Vibease. Note to those of you who might be in an office, public library, or next to a nosy person on the train: that link will take you to an e-commerce page that sells sex toys. Hopefully, I saved you some unwanted awkwardness!

I started by doing a bit of research into Internet of Things devices that use Bluetooth in general. I figured, or I should say hoped, that there would be some sort of standardization or protocols around how Internet of Things devices utilize Bluetooth.

The first thing I figured out was the distinction between Bluetooth and Bluetooth Low Energy. Bluetooth Low Energy (sometimes referred to as Bluetooth 4.0) is a version of Bluetooth that uses less energy than prior versions. This is particularly advantageous for Internet of Things devices because it means they can run off battery for long periods of time. I can confirm this. I was pretty surprised by the number of uses that I could get out of my vibrator after a single full charge. This "low energy" distinction is a result of BLE modules remaining in "sleep mode" when not in use and thus using less energy. You can read a bit more about the differences at this link.

I decided to look around and see if there were any other articles written about reverse engineering Internet of Things devices and chanced upon this post. In the post, the author reverse engineers a smart light bulb. At this point, I don’t have the knowledge to brag, but I get the sense that what I’m trying to do might be a bit more difficult. For one, while an app that controls the color of a light bulb only needs to modify the color presented by the LED, a vibrator consists of several motors that sometimes need to be activated in tandem. Despite this, the post gave me some pretty good insights into BLE devices in general.

In particular, the article outlined how a peripheral device (like a vibrator) uses BLE to connect to services that represent different aspects of the device (like the battery or the motors of a vibrator) to read and write certain characteristics (like the battery level of the device or the rotations per minute on a motor). The article mentioned using an app called NRF Connect to interface with the Bluetooth device. I headed over to the App Store on my iPhone, downloaded the app, turned on my vibrator, and connected to it using the app.

Once I connected to the vibrator, the app detected three different services. The first was the Battery Service and the second was the Device Information service. It was pretty obvious to deduce what each of these services were for from their names. I figured that they were both read-only services that allowed the app (and snoopy critters like me) to read information about the battery level and details about the vibrator. The third service was labeled as "Unknown" by the NRF Connect tool. I figured this is the service that is responsible for reading and writing the state of the motors on the vibrator.

A screen capture of the services detected by the NRF Connect app on the Vibease vibrator.

I decided to navigate over to the "Battery Service" to see what information I could find there. As I suspected, the "Battery Service" contains a single "Battery Level" characteristic that is "Read Notify" and contains a value of ‘0x64’. This is a hex (base 16) number that translates to 100 in decimal. It’s fully charged and ready to go!

A screencapture of the Battery Level characteristic on a Vibease.

I navigated to the "Device Information" service and noticed that it had several "Read" characteristics that pertained to the Serial Number, Model Number, and other details of the device. Here’s a screenshot of what that screen looked like with certain details obfuscated.

A screencapture of the Device Information service on a Vibease.

All this was fairly easy, but I still needed to figure out how the app interfaced with the motors. I navigated to the ominously named "Unknown Service" to see if I could figure anything out.

A screencapture of the motor services on a Vibease.

Interesting! This service contains a mix of "Read Notify" and "Write Without Response" characteristics. There are two "Read Notify" characteristics and two "Write Without Response" characteristics. I presume that each of those characteristics lines up with a motor on the vibrator. That is to say, the vibrator has two motors, each of which you can read data from and write data to. This was in line with the physical characteristics of the vibrator. It has a motor on each end, and they both operate independently of one another.
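How a BLE browser arrives at labels like "Battery Level", "Read Notify" and "Unknown Service", as an added example that is not part of the original post: it decodes GATT characteristic declarations, and goes slightly beyond the post by also listing which characteristics accept writes. The vendor UUIDs, handles and sample bytes are constructed placeholders, not values from the Vibease.

```python
"""Decode GATT characteristic declarations the way a BLE browser app labels them.
All sample bytes are constructed for illustration, not captured from a device."""
import uuid

BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"  # tail of the Bluetooth Base UUID

# Subset of SIG-assigned 16-bit UUIDs for the services named in the post.
ASSIGNED = {
    0x180F: "Battery Service", 0x180A: "Device Information",
    0x2A19: "Battery Level", 0x2A24: "Model Number String",
    0x2A25: "Serial Number String",
}

# Characteristic Properties bit field (first byte of a declaration).
PROPERTY_BITS = [
    (0x01, "Broadcast"), (0x02, "Read"), (0x04, "Write Without Response"),
    (0x08, "Write"), (0x10, "Notify"), (0x20, "Indicate"),
    (0x40, "Authenticated Signed Writes"), (0x80, "Extended Properties"),
]

def uuid_from_wire(raw: bytes) -> uuid.UUID:
    """ATT carries UUIDs little-endian: 2 bytes (SIG-assigned) or 16 (vendor)."""
    if len(raw) == 2:
        short = int.from_bytes(raw, "little")
        return uuid.UUID(f"0000{short:04x}{BASE_SUFFIX}")
    if len(raw) == 16:
        return uuid.UUID(bytes=raw[::-1])
    raise ValueError(f"unsupported UUID length: {len(raw)}")

def name_for(u: uuid.UUID) -> str:
    """Name a UUID; anything outside the SIG base range is shown as 'Unknown'."""
    text = str(u)
    if text.startswith("0000") and text.endswith(BASE_SUFFIX):
        short = int(text[4:8], 16)
        return ASSIGNED.get(short, f"Unlisted SIG UUID 0x{short:04X}")
    return "Unknown"

def parse_declaration(value: bytes) -> dict:
    """Layout: properties (1) | value handle (2, LE) | UUID (2 or 16, LE)."""
    if len(value) not in (5, 19):
        raise ValueError(f"bad declaration length: {len(value)}")
    u = uuid_from_wire(value[3:])
    return {
        "handle": int.from_bytes(value[1:3], "little"),
        "uuid": u,
        "name": name_for(u),
        "properties": [n for bit, n in PROPERTY_BITS if value[0] & bit],
    }

def writable_handles(declarations) -> list:
    """Handles that accept writes. The declaration does not say whether a write
    needs pairing or encryption, so each of these has to be checked separately."""
    wanted = {"Write", "Write Without Response"}
    return [d["handle"] for d in map(parse_declaration, declarations)
            if wanted & set(d["properties"])]

def battery_percent(value: bytes) -> int:
    """Battery Level is a single unsigned byte holding a percentage, 0 to 100."""
    if len(value) != 1 or value[0] > 100:
        raise ValueError("not a valid Battery Level value")
    return value[0]

def _decl(props: int, handle: int, wire_uuid: bytes) -> bytes:
    return bytes([props]) + handle.to_bytes(2, "little") + wire_uuid

# Constructed vendor UUIDs and handles (placeholders, not the Vibease's real ones).
VENDOR_TX = uuid.UUID("12345678-1234-5678-1234-56789abcdef0").bytes[::-1]
VENDOR_RX = uuid.UUID("12345678-1234-5678-1234-56789abcdef1").bytes[::-1]
SAMPLE = [
    _decl(0x12, 0x000E, bytes.fromhex("192a")),  # Battery Level: Read + Notify
    _decl(0x12, 0x0012, VENDOR_TX),              # vendor: Read + Notify
    _decl(0x04, 0x0015, VENDOR_RX),              # vendor: Write Without Response
]

if __name__ == "__main__":
    for raw in SAMPLE:
        d = parse_declaration(raw)
        print(f"0x{d['handle']:04X} {d['name']:<14} {', '.join(d['properties'])}")
    print("writable:", [f"0x{h:04X}" for h in writable_handles(SAMPLE)])
    print("battery:", battery_percent(bytes.fromhex("64")), "%")
```
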

I noticed something a little strange with the two "Read Notify" characteristics that were associated with the motors. One characteristic read a value of ‘0x0000’ (The screen-capture above shows a value of ‘0x0100’ because I took it a while after I gathered the initial reading. I’m not sure why the value changed in the hour between me seeing it for the first time and me remembering to take the screenshot. More mysteries. Wow, this parenthetical is getting a little long…) which corresponded to a motor that was off (or, so I guess) and the other read a value of ‘N/A’. At that point in time, the vibrator was on but not vibrating, so I found it strange that one motor would send a zero value and the other would send a null value. I decided to do a quick Google to see if this was a common issue with characteristics on BLE devices but couldn’t come up with anything useful.

Side note: Effective Googling is very difficult when you are learning something new, so I might not be formulating my queries in a way that brings up good responses. If you know something about BLE and why this might be happening, do let me know!

Anyways, I noticed that the NRF Connect app provided an option to write to characteristics that were writable. At this point, I did what any good engineer would do: I tested out random values. I tried sending ‘0x64’ which corresponded with the decimal value 100 to see if the characteristic was setting the power level on the motor. No dice!

A screencapture of writing 0x64 to a motor on a Vibease.

I noticed that the zero value being read by one of the characteristics was a hex number with 4 places, so I tried sending ‘0xffff’ but that didn’t work either. Bother!

A screencapture of sending 0xffff to a Vibease.

So at this point, I figured I would try something else. Instead of guessing values, I would open up the Vibease app on my phone, set the vibration on the app, and see what values the "Read Notify" characteristic emitted. The tricky thing was that I couldn’t use the NRF Connect and the Vibease app on my phone at the same time, so I had to figure out some way to connect to the vibrator from my laptop. I found an app called LightBlue on the Mac App Store and figured I could try to use that to read the values on each of the characteristics while I controlled the vibrator from the app. For some strange reason, I couldn’t connect to the vibrator from my laptop while I was connected to it via the app on my phone. This actually isn’t strange, it makes total sense. If I were building a smart vibrator, I wouldn’t want multiple devices connected to it at the same time.

I decided to see if there were any Bluetooth sniffers for iOS. I wanted something that could run in the background and log all the messages sent over BLE from my phone. Knowing Apple’s focus on security, I figured that an app like this might not be available on an un-jailbroken iPhone but I tried my luck on it anyways. Some Googling led me to this StackOverflow post that provided some details about running Bluetooth in "Diagnostics Mode" on iOS. I wasn’t sure what kind of information I would be able to get out of the logs provided by Apple but I figured it was worth a shot. I ended up following the official instructions for Bluetooth logging on iOS linked to in the StackOverflow post to generate my log.

Side-note: What is it with Apple and all the outrageous key/button combinations they make you press to access diagnostic features on their products? I mean, I understand why they make it difficult for users to get to those features but geez I’m going to get arthritis by the end of all this!

The result of this diagnostic logging was a .tar.gz file located at the directory specified in the instructions referenced above. I unzipped the directory and discovered that it consisted of several diagnostics files.

Too many files to look through.

Oh boy, what did I get myself into now? At this point, I decided to utilize one of the most time-tested and expert-recommended problem solving techniques. It is called "click a bunch, read a bunch" and consists of opening and reading lots of files until you find one that makes sense.

I found a few files that seemed to be related to Bluetooth logging but opening them in Wireshark rendered some truly nonsensical data.

A Bluetooth log opened in Wireshark

I also found some files that referenced the Vibease app that I was using to control my vibrator. They ended up just being crash report files. It turns out that whenever I would try to connect to the vibrator from another device while the app was connected to it, the Vibease app would crash. Fun!

At this point, I’ve tried enough options to go back to the drawing board one more time. From doing some research, I discovered that sniffing BLE signals and getting a log that is fairly easy to parse in Wireshark was pretty trivial in Android. It felt like the Apple ecosystem was really limiting me here, then again I am new to this and might just be unaware of the right tools to use. I did some more Googling to see if there were any other Bluetooth sniffers available for iOS or Mac but didn’t run into anything. Most solutions recommended purchasing a device like the Ubertooth One, which is designed to help with Bluetooth experimentation. But this device has quite a hefty price tag. It retails for anywhere from 120 USD to 200 USD, a little out of my college student budget. I couldn’t find a way to sniff BLE signals on iOS from the phone the way it was done in Android.

I figured I would pause this little experiment here and post this blog post as is. If you consider yourself an expert in the Internet of Things and have some advice on how I should move forward, do let me know.

Although I didn’t reach my ultimate goal of reverse engineering the communication protocols used between my vibrator and its app, I learned quite a bit in this little adventure.

  • There is a lot going on under the hood when we use devices with BLE connectivity. It reminds me a little bit of those pictures showing what the world would look like if we could see WiFi signals. There is so much information constantly being transmitted that we are figuratively and literally blind to.
  • Running diagnostics on iOS apps yields a plethora of information. This is the first time I’ve profiled and logged my iPhone and it was interesting to see all the information available. I might end up doing something similar to diagnose issues with apps that I use that crash frequently. I might draft a blog post for it on here if I have the time.
  • Reverse engineering is fun (and sometimes frustrating).

Until next time!
